CISOs have a complex job balancing risk with the threats and business challenges that face an organisation.
From increasing board awareness of the role security plays in company strategy, to constantly changing regulations, to an advancing threat landscape, this complexity needs to be managed in a balanced way.
In this video Hadi Hosn, SecureWorks Head of Security Strategy and GRC Consulting in EMEA, gives a quick overview of some of the challenges CISOs are faced with every day that require a delicate balancing of risk acceptance.
The role of the CISO has recently grown in complexity for a number of reasons. There’s a regulatory compliance requirement: organisations are facing a number of different regulations globally, and also in the region that they operate in, but also industry-specific regulations. Financial services is heavily regulated, and the European Union is more aware of security and they’re changing the regulations in that space. And accepting the risk as an organisation is becoming very difficult because you need to justify that to the regulators. So with the changing regulatory environment, CISOs have a complex job trying to address that.
Another reason the complexity has grown is because the organisation’s executives, the board of directors, are more aware of security. They’re more aware of what’s happening to other organisations, they’re more aware of the breaches, and they want answers on whether their organisation is susceptible to those breaches, and the CISO needs to answer those questions very well. Another view of that complexity is also around the technology getting personal. CISOs have to manage bring-your-own-device, cloud, mobile, trying to get big data initiatives that the business wants to invest in, and trying to get that secured as an organisation is difficult for a CISO to control individually.
The final view, I believe, is around the changing threat landscape. The attackers are getting more commoditised, but also there’s a lot of advanced threats, advanced persistent threats, facing organisations. Investing in both basic technology and the advanced technologies is complex in nature, and the CISO needs to manage that in a balanced way.