CISO Voices: The CISO as a Storyteller—Part 6
There are few, if any, industries safe from cyber criminals. But it’s fair to say that some industries find themselves targeted by threat actors more than most.
As a security leader in the legal industry, Christian Toon has seen his fair share of cyber attacks—some successful, others not. In a recent discussion with Jenny Radcliffe for the “Human Factor Security” podcast, Christian discussed his experience, the security skills gap and much more.
The following is a summary of their conversation.
A look at the legal sector
Over the past 12 to 18 months, we’ve seen a definite increase in attacks targeting the legal and professional services sector.
There are many cases in the public domain where cyber criminals have used spear-phishing attacks against law offices, for example. So even though we’re seeing an increase that feels en masse, these attacks are highly targeted to the organization and the individual.
Phishing emails are still a huge pain point. In an industry where content is constantly shared backward and forward via email, well-written malicious messages are tough to spot.
The worry with phishing is that technology only takes us so far. Email is a universal medium that we need in order to communicate, and businesses need to click on that link or share those documents as an attachment.
On the evolution of the CISO
The chief information security officer (CISO) role has grown immensely in terms of its responsibility and the focus it gets in corporate environments. We are now seen as the go-to person for support and advice around the risks facing an organization.
Boards are realizing that if cybersecurity isn’t among their top risk factors, it should be. There are few other areas where a business can be taken down in 60 minutes or less. Barring some seismic disaster or natural event, nothing else has the same power to disrupt a business to that degree.
But while it has grown in scope and responsibility, we mustn’t deal with the role in isolation. Information security (infosec) is a team sport. You need everyone on board, from the front of the house to those behind the scenes, and across all departments and levels of an organization.
To do this, we need to remove some of the barriers we arguably put up ourselves in infosec—the buzzwords and the hype. We must also understand that people don’t care about certain concepts like zero trust. Most don’t understand it in practical terms. So, we need to translate this kind of language and relate it to people’s daily roles.
Is the skills gap an attitude gap?
Our industry has been talking about the skills gap and shortages for some time now. But I think part of it is more of an attitude gap. Employers are still searching for candidates with a preconceived view of what a security person looks like.
Many businesses still want people who are happy with a suit, shirt, tie, formal office environment, rigid career structure and little development. But there are fewer people like that out there. On the other side, some are coming to the workforce with perhaps overinflated expectations of what roles they are suitable for. This disconnect makes it very difficult to manage expectations.
We need to step back and look at what makes a job attractive to today’s employees. Our industry is not a top payer. So how else can we make our roles desirable to potential hires?
There are government initiatives aimed at changing these perceptions and encouraging a younger and better-prepared demographic. But there’s still a lot more work to do.
In the meantime, I think we’re going to see a greater shift to outsourcing as organizations struggle to get the resources they need in-house. And the longer they go without those people in place, the more exposed they are—and the worse the situation is going to get.
Want to hear more from CISOs?
Also, download our 2022 Voice of the CISO report to find out how our industry is adapting post-pandemic and the part people play in putting organizations at risk.