Why your board should focus on building your CISO’s self-resilience

Global Resident Chief Information Security Officer (CISO) at Proofpoint.

The past year has been another challenging one for organizations: threats have continued to escalate while cybersecurity labor shortages have pushed security operations teams beyond their capacity. The role of the CISO has always been stressful in a high-pressure environment, but rising job demands, expectations and regulatory oversight are now driving much higher levels of burnout and stress.

With security leaders more important than ever, recruiting and retaining a highly skilled CISO is a daunting challenge. Fifty-three percent of CISOs have been in their role for two years or less, and this high turnover, coupled with the shortage of talent, puts organizations at high risk of cybersecurity failure.

This untenable situation requires a concerted effort from the board and leadership team to ensure their CISO is resilient and has the tools to succeed. An overworked, overwhelmed and stressed CISO simply cannot effectively defend and protect the organization.

CISO pressures are increasing

The pandemic shone a spotlight on mental health in the workplace, and the cybersecurity industry has been no exception. Burnout and stress are now prevalent in the CISO community, but boards may be unaware of it, because those conversations mostly take place in private.

One factor adding to the stress is increased regulatory scrutiny of the security officer role. The Uber case in U.S. federal court is particularly troubling for CISOs because it sets a dangerous precedent of personal liability for cybersecurity incidents. Many CISOs may not be aware that one partial answer is directors and officers (D&O) insurance, which covers claims arising from alleged breaches of the duties of care, loyalty and obedience. It is not the only answer, but organizations should specifically consider D&O "Side A" coverage, which protects individual officers and directors in situations where the company does not, or cannot, indemnify them.

The much-needed rule proposed by the U.S. Securities and Exchange Commission (SEC) to increase transparency around cybersecurity risk management, strategy and governance has also created some trepidation in CISO and board circles. Neither side yet knows what the rule will mean for the relationship between security leaders and board members, and those relationships are already strained.

These developments add to the pressures CISOs already face daily, including the growing talent shortage and the relentless threat of ransomware and other cyberattacks. Like the CISO, the entire cybersecurity team is stretched thin as its ranks dwindle and it has to fight growing threats with fewer resources.

Forrester even predicts that this year the long hours worked by cybersecurity staff will prompt a whistleblower to report unsafe working conditions. Overall, Forrester expects another eventful year for CISOs. As difficult as the CISO's job is today, more difficult times are ahead.

Strengthen the self-resilience of your CISO

CISOs fight an uphill battle when they lack support in the boardroom. One of the best things a board can do to build its CISO's resilience is to bring cybersecurity expertise onto the board. Directors who understand what the organization and the security team are up against are powerful CISO allies. They help bridge the gap in other directors' understanding of how cyber risk translates into business risk, so the board can ensure the CISO has the resources to mitigate that risk.

Creating a cybersecurity or technology risk oversight committee is another effective way to strengthen the relationship between the board and the CISO. In the typical organization, cyber risk oversight sits with the audit committee, which is composed mainly of accounting and financial experts. Financial experts rarely have a deep understanding of cybersecurity and its risk ramifications; to them, cybersecurity is simply an operational expense rather than a strategic consideration.

A dedicated cybersecurity oversight committee is better placed to interpret cyber risk and its impact on broader business goals and organizational valuation. Creating such a committee also aligns with the SEC's proposed rule, and there is a broad feeling in the CISO community that this change would have a positive effect.

One of the biggest frustrations for CISOs is the feeling that no one is listening to their concerns. An oversight committee and more security expertise on the board pave the way for honest and transparent conversations about cyber risk. But the board should not stop there. It should work to broaden every board member's understanding of the threats the organization faces and of what the security team goes through to combat them. All of these steps help the board prioritize cybersecurity, which in turn ensures the CISO has the resources to ease some of the workload.

As the leaders who set the corporate agenda, directors play an important role in their organization's cyber readiness. Understanding the impact, stresses and pressures their CISO and security team face every day, and equipping them with the resources to manage those pressures, will build the resilience of both the CISO and the organization.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.