5 Common Mistakes that Well-Meaning CISOs Make

The chief information security officer (CISO) has a tough job. Because the CISO is responsible for overseeing the organization’s cybersecurity program, he or she takes the heat when the organization falls victim to a successful attack. Unfortunately, too many organizations have a culture that de-emphasizes cybersecurity, giving the CISO less of a voice in the board room and in budget considerations. It’s not surprising that the averge CISO tenure is just two to four years.

That said, well-meaning CISOs are sometimes their own worst enemy. Here are five common mistakes that can undermine a CISO’s ability to be effective:

1. Trying to boil the ocean. The volume and severity of security threats increase every day. A data breach or ransomware attack could cost tens of millions of dollars. In light of that, it’s easy to view every risk as an existential threat to the organization. However, when everything is critical, nothing is. The real threats get lost in the noise, and the CISO loses credibility. The CISO’s role is to prioritize threats according to their risk to the organization, so the IT team knows what to tackle first.
2. Locking down the environment. In most organizations, users have too many privileges, security patches aren’t applied quickly enough, and administrators take shortcuts that put the environment at risk. But CISOs need to be careful not to go to the opposite extreme and completely lock down the environment, making it hard to get business done. Cybersecurity should be a partner to the business, not an impediment.
3. Not communicating effectively. Other executives know that cybersecurity threats exist but often have difficulty relating those threats to business strategy. The CISO is in the best position to help them understand the likelihood of a given risk and the potential impact on the business. Building strong relationships with other business leaders will also help to move the needle toward a culture of cybersecurity.
4. Relying on gut instinct. Gut instinct can sometimes lead to success in business, but not for the CISO. The same rule applies to industry studies and surveys — knowing the potential threat to a hypothetical organization in the same industry is a useful starting point but little more. The CISO needs to make empiricaly based, data-driven decisions that align with quantifiable risks to the organization.
5. Not asking for help. The cybersecurity skills shortage is very real and increasing. But even if a CISO has an adequately staffed team, internal decision-making can be influenced by biases, blind spots and politics. It can be immensely valuable to get the perspective of a third-party consultant with expertise in cybersecurity. The consultant’s analysis can also provide the backup the CISO needs at budget time.

SageNet offers a suite of cybersecurity solutions and services that can help maximize the CISO’s success. Our team includes certified cybersecurity analysts, architects and engineers who can help you build your cybersecurity strategy, solve complex problems, or simply serve as a sounding board. Our fully managed SIEM platform can help you make sense of all of the security alerts and notifications coming from your systems, so you can better understand risk and prioritize your team’s efforts. Our cost-efficient Managed Security Operations provide around-the-clock monitoring and investigation of security events.

Don’t let common mistakes and pitfalls undermine your effectiveness. Contact SageNet to discuss your top cybersecurity challenges.