CISOs: Heroes Without Demonstrable Results?

CISOs: Heroes without demonstrable results?

CISOs are usually responsible for the right cybersecurity strategy and are therefore faced with a Herculean task, says Olaf Petry from Hornetsecurity.

The position of Chief Information and Security Officer (CISO) is increasingly coming into focus. However, the challenge of this role is greater than one might think. The aim is to set up an efficient strategy to protect the company that every employee can understand and help shape. The human factor is the biggest security risk for any cybersecurity strategy. Figures show that continuous training is required to maintain the attention of the workforce. Even a break of just a few weeks can lead to a significant drop in security awareness.

At the same time, unlike other positions, the success of a CISO is measured by events that do not occur. This in turn makes measuring success much more difficult: as long as there is no incident, the need for a CISO is questioned. It is only when an incident occurs that the focus shifts to the CISO. This often means that the CISO’s security strategy was not elaborate enough. However, the problem lies elsewhere: For companies, the question is not whether an incident will occur at some point, but when – and how well they are prepared for it.

Does great simplicity come with great risk?

The success of a cyber security strategy is therefore measured, among other things, by how long there are no relevant security incidents and how quickly they can be responded to. The crux of the matter is to keep the procedures as simple as possible so that the entire workforce can follow the strategy while still offering the best possible protection. It is important to take into account the world in which employees live.

The most frequently used tools sometimes provide the greatest points of attack. For example, unexpected security vulnerabilities can arise, particularly when using Microsoft365. Files are shared via a link, and with the wrong access rights settings, anyone who has the link can access the content – a gateway for hackers. One way out of this predicament is to implement effective authorisation management and use additional tools for monitoring. This makes it possible to ensure with little effort that only authorised persons have access to sensitive data, and that incomplete data – for example after the termination of an employee – is eliminated as quickly as possible.

ISO27001 certification provides insights

But how can the success of a CISO be measured? The documentation currently being prepared for the planned ISO27001 certification provides insights into this. Key indicators for a good measurement of success are:

  • Coverage of security scans
  • Number of security incidents both with and without human cause
  • Coverage of employee training
  • Results from phishing simulations
  • Extent of encrypted hard drives on user computers
  • IT systems with virus scanners installed
  • Number of serious risks from risk analysis
  • Duration until a new patch with medium or high criticality is installed

Olaf Petry

Olaf Petry

is CISO at Hornetsecurity.