Once a very technical IT job, the role of the CISO has now pivoted into one with more challenges, pressures and responsibilities than ever before. In fact, 71% of CISOs consider themselves more stressed than other C-suite roles within the business. With the company's reputation on their shoulders, it's no surprise that Chief Information Security Officers are feeling the pressure: they are constantly juggling daily IT tasks, managing surprise threats, testing or integrating new technology, and more. Learn how to manage challenges like AI, data access and vendor fraud prevention with Trustpair.
1. Security pressures
One of the main responsibilities of senior IT staff is to prevent and protect against security attacks. CISOs and their employees are therefore always weighing the security risks and expectations associated with their organizations, and this brings huge pressure. One famous example of CISO security pressure arose when Uber faced a significant security threat in 2016: the personal details of 57 million customers were accessed. The pressure was clearly mounting, as the CISO paid the hackers $100,000 to keep things quiet. That same CISO was later fired when a new CEO was appointed in 2017 and disclosed the attack.
There's no all-in-one fix for security pressures in the CISO role, especially because handling them is a significant part of the job. But IT teams can relieve the pressure by setting up strong internal policies and internal controls to keep a tight lid on operations. For example, having an incident response plan ready before an attack lets CISOs act methodically and follow the steps laid out, instead of reacting with emotion. In the example above, such a plan would have made clear that paying the cyberattackers was not in the organization's interest, and following it may have saved the CISO's job.
2. Alert fatigue
IT teams are constantly monitoring their systems for vulnerabilities, threats and errors. In fact, with hundreds of different factors monitored at once, it’s likely that the CISO is facing notification after notification. For example, IT teams might get pinged when:
- fellow employees need troubleshooting.
- accounts request access to documents.
- suspicious transactions are carried out by unverified customers or vendors through the supply chain.
- emails have been flagged as spam or phishing attempts.
- and even more!
At some point, the stream of notifications stops getting real attention; this is known as alert fatigue. Combatting alert fatigue is all about exercising those prioritization muscles. This means automating the handling of as many alerts as you can (the low-priority ones). It can also mean ensuring that notifications are routed to the right team members. The CISO's priorities sit at the top, so only the highest-severity alerts should reach them, which limits the chance of alert fatigue setting in.
3. Digital transformations
Undergoing a digital transformation is not for the weak. While CISOs are typically among the best-informed members of the company, it can take a lot of time and resources to educate stakeholders into making the leap.
Adobe felt the pains of digital transformation when it transitioned its products from physical (on-premise) to cloud-based back in 2010/2011. Anticipating disruption for customers, the team took a strategic approach to reduce both tension and churn. Adobe hosted a conference in which every talk, panel and discussion mentioned the benefits of cloud technology. They primed the audience to believe that cloud-based apps were the only way forward, and made sure attendees knew that Adobe could successfully move with the times. Launching the transformation with 24/7 online support (through social media) also helped answer customer queries and concerns in a timely manner, keeping users satisfied. This digital transformation strategy became one of the most successful pivots in history, even though the team reported "lots of customer protests at first". The CFO later stated that their strategy was to "over-communicate like crazy".
But it’s not just large and long-standing companies that know the pains of change management. If you’re a CISO facing significant pushback from internal or external stakeholders, ensure you effectively communicate the benefits, educate your audience and get them on side.
4. AI threats
As technology evolves, so do the tools that fraudsters use to take advantage of businesses. All of the buzz around AI in financial technology means that cybercriminals have developed some crafty ways to threaten the IT operations of a business.
New research shows that 54% of CISOs feel their team is unprepared for AI threats, and some have even stopped using AI technology due to the risk of a breach. AI and cybersecurity problems are not only detrimental to privacy; they can also limit a firm's operational resilience as it strives to keep providing top-quality services to customers. Overcoming AI threats means proactively investing in your cybersecurity goals for 2024. Use automated malware detection software to spot suspicious activity, and set up controls to stop detrimental actions from harming your firm. And fight fire with fire: learn about the tools and stay at the top of the AI game by taking advantage of them yourselves.
5. Risk and compliance
The risk and compliance stress is real, with 66% of CISOs concerned about personal, legal and financial liability in their role. Since the buck ultimately stops at C-suite level, any data breach is likely to lead directly to regulatory compliance problems. Preventing risk events from materializing is only half of the CISO's problem; responding after a breach is equally important. That's why hiring a battle-hardened CISO has its advantages and builds trust with stakeholders. In particular, it's useful for solving risk and compliance challenges: experienced CISOs can pick the right moment to communicate, and report the most important information when required.
One such example happened only recently at Okta, where the team experienced two cyber data breaches within 18 months. In the first breach, the Okta team chose not to notify customers immediately, instead taking two months to make the news public. CISO David Bradbury later called this a mistake, and upon the second breach the Okta team were more timely with their communications. This not only helped Okta stay compliant, but also helped the company keep the trust of its customers.
Risk and compliance challenges are easier to solve when the IT team isn't siloed. Instead, encourage collaboration between the CISO and the compliance team: the two Heads can combine their expertise to build a far stronger barrier.
6. Operational Resilience
Operational resilience refers to the ability of a business to continue to operate 'as normal', even under strained conditions such as a cyberattack. Some vendors are required to perform operational resilience testing as part of their regulatory compliance; this testing gives the CISO realistic insight into how the service's output would change under threat.
Real-life case studies of operational resilience include:
- During the Covid-19 pandemic, many in the banking industry were told to work from home. Financial institutions had to securely provide remote working to these employees without interruption, to ensure that customer service could be maintained.
- Nokia failed to respond to the competition of Apple and Android in the early 2010s, unable to pivot its offering and innovate. This poor operational resilience ultimately led to the downfall of Nokia.
- Ticketmaster was hacked when a third-party supplier, its customer service portal, was compromised in May 2024. Fortunately, Ticketmaster was able to shut down this part of its system and notify customers of the data breach. This maintained operational resilience, but not before a large amount of sensitive information had been stolen.
While it's challenging, companies can improve their operational resilience through regular practice. Performing regular security audits and stress tests helps identify vulnerabilities that need to be prioritized. Moreover, building contingency plans into risk assessments gives IT employees a governance guide for their response during operational challenges.
7. Cloud architecture
Cloud architecture refers to all of the components required to provide remote digital storage in the online environment. These days, most companies operate with cloud storage capabilities, since it's cheaper, larger, and can be more secure than on-premise data infrastructure. While migration to the cloud can be difficult, it's covered pretty well in the section on digital transformation above. So instead, we'll talk about another of the biggest challenges associated with cloud architecture: keeping your data both secure and available.
CISOs can meet this challenge by putting thought into two different policies:
- How to classify the data
- How to monitor the data
Classifying data helps ensure that the right information is made available, while locking away the material that's unlikely to be required. For example, if records are only being kept for regulatory or audit purposes, they can be classified as such and secured away. By contrast, data required for account authentication must be within easy reach.
Continuous data monitoring also falls under the remit of the CISO, or rather the decision of which automated platform to use does. Leaders who choose an automated solution will typically find it more cost-effective than requiring a team member to periodically check on the information storage, and it's also less likely to result in mistakes or breaches.
8. Third party risk management
Finally, third-party risk management represents a key challenge for CISOs. That's because with every third-party supplier, provider and piece of software you bring on board, you're exposing the company to a new line of attack from fraudsters.
The construction company Sade Telecom became a victim when one of its suppliers was imitated by fraudsters. The attackers requested a change of bank details (by post) for a known supplier, and Sade Telecom had no reason to doubt the request. It sent subsequent invoice payments to the new bank account. It wasn't until the company received a 'late payment' notification from its real supplier that it realized the payment change was a scam.
Fortunately, Sade Telecom now works with Trustpair to manage third party risk, like payment fraud. They now perform comprehensive account validation checks at the beginning of any new vendor relationship, and ongoing monitoring with every payment.
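An added example, not Trustpair's code or Sade Telecom's process, of the two controls just described: an onboarding account-validation flag checked on every payment, and a per-payment check that holds any payment to bank details that have not been confirmed out of band since they were last changed (the pattern in the Sade Telecom case). The vendor names, account strings and record fields are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Vendor:
    account: str                          # bank account currently on file (may have been edited)
    onboarding_validated: bool            # account validated when the vendor was first set up
    account_changed_on: date              # when the account on file was last edited
    account_confirmed_on: Optional[date]  # last out-of-band confirmation (call to a known contact)

@dataclass
class Payment:
    ref: str
    vendor: str
    account: str      # account the invoice asks to be paid into
    amount: float

def check_payment(p: Payment, vendors: Dict[str, Vendor]) -> List[str]:
    """Return the reasons to hold a payment; an empty list means it can be released."""
    v = vendors.get(p.vendor)
    if v is None:
        return ["vendor not in master data"]
    reasons = []
    if not v.onboarding_validated:
        reasons.append("onboarding account validation not completed")
    if p.account != v.account:
        reasons.append("invoice account differs from account on file")
    # A change of bank details is only trusted once it has been confirmed out of band,
    # through a contact that existed before the change request arrived.
    if v.account_confirmed_on is None or v.account_confirmed_on < v.account_changed_on:
        reasons.append("bank-detail change not confirmed out of band")
    return reasons

def review_batch(payments: List[Payment], vendors: Dict[str, Vendor]) -> Dict[str, List[str]]:
    """Map each payment reference to its hold reasons (empty list means release)."""
    return {p.ref: check_payment(p, vendors) for p in payments}

# Constructed sample data (hypothetical vendors and account strings): 'Acme Cables' had its account
# changed by a posted letter that was never confirmed; 'Beta Fibre' confirmed its change by callback.
VENDORS = {
    "Acme Cables": Vendor("ACCT-ATTACKER-0001", True, date(2024, 3, 1), date(2023, 6, 15)),
    "Beta Fibre": Vendor("ACCT-BETA-0002", True, date(2024, 2, 10), date(2024, 2, 12)),
    "New Subco": Vendor("ACCT-NEWSUB-0003", False, date(2024, 3, 5), None),
}
PAYMENTS = [
    Payment("INV-1001", "Acme Cables", "ACCT-ATTACKER-0001", 48200.00),
    Payment("INV-1002", "Beta Fibre", "ACCT-BETA-0002", 1250.00),
    Payment("INV-1003", "New Subco", "ACCT-NEWSUB-0003", 900.00),
]
```

Running `review_batch(PAYMENTS, VENDORS)` holds INV-1001 and INV-1003 and releases only INV-1002; a payment addressed to a vendor missing from the master data is held as well.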
As a CISO, bringing Trustpair's services into your arsenal of tools will enable your team to reduce the risk of third-party fraud and help you manage your vendor list with ease.
Demo Trustpair to see how it could benefit your organization.
Overcoming the top 8 CISO Challenges 2024
For CISOs, the eight most important challenges to the role have been identified as security pressures, alert fatigue, digital transformations, AI threats, risk and compliance, operational resilience, cloud architecture and third-party risks. Apply best privacy practices, internal controls and systems like Trustpair to protect your company, and your role as CISO.