Source: www.csoonline.com – Author:
From escalating cyber threats to questions about resources and security’s role in the enterprise, cyber leaders are reshaping their agendas to address several key long-standing and emerging concerns.
To outsiders, the CISO role may seem straightforward: Secure the tech stack.
But CISOs know that their job, which in its earliest days may have been narrow in scope, now comprises a huge array of responsibilities.
Although CISOs say each of those duties is critical, they cite a group of issues that are top of mind for them. Here are 10 that now dominate the CISO agenda.
1. A massively expanded threat landscape
The volume and velocity of threats coming at organizations continue to grow, as does the sophistication of the attacks, says Jon France, CISO of ISC2, a nonprofit cybersecurity training and certification organization.
“It’s the most challenging threat landscape we’ve seen in the last five years,” France adds.
At the same time France says the typical organization’s attack surface has expanded, creating a much larger and more complicated environment to defend.
The combination of the two — the growing threat landscape and the expanding attack surface — has CISOs “pulled across all the compass points,” he adds.
2. Protecting a moving target — without introducing digital friction
CISOs must not only protect their expanding environment against an ever-increasing volume of threats, but they must do so even as the environment and business needs change, and change at an ever-faster clip.
“Emerging technologies is arguably the most enduring perennial issue; however, the rate of change is accelerating at an accelerating rate,” says Vandy Hamidi, CISO of BPM, an accounting and consulting firm.
Moreover, Hamidi says he and other security chiefs must contend with all that rapid-fire change in ways that help the business grow and evolve; in other words, security can’t bring friction that hurts the business in the marketplace.
“While I need to focus on reducing overall risk to the firm, I must also consider the effects of my decisions on our firm’s mission, our colleagues’ productivity, and our clients themselves,” Hamidi explains.
To meet these modern demands, he works with his firm’s CIO “to build a strategy based on rapidly changing information. Our approach is a combination of adoption and adaption, embracing the potential while addressing the risks.”
3. An ‘avalanche of regulations’
CISOs also cite as a top issue the lengthening list of regulations that govern their work.
Niel Harper, CISO for Doodle and a board director with the IT governance association ISACA, calls it an “avalanche of regulations.” He points to the recent arrival of the NIS2 Directive in Europe and the EU’s Digital Operational Resilience Act (DORA) as two recent examples of the legal demands with which CISOs must comply.
“There are so many compliance requirements that now take up quite a bit of my time,” he adds. “It’s a lot of work.”
The volume is just part of the issue. CISOs say they’re also contending with myriad regulations that have different and sometimes even conflicting demands. They’re also dealing with regulations that vary by region.
Rex Booth, CISO of SailPoint, maker of identity and access management systems, calls it “regulation disharmony.”
“All these regulations are trying to accomplish mostly the same thing — the security of products, the data being held, and the organization itself — but they ask about it and pursue it in a variety of different ways,” he says. “They’re not always at odds, but they don’t harmonize well. And that makes life difficult.”
4. Third-party and supply chain risk
Multiple CISOs also list third-party and supply chain risk as a top concern today.
“Because companies have less control over the security of their supply chain vendors, there is a vulnerability with respect to attacks on those third parties that can impact the companies that use them,” explains Jamil Farshchi, executive vice president, CISO, and CTO of Equifax.
Although Farshchi says this isn’t a new area of concern, “companies are using more and more third parties and third-party software, including open source.”
Meanwhile, attackers are having more success with supply chain attacks, which — of course — has elevated supply chain security on the CISO agenda, he says, adding that CISOs are putting more emphasis on knowing their vendors and the components in their software as a way to counter the threat.
5. Increasing liability for the organization’s security
When the US Securities and Exchange Commission (SEC) in 2023 charged software company SolarWinds and its CISO, Timothy G. Brown, with fraud and internal control failures, CISOs everywhere took note — as they should. It was the first time the SEC had charged a CISO.
Other CISOs in recent years have faced new levels of personal liability, too, further upping the risks that professionals assume when they step into chief security roles, France says.
As a result, France sees more CISOs demanding coverage under directors and officers (D&O) liability insurance and ensuring the authority they have in their organizations matches the legal and regulatory accountability levels they now face.
6. Securing AI within the enterprise
CISOs are contending with artificial intelligence as much as any other executive in the C-suite, as they race to secure the AI used within their organizations — and working to do so in ways that don’t slow their organization’s adoption of the technology.
“CISOs are trying to get their arms around AI, but it’s evolving faster than they can,” says Nick Kathmann, CISO of LogicGate, a risk management and compliance solution provider.
7. Protecting the organization from AI-enabled threats
Pam Lindemoen, CSO and vice president of strategy for the Retail & Hospitality ISAC, says the retail and hospitality industries — like many others — have seen “a massive increase in fraud and scams.”
And while scams are not new, she says, “they are being supercharged by generative AI tools that fraudsters are using to create realistic content. A common scam is to post fake listings on a legitimate travel booking website or app. These listings look authentic thanks to AI-generated text and images.”
Other security leaders also report worries about hackers’ use of AI to create more powerful attacks.
“They’re using AI to maximize the quality and scale of traditional attacks. Social engineering, in particular, is really aided by AI. Scattered Spider used social engineering and help desk agents to breach a number of organizations, but using AI voice cloning makes it even easier to execute this attack. Add deepfakes to legacy attacks like fake CEO messages or business email compromise (or to dupe people into joining meetings with AI avatars), and the scales have massively tipped in the attacker’s favor,” Farshchi says.
Although CISOs are worried about adversaries’ use of AI, they’re also strategizing on how they can use AI to most effectively counter attacks. In fact, the Metomic survey found that four-fifths of surveyed security leaders “plan to implement AI-powered tools to fight emerging AI-based security schemes and threats.”
8. Adequate resources
Securing adequate resources — particularly on the talent front, but also when it comes to budget — is still a top concern for many CISOs, France says.
Figures from the 2024 ISC2 Cybersecurity Workforce Study show why: There are still too few workers to meet the workforce demand.
In fact, ISC2 estimates the shortfall to be 4.8 million in 2024, with the size of the active cybersecurity workforce at 5.5 million globally while the total workforce needed is 10.2 million. The 2024 gap between available workers and demand is 19% higher than it was last year.
Booz Allen Hamilton CISO Amanda Cody also raises the issue, saying, “Cybersecurity is all about people. To perform the mandate of the CISO, we need to attract and cultivate teams representing a variety of skills, backgrounds, and perspectives.”
Cody adds: “Finding that talent is an ongoing, perennial, and fundamental issue. We must ask ourselves: Do we have the right people in the right roles doing the right work? Are we building them up and supporting them properly? Do we have a strong pipeline of new talent coming in? To ensure we’re establishing our talent pipeline, we’ve been elevating security roles at a variety of levels across the organization. In my mind, that’s the loudest action an organization can take to demonstrate they’re invested in taking cybersecurity seriously.”
9. Security’s role (and stature) in the organization
Building a true, robust security culture across their organization is another top-of-mind issue for CISOs today — as it has been for many years, multiple sources say.
It remains a top concern because many find that security remains in its own silo, treated often as an afterthought, says Theresa Lanowitz, chief evangelist for LevelBlue, a managed security service provider.
Too often CTOs, CIOs, and innovation teams don’t include security at the start of projects, she explains. And many CEOs, boards, and other C-suite leaders don’t yet see security as a business-enabler or core to the company’s work.
“Cybersecurity,” Lanowitz adds, “is still not part of the fabric.”
Lanowitz sees improvements, however, as more organizations adopt secure-by-design principles and DevSecOps practices, and as more CISOs advocate for and land equal footing with other executives.
“We’re seeing more organizations embrace security from the top down and see it as a business requirement and not just a technical problem,” Lanowitz says.
10. Achieving operational excellence
In addition to all the issues that might arise one year to the next, CISOs say they continue to focus on achieving operational excellence — an always challenging and complex task.
“While the basics of a cybersecurity program remain fairly constant, the protection of operations and data involves constant navigation of new technologies and dynamic threats,” Cody says. “Cybersecurity updates need to integrate seamlessly with existing systems, which requires a deep understanding, at an operational level, of the business activities you’re protecting and securing. Cybersecurity teams need to be ahead of the curve, not playing catch-up.”
Original Post url: https://www.csoonline.com/article/3587231/the-10-biggest-issues-cisos-and-cyber-teams-face-today.html
Category & Tags: CSO and CISO, Cyberattacks, Incident Response, IT Strategy, Regulation, Risk Management, Security