A CISO's Strategy for 2020
- Advosec

- Jan 2, 2020

2019 was another busy year for the cybersecurity industry. Cyberattacks came in bunches, including many notable incidents within the healthcare and government sectors, while small businesses continued to find themselves desirable targets for criminals.
There was good in 2019, however. More organizations expanded their information security budgets and the hiring of security leaders came in bunches. The security industry also gained yet another year of experience defending against attacks, managing its vendor relationships, maximizing technologies, communicating with the business, and developing talent.
So what should CISOs be focused on in 2020?
Elevating the CISO Role
With so many newly appointed Chief Information Security Officers in the industry, we are bound to see a high disparity in experience, maturity, authority, and trust. Regardless of your tenure as a CISO, there is a near-certainty: you need to work on elevating your role this year!
Being a CISO is not easy. You have an overwhelming amount of responsibility to protect the business and are in charge of a program so complex that only you and possibly a few of your staff can wrap your heads around it. There’s so much involved in what you do that it’s possible you feel overwhelmed and under-appreciated. You sit in meetings and other leaders simplify cybersecurity to encryption, firewalls, and phishing.
Take ownership of this shortcoming and pile yet another large task onto your shoulders this year. Getting better at explaining what it is your team is responsible for should be at the top of your list. The purpose of this isn’t to get sympathy from your peers and other senior leaders. You need others to understand how much is involved in protecting the business because you need them to realize protecting the business cannot be achieved without their involvement.
Elevate your role by engaging other senior leaders of the business and giving them some skin in the game. This can be achieved through governance committees, tabletop exercises, and dropping the tech talk.
It’s important to remember that if you’re going to go out seeking more recognition, appreciation, and influence, you need to be prepared to deliver when you get to the top of this windy mountain. If you are not well-versed in business administration, budget management, strategic planning, communications, and more, it may be a good idea to bring in an executive coach or CISO consultant to assist.
Finding and Retaining Talent
According to (ISC)², there are nearly 3 million open positions in the cybersecurity industry. Even worse, several organizations attempting to forecast the situation don’t see it getting any better this year. So what is a CISO to do with this situation? Well, to start, you need to recognize that this is real and your employees have more options than they know what to do with. It’s up to you and your security leadership team to address this situation by making your program a desirable place to be a part of.
How do you do this? There are several actions you can take, both short- and long-term. First, make sure you are fighting for the budget to offer your employees educational opportunities. Cybersecurity professionals are curious and goal-oriented individuals. They want to continue challenging themselves and learn new crafts. That might be the reason they are in this industry in the first place, after all.
Speaking of challenging your employees, make sure you are keeping them involved in interesting activities. This benefits both them and the program. Look, someone needs to be responsible for configuring new firewall rules, but make sure they are also involved part-time in new technology implementations, design discussions, red/blue teaming, and more.
Finally, if you aren’t already looking within your organization for the next crop of cybersecurity talent, you are making a mistake. There are budding stars all around you, both in technology and operational roles. Identify motivated individuals with a high level of critical thinking and find out what it takes to add them to your team in associate-level roles.
Start Using Data to Your Advantage
If you aren’t already tracking endless metrics as a security program, start doing it right now. If you are, it’s time to start putting it to use in order to benefit the program and business. The data you collect as a cybersecurity program can be used in so many different ways, but there are two specific use cases CISOs should be aiming to leverage in 2020.
First, the data both you and the industry are collecting can be used to drive your strategic planning. Frameworks will help you lay the foundation of your program and serve an important role, but the decisions made about how to build onto that foundation should be driven by the data that surrounds you. There is no shortage of data in the cybersecurity industry. Countless institutions are collecting information about industry trends, threats, and more. Couple this with data of your own that outlines the trends specific to your business and then evaluate the marketing hype we experience each year. Whether it’s blockchain, machine learning, or phishing, it’s up to security leaders to use enough data to help them decide the validity of the hype and what the right decision is for their organization.
A data-driven approach will not only help you build a strategic plan tailored specifically to your business, it will also assist you in building some of the most bulletproof business cases you have ever created when it is time to sell an initiative to the CIO and other leaders. Presenting hard evidence through this approach may not always garner the results you are looking for, but you will sleep well at night knowing you did your due diligence and backed up your team’s vision with real data that supports the requests.
Make 2020 a Great Year!
As a CISO, make 2020 a productive year by becoming a more effective leader through elevation of your role, team building, and a data-driven approach. It’s unnecessary to put the entire burden of these initiatives on yourself. Empower your team to help you, leverage connectors within your organization, and partner with trusted advisors that have experience accomplishing such goals.
We are excited to continue bringing you valuable content, coaching, and consulting in 2020. Happy New Year from the entire Advosec team!


