CISO Voices: The CISO as a Storyteller—Part 3
Have you ever wanted to listen in on the confessions of a chief information security officer (CISO) adviser? Thanks to Jenny Radcliffe and the CISO Voices podcast series, you can. Jenny recently sat down with CISO-for-hire Todd Wade to discuss confusion around the role of the CISO and much more.
Here’s a summary of some key points that Todd shared during this discussion.
On the CISO’s struggle to find a home
Working across many organizations, I see a similar struggle when it comes to the role of the CISO. For some, it’s a technical security manager, overseeing information security across the business, but they’re unclear on exactly what that entails. Across the board, many businesses are unsure precisely what a CISO should do and who they should report to.
This disconnect can cause a governance issue. If the CISO doesn’t have the authority and accountability to make decisions concerning risk, then such calls are at the discretion of the chief technology officer (CTO) or a similar role. Of course, there are some fantastic CTOs, but this shouldn’t matter. The CISO and the CTO should be peers working in partnership rather than one reporting to the other.
The United States is now moving to a model where cybersecurity expertise is a board-level requirement. The United Kingdom needs to head this way, too. Some organizations have learned from their past troubles and their CISO is no longer reporting to the CTO, or similar. The board now wants to hear directly from the person in charge of information security, and I think that’s an important change.
The importance of personal cybersecurity
CISOs and cybersecurity teams must take care to speak the right language when communicating our message. This is true whether talking to the board or to peers. Good security posture requires the whole business, not just the security team. So, we need to build relationships.
One way to do this is to make it personal. People are more likely to have an “aha” moment when they can see how a hack or compromise impacts them. Unfortunately, I know of at least one senior executive who did not care about corporate security and would click on any link without a second thought. Until, of course, such a click led to the compromise of his personal financial accounts.
So, we need to combine the message and show people that good security habits can protect them and their employer. When you teach people how to improve cyber posture for their families and themselves, it connects with them better, and those same habits carry over into the workplace.
The repeated rise of ransomware
Everyone knows about ransomware. Whether they work in the industry or not, they understand the concept—because, really, we’re talking about extortion.
The aim of cyber criminals is to continue that extortion for as long as possible. They will use any emotional driver to their advantage, whether that’s COVID-19 or the war in Ukraine. These individuals have no shame—and that’s part of the reason they get through. And the chances are, they will get through.
Keeping these threats out is both difficult and expensive. That’s why the conversation is shifting to a place where all organizations should assume they will be hit with a ransomware attack. The question then becomes: How resilient are you – and how fast can you recover?
Want to hear more from CISOs?
Head to CISO Voices to listen to Jenny’s interview with Todd in full and find more episodes.
Jenny’s Human Factor Security podcasts also feature further insights from cybersecurity experts. Look out for our next CISO Voices blog post to discover cybersecurity insights from Daniela Almeida, CISO at Dutch fintech firm, Tinka.
Proofpoint CISO Hub
Visit our CISO Hub to get regular updates on cybersecurity research, insights and resources specifically for the global CISO community.
Proofpoint Ransomware Hub
Also, be sure to check out the Proofpoint Ransomware Hub to learn more about this threat and how Proofpoint helps organizations defend against it.