Notes from the Trenches: What’s top-of-mind with CSOs?
I am fortunate that I get to spend a lot of time with CSOs from all over the U.S. It’s great to hear their challenges as well as their hopes and goals for improving their information risk posture. Lately, there have been a few key themes emerging from my conversations with these CSOs, which I’ll outline here:
- Staffing. Across the U.S., businesses are struggling to find qualified security personnel to meet the demand. I’m hearing that following an employee’s departure the average length of time that a position remains unfilled is 9-18 months! We need to do a better job of encouraging smart people to move into InfoSec. But even if we could do that today, we’d still be years away from lessening the problem. It’s like the old adage: when’s the best time to plant a tree? 20 years ago. The impact is that businesses are looking for technology solutions that don’t require warm bodies to care for and feed them. Namely, they’re looking for solutions that automate (i.e. they don’t require a person staring at a pane of glass 24/7), integrate (i.e. they play nice in the sandbox and talk to all your other security technologies, including your Security Information & Event Management (SIEM)), or that can be delivered in a service provider model (i.e. outsource what you can, but maintain the critical aspects of security in-house – you can’t outsource risk).
- Budgets. Despite claims that budgets may go down this coming year, I don’t see it. It’s not jiving with what I’m hearing, and it doesn’t make sense. Most businesses are still in catch-up mode trying to make-up for short investments in prior years. Others are aggressively adopting new technologies like those that enable behavioral analytics. What I am hearing is budgets shifting away from older technologies like signature-based AV to more advanced technologies that leverage big data analytics, allowing enterprises to reduce dwell time and move to a more proactive stance. All those log files are great for a post-event forensics examination, but imagine if you could use analytics to review activity in real-time and develop actionable intelligence that could be used to prevent security incidents from happening in the first place.
- Security as a Business Issue. Board-level attention means security is maturing as a business issue. Probably the most impactful thing I’m hearing is about the growing involvement of the Board of Directors in addressing cyber risk. Two years ago, the average CSO when asked about their engagement with the Board would tell you that they were given space for half of a slide that was presented to the Board once per year by the CIO…without them in the room. That’s changed. The average CSO is more likely today to have a scheduled 45-minute briefing with the Board on a quarterly basis and that 45-minutes usually turns into 2 hours. Keep in mind that while this attention from the Board is driven by market demands and guidance from organizations like the National Association of Corporate Directors (NACD) that states that cybersecurity should be on the agenda of every Board meeting, it is also the byproduct of an evolving legal doctrine of strict liability of Board members for failing to exercise due care meaning that if they willfully ignore security concerns, they can be held criminally liable and face jail time. Watch for Boards to pay an increasingly important role in addressing cyber risk.
I’ll keep my eyes and ears open so that I can share insights like these with you in the future. Two things I suggest you pay attention to in the coming months:
- The quickly growing use of behavioral analytics in base-lining systems and individuals to identify abnormal behavior; and,
- The use of private intelligence services by private sector enterprises in an effort to get their hands on the meat behind some of the filtered intelligence they get from government law enforcement and intelligence services.
If you are interested in learning more about any of these topics, please reach out and we can schedule a briefing.