It is a topic that I bring up on just about every podcast that I have, and I even ask people directly when I meet them. It is the issue of the C-Suite, and the degree of accountability they should be held to for Cybersecurity, whether they have been breached or not.
I have heard varying opinions on this topic: some believe that the CIO or the CISO should simply look at the big picture and let the IT Security Manager and their respective teams be the decision makers.
Then I have had those responses where they believe that the CIO or CISO should be fired immediately if there is a security breach, and after that, they should face criminal charges. In other words, the buck stops with them, and they are ultimately responsible for everything.
My view is quite candid: Leadership and setting an example come straight from the top and go all the way down to the nightly custodian.
In this, every employee is held accountable for Cybersecurity, and is also held responsible for their own actions and conduct. But by the same token, the only way they learn how to maintain good levels of “Cyber Hygiene” is to learn from the top. If the C-Suite does it, then more than likely, employees will follow suit.
But now, the CIO and the CISO are getting into the hot seat once again on a different, but related, issue: How come they cannot keep up with the Cyberattacker? This is a topic that was brought up by a recent study entitled the “Forbes Insight Report”, which asked this very same question, and what the reasons were that they could not keep up. Here is what they found:
*84% of the CIOs/CISOs firmly believe that the risk of a security breach occurring at their place of business is very imminent;
*25% of them believe that the proverbial cat-and-mouse game is only going to get worse (meaning, the Cyberattacker will be well ahead);
*In order to relieve the repetitive, day-to-day tasks of the IT Security team, 45% of the CIOs/CISOs have now started to consider very seriously, or have implemented to some degree, the use of Artificial Intelligence (AI) tools such as Machine Learning (ML) and Neural Networks;
*Most of the respondents would like to shift their current Cybersecurity strategy from protection to a more proactive stance when it comes to detection and response times;
*On a positive note, a majority of the CIOs/CISOs are now implementing security training awareness programs for all their employees on a regular basis;
*About 30% of those respondents polled believe that their biggest constraint is a sheer lack of budget;
*35% of the CIOs and CISOs believe that the protection of the Personally Identifiable Information (PII) of their customer base is of top priority, along with the protection of their organization’s Intellectual Property.
My Thoughts on This
I honestly have to say that I side for the most part with those that have been polled in this study. Let’s break it down further. First, it seems that most of them have accepted the fact that they could potentially become a victim of a Cyberattack. At least they are being realistic now, which is a far cry from last year, when their perception was that they would never be hit. Second, it is good to see that they understand that their IT Security teams are probably amongst the most burdened and overworked bunch in a large company. While implementing AI and ML tools is a good step forward, it is not the only way. Corporate America simply must ramp up hiring of skilled Cybersecurity workers, and they are out there.
They don’t have to hire specialists per se at the beginning; rather, they can even just hire general Cybersecurity workers to help augment and relieve the burden on the current IT Security staff so that they can focus on more important issues.
Third, it is also great to see that the CIOs/CISOs are now taking a much more proactive stance when it comes to employee training and shifting their mindset from just simply deploying security tools to trying to mitigate Cyberthreats before they happen.
Perhaps the approach of strategically deploying tools and technologies is starting to sink in. My analogy for this has always been: why not just deploy two firewalls instead of ten? Fourth, I really do believe that the CIOs and the CISOs are facing a sheer budget crunch.
In most organizations, IT budgets are usually the last to get approved and the first to get cut for fear of an economic downturn. But given today’s Cybersecurity Threat Landscape, money should not be made an issue, provided that the justification for the needed funds has been made.
Finally, I have to say that it is also quite refreshing to see that the CIOs and CISOs are taking the protection of the confidential information and data that they have been entrusted with much more seriously. Just last year, if this question were to be asked, you would probably get a bunch of laughs and shrugs. Perhaps the Experian, British Airways, Marriott Hotel Group, and other breaches have made much more of an impact than originally thought.
But despite all of this, my opinion still stays the same: should the head of the CIO or the CISO still be chopped off if they are hit? Not necessarily. I still believe that leadership comes straight from the top, and that employees learn and follow by example from that. If a business or a corporation were to be hit by a Cyberattack, obviously the first concern is mitigating the threat and bringing mission critical processes back up once again.
Once this has been completed, then obviously a thorough investigation needs to be conducted. Only from this can it be determined who is ultimately responsible, and from there, the appropriate actions should of course be taken. Firing a CIO or CISO at first blush is simply a knee-jerk reaction that needs to be avoided.
The bottom line is that as much as the employees want to be heard by the C-Suite, they in turn also need to be heard by the Board of Directors, especially when it comes to approving new budgets and funding for Cybersecurity.
Finally, more details about this study can be seen at this link: