On the frontline

Ellouise Langeveld, Altron Karabina

---

Being on the frontlines is not for the fainthearted. According to a recent study from Tessian, one in five CISOs works more than 25 hours extra per week. Different research out of BlackFog shows that nearly a third of all of the CISOs surveyed were considering leaving their current role. They call it “the great CISO resignation” and whether it’s a work-life balance-led burnout, budget pressures, under-resourced teams or the increasing pressure placed on security leaders to perform, the role has expanded far beyond technological skills.

“Around the world, there has been a drive to optimise business costs and find new routes to market, and technology is the most common enabler to achieve both of these, says Greg Day, Cybereason’s vice president and global field CISO in EMEA. He says that too many boards still don’t have any cyber representatives. But this is changing, he adds, and businesses are waking up to just how dependent they’ve become on technology to function. Crucial connectors A CISO is the bridge between the technical and management side of an organisation. “It’s a crucial role,” says David Emm, a senior security researcher at Kaspersky. “They’re the glue and their job is basically to articulate a company’s cybersecurity strategy. A CISO is the way the board stays informed.” And in today’s security landscape, it’s never been more important for CISOs and board members to work closely together.

To effectively implement security and governance policies to go with a swift crisis response framework, the full support of the C-suite is crucial.

Sunny Tan, BT Group

“CISOs take charge of establishing security and governance policies, shaping a proactive cybersecurity strategy that aligns with business objectives,” says Sunny Tan, head of security for Southeast Asia, BT Group. “Their role has evolved to become essential in not just risk mitigation and crisis response, but in facilitating digital transformations as well.” Business leaders rely on expertise from the CISO to effectively address cybersecurity threats and protect the organisation’s financial and reputational wellbeing. “To effectively implement security and governance policies to go with a swift crisis response framework, the full support of the C-suite is crucial,” says Tan.

Karen Cherry, ESET’s COO, believes that CISOs need to get practical. “CISOs must convey to the board what the benefit of being proactive in securing the organisation from cyber threats looks like by sharing metrics that measure the cost of a breach, keep visible the financial cost saving should there be mitigation strategies in place, and by taking them through the detection and response steps to educate them and instil their trust in the process,” she says. The CISO will also need to select a cyber partner who will be with them in the boardroom to have these “difficult conversations”.

Glance at a CISO’s KPIs, and one area stands out: compliance. The need to meet compliance objectives is the way to do business with other regulated organisations. Checking boxes may bring better security to an organisation, but understanding compliance and privacy regulations are not ordinary IT endeavours.

Andrew Voges, Kaspersky’s general manager, Africa, says a significant amount of a CISO’s time is also spent on “paper security”.

“This is anything from filling out forms for the audit and compliance departments, to reviewing regulatory documents and assessing their applicability in practice,” he says.

CISOs wear dual hats – operational leaders engage in hands-on security, and governance experts ensure compliance. “There are two kinds of CISOs in Southern Africa. One is the operational CISO; they’re hands-on and running identity management programmes and a SOC. But then there’s another set of CISOs who are just governance guys,” says Rupesh Vashist, KPMG’s cybersecurity leader for Southern Africa. “The role is changing a lot for operational CISOs because they have a lot to contribute in terms of executive decisions.” Governance CIOs are more concerned about compliance, and their role has remained the same, he says.

This dichotomy aligns with the industry’s response to escalating complexities, emphasising collaboration and in-depth engagement with stakeholders as strategies in the face of regulatory scrutiny and potential fines following breaches.

“Ten years ago, cybersecurity was a part of IT, but now it’s a separate business. Where we used to engage with one person, the CISO, in today’s world, there are six people who you have to engage with on different levels. Siloing the departments has also made things a lot more complicated,” says Voges. “And now they’re segregating it even further by drilling into the details. It’s important because the fines that come with being breached are massive.”

Organisations of every size share a common obstacle – the cybersecurity skills gap. A study from (ISC) Research revealed that the cybersecurity profession needs to grow by 3.4 million people to close the global workforce gap, which, right now, is growing twice as much as the workforce, with a 26.2% year-over-year surge.

“The 2023 Official Cybersecurity Jobs Report by Cybersecurity Ventures suggests there will be 3.5 million unfilled jobs in the cybersecurity industry worldwide through to 2025,” says Bertrandt Delport, country host, BT South Africa. “In the face of such enormous supply constraints, the cost of cybersecurity talent is extremely high, leading to regular churn as skilled employees leave to pursue other career opportunities. It also makes it very difficult for smaller organisations and less well-funded industries to compete for cyber talent, leading to huge security risks.”

Bertus Engelbrecht, BCX’s senior manager for information security, breaks down his long-term approach to tackling the cyber skills gap with six steps:

1. Capitalise on ongoing cybersecurity programmes to strengthen the organisation from within. Talented non-security-focused employees with transferable skills can be found in other departments; making the cybersecurity programme more appealing to the entire workforce within the organisation increases the chances of having capable employees wanting to join.
2. Cyber talent is not defined by the number of certifications, or the number of tools and languages candidates know; it’s built on problem-solving capabilities, creativity, an analytical mindset, communication skills and passion. Equipped with these basic building blocks and with the right training, opportunities and mentorship, individuals can be shaped into cybersecurity practitioners that can tend to even the most technical cybersecurity challenges.
3. Hiring and retaining talented cyber staff will hinge on proper compensation, but can also include paying for certifications, and other non-financial incentives.
4. It’s important to create an environment where cybersecurity practitioners feel appreciated, with proper work-life balance planning and enforcement. One of the reasons for the high staff turnover in the cybersecurity space is mental fatigue and burnout, so maintaining a healthy work-life balance is essential to retaining skilled staff.
5. Invest in employee training by making continuous learning part of the company’s culture. Offer training, courses, and testing for certifications that are the most in demand. This makes your company attractive to new hires and can help increase your retention numbers.
6. Partner with universities to nurture talent and hire talent right out of college. Conduct assessments and contests to identify students who possess aptitude for IT security, and nurture them by offering scholarships, internships, and apprenticeships.

“Finding the sweet spot between cost reduction and risk reduction is a process that requires a deep understanding of the organisation’s unique risks, budget constraints and the ever-evolving cybersecurity landscape,” says Ellouise Langeveld, senior specialist: solutions, modern platform, Altron Karabina. “It’s important to adjust strategies to stay effective and efficient in managing cybersecurity risk.”

In order to get the most out of their budget, Langeveld recommends the following three things CISOs can do:

1. Conduct a comprehensive risk assessment to identify the most critical threats and vulnerabilities and focus resources on those.
2. Evaluate the potential costs of a security breach or incident versus the cost of implementing and maintaining security controls, and then prioritise investments in areas with a favourable cost benefit ratio.
3. Avoid over-investing in one-size fits- all products and rather look to implement security solutions that are tailored to an organisation’s specific needs and risks.

ESET’s Karen Cherry says CISOs need to focus on reducing the time it takes to detect, respond and mitigate future breaches. “In order to improve on risk reduction and determine financial cost, the board needs to agree to invest in systems and skillsets of its people who are able to detect quickly and respond faster, while ensuring processes are in place to keep improving this.”