Cultivating Security Culture as an Organization’s First CISO

Published On: May 2, 2023 | Categories: CISOs, Blog

The role of a CISO is multifaceted, encompassing not only technical expertise but also strategic planning and a deep understanding of organizational dynamics. One key challenge for first-time CISOs is identifying maturity gaps in cybersecurity processes, controls, and staff, leveraging existing tools to communicate efforts to the entire organization. As we journey through this article, let’s keep communication in mind. The CISO is not effective in a silo, but a cultural leader who must synthesize all relevant data, reaching out and bringing others into the cybersecurity fold.

In the most recent Business of Security Podcast featuring CISO extraordinaire, Allan Alford, we tackled challenges organizations face when they hire their first CISO. Allan has held the first-time gig several times over, and according to him, the first steps involve understanding the existing risks, identifying champions and allies within the organization, and recognizing potential adversaries who may not be supportive of the CISO role. He also emphasized the importance of aligning security efforts with the organization’s goals and interests. A successful security program should not place security above the business’s interests, but rather, should work in tandem to achieve overall success.

People love lists, so I’ve broken our conversation into six pillars of success. To create a robust security program and cultural revolution, first-time CISOs should consider the following:

1. Maturity assessment:

Understanding the effectiveness of current risk processes is crucial for developing a mature security strategy. This involves measuring the maturity of the processes and controls used to find existing vulnerabilities, identify potential threats, and prioritize risk mitigation.

The first step in conducting a maturity assessment is identifying and evaluating the organization’s key assets and the vulnerability-management processes and controls that protect them. These assets include critical data, intellectual property, IT infrastructure, and systems essential for the organization’s operations. According to the 2021 Data Breach Investigations Report by Verizon, 85% of breaches involved a human element, and 61% of breaches were caused by credential data. By understanding which assets are most valuable and sensitive, CISOs can better focus their efforts on protecting these resources.

Once gaps have been identified, CISOs must assess potential threats that could exploit these weaknesses. Common threats include phishing attacks, malware, ransomware, and insider threats. The 2021 Cyber Threat Landscape report by ENISA highlights ransomware as a significant concern, with a 150% increase in ransomware attacks from 2019 to 2021. By staying informed about emerging threats and attacker tactics, first-time CISOs can develop proactive security strategies to address these risks.

Given the limited resources available to most organizations, it’s essential for CISOs to prioritize mitigation efforts based on the potential impact and likelihood of exploitation. The 2021 Cost of a Data Breach Report by IBM reveals that the average total cost of a data breach is $4.24 million, with the healthcare industry having the highest average cost at $9.23 million per breach. By quantifying the cost of remediating the systems that support critical assets, CISOs can justify investments in security measures and allocate resources efficiently to protect the organization’s most critical assets.

2. Building relationships:

Establishing strong relationships with key stakeholders within the organization, such as IT and executive teams, can help foster a collaborative environment and ensure that security initiatives are aligned with business objectives.

In the first 90 days, it’s essential for a CISO to work closely with the IT team to identify and address the organization’s security needs. According to a 2020 study by PwC, only 44% of organizations have a dedicated CISO role, which means that, in many cases, IT teams handle security responsibilities. By forming strong relationships with IT teams, CISOs can gain a better understanding of the organization’s technology infrastructure, identify security gaps, and work together to implement effective security measures.

CISOs should also prioritize relationships with executive teams. A survey by the Ponemon Institute found that 68% of respondents believe that their CISO has a significant impact on their organization’s cybersecurity posture when they have a direct reporting line to the CEO. By fostering open lines of communication and maintaining regular updates with the executive team, CISOs can ensure that they have the necessary support and resources to execute their security initiatives successfully.

Ultimately, the goal of a CISO is to protect the organization’s assets and ensure that security initiatives are aligned with business objectives. A 2019 study by Deloitte revealed that organizations with a strong alignment between their security program and business strategy experience fewer security incidents and recover faster from those incidents. By building strong relationships with key stakeholders, first-time CISOs can create a collaborative environment that promotes a security-conscious culture and helps the organization achieve its goals while minimizing security risks.

3. Identifying allies and adversaries:

First-time CISOs should identify individuals within the organization who can help champion their security efforts, as well as those who may be resistant to change. By understanding these dynamics, CISOs can work to build consensus and mitigate potential roadblocks.

First-time CISOs should focus on identifying individuals within the organization who can help champion their security efforts. Allies may include IT team members, executives, and even employees from other departments who recognize the importance of a strong security posture. According to a 2019 study by Deloitte, 74% of organizations with high-performing security programs have a CISO with strong influence over organizational culture. By engaging these allies, CISOs can foster a security-conscious culture and gain support for their initiatives across the organization.

In addition to identifying allies, first-time CISOs must also be aware of potential adversaries who may be resistant to change or view security measures as an impediment to productivity. A 2020 survey by ESG and the Information Systems Security Association (ISSA) found that 36% of cybersecurity professionals believe that one of the biggest challenges they face is a lack of support from executive management. By recognizing these adversaries, CISOs can work to address their concerns, demonstrate the value of security initiatives, and build consensus around the need for robust security measures.

Understanding the dynamics between allies and adversaries within the organization enables first-time CISOs to build consensus and mitigate potential roadblocks. By engaging both supporters and skeptics, CISOs can foster open dialogue, address concerns, and create an environment in which security is viewed as a shared responsibility. A study by the Ponemon Institute found that organizations with strong security cultures experience 52% fewer cyber incidents than those with weak security cultures. By working to build consensus, CISOs can create a more resilient organization that is better prepared to face cybersecurity challenges.

4. Legal and regulatory compliance:

The role of the CISO has increasingly become tied to legal and regulatory compliance. This is evident in recent proposals by the New York Department of Financial Services (NYDFS) and the Securities and Exchange Commission (SEC), which emphasize the need for CISOs to report to boards and CEOs on cyber risks. First-time CISOs must stay informed on relevant regulations and ensure that their organizations remain compliant.

The regulatory landscape surrounding cybersecurity has evolved significantly in recent years, with a growing number of laws and regulations requiring organizations to implement robust security measures and report on their cybersecurity posture. According to the 2020 Hiscox Cyber Readiness Report, 61% of organizations surveyed experienced a cyber incident in the previous year, demonstrating the need for increased regulatory oversight. As a result, the role of the CISO has become increasingly intertwined with legal and regulatory compliance, as they are often responsible for ensuring that their organizations meet these requirements.

Recent proposals by the New York Department of Financial Services (NYDFS) and the Securities and Exchange Commission (SEC) have emphasized the need for CISOs to report to boards and CEOs on cyber risks. The NYDFS has proposed that there should be a CISO role that reports to the board and that CEOs and boards must sign off on and be accountable for mature cyber risk practices. Similarly, the SEC has released updated guidance that requires public companies to disclose cybersecurity risks and incidents, emphasizing the importance of the CISO’s role in maturity management and reporting.

First-time CISOs must stay informed on relevant regulations and ensure that their organizations remain compliant. This includes understanding the requirements of various laws and regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as industry-specific regulations like the Health Insurance Portability and Accountability Act (HIPAA). By staying informed on the latest regulatory developments, CISOs can proactively address potential compliance issues and ensure that their organizations’ security measures align with the expectations of regulators.

5. Cultivating a security-conscious culture:

Developing a security program is not solely about implementing technical solutions. It also involves promoting a culture of security awareness and encouraging employees to take ownership of their role in protecting the organization’s digital assets.

A critical aspect of cultivating a security-conscious culture is ensuring that employees are aware of the potential risks and their role in mitigating them. According to the 2021 Data Breach Investigations Report by Verizon, 85% of breaches involved a human element, highlighting the need for comprehensive security awareness training. By offering regular training sessions that cover topics such as phishing, password security, and social engineering, CISOs can equip employees with the knowledge and skills necessary to identify and prevent security incidents.

In addition to providing a mature security awareness training program, it’s essential for CISOs to encourage employees to take ownership of their role in protecting the organization’s digital assets. A survey by the Ponemon Institute found that organizations with strong security cultures experience 52% fewer cyber incidents than those with weak security cultures. By emphasizing the shared responsibility for security and promoting a culture of collaboration and communication, CISOs can ensure that employees are actively engaged in safeguarding the organization’s information and infrastructure.

Cultivating a security-conscious culture has numerous benefits for organizations, including reduced risk of security incidents, increased employee engagement, and improved overall security posture. According to a study by the CyberEdge Group, organizations with a strong security culture are 70% more likely to have effective security programs than those with weak security cultures. By fostering a security-conscious culture, first-time CISOs can create an environment where employees are more vigilant and proactive in identifying and addressing potential threats, ultimately contributing to the organization’s long-term success.

6. Balancing technical expertise with business acumen:

CISOs must navigate the complexities of security technology while also understanding the needs and priorities of the organization. This requires balancing technical know-how with a strong grasp of business strategy and organizational dynamics.

The ability to communicate effectively with various stakeholders within the organization is a critical skill for CISOs. In addition to their technical expertise, CISOs must be able to translate complex security concepts into terms that non-technical stakeholders can understand. According to a 2019 study by Deloitte, 79% of organizations with high-performing security programs have a CISO who can articulate the value of security initiatives in the context of the organization’s overall business strategy. By bridging the gap between security and business teams, CISOs can ensure that security initiatives align with the organization’s goals and objectives.

Developing a strong understanding of the organization’s business strategy and dynamics is crucial for CISOs to succeed in their role. This business acumen enables them to prioritize security initiatives based on their potential impact on the organization’s bottom line and to adapt their security strategies to the organization’s evolving needs. According to a 2020 ESG survey, 36% of cybersecurity professionals believe that their biggest challenge is a lack of support from executive management. By demonstrating an understanding of the organization’s business objectives, CISOs can gain the support they need to implement effective security measures and mitigate potential risks.

It’s time to create your pillars for success. Write them on the wall, pin them on your coat, spray-paint your list across your front door if you must. With these pillars in place, CISOs can create a more resilient and adaptable security program that’s driven by clear and concise communication and supports the organization’s strategic goals. Building a security program from scratch as a first-time CISO is a complex undertaking that requires a strategic approach, strong relationship-building skills, and a deep understanding of the organization’s unique challenges and opportunities. By focusing on risk assessment, cultivating a security-conscious culture, and aligning security efforts with business objectives, first-time CISOs can successfully develop and implement a robust security program that meets the needs of their organization.