With the digital-first economy showing no signs of decline, the role of the chief information security officer has become increasingly important to protecting an organization. However, digitalization has left today’s CISOs facing a myriad of unprecedented obstacles in doing so. In fact, according to the State of the CISO 2023 report, nearly 90 percent of CISOs say that the rapid deployment of digital services has generated unforeseen risks in securing their organization’s critical business data. All of these issues have not only transformed the CISO role but also created new security risks and changed organizational priorities.
In the aforementioned report, conducted by independent research firm Global Surveyz and commissioned by Salt Security, 300 CISOs/CSOs worldwide shared their experiences, including their biggest professional and personal challenges, due to digital transformation. This article takes a deep dive into a few of the top findings, including:
- Concerns over personal litigation stemming from security breaches
- Lack of a qualified cybersecurity talent pool to meet new requirements
- New security risks stemming from the speed of AI adoption
Concerns over personal litigation stemming from breaches
Many CISOs remain anxious about the future of their role, particularly in regard to the extent to which they may be held legally responsible for cyber incidents. The guilty verdict given to Joe Sullivan, former CSO of Uber, and other high-profile CISO lawsuits have contributed to this concern. The State of the CISO 2023 report found that concerns over personal litigation due to breaches represent the number one personal challenge of CISOs worldwide. Forty-eight percent of CISOs say they have concerns over possible litigation stemming from breaches, in which they could be found personally liable and place their own livelihood at risk.
However, at a time when the role of the CISO is more important than ever, the potential impact of these concerns could be grave for businesses. Qualified CISOs might consider simply passing on the top job altogether or taking a role a level below CISO, impacting an organization’s ability to hire the best candidate. In addition, some CISOs may require indemnification, insurance or excessive compensation in order to make up for the increased personal risks, increasing business costs.
Executive leadership must work to ensure that CISOs do not bear the burden of potential security breaches alone. CEOs, CIOs and other C-Suite leaders are critical to creating a collaborative security culture. Executives must communicate about security frequently and company-wide, alongside the CISO or CSO. They must also have processes in place in the case of a cyber incident and ensure that all stakeholders are informed should an event unfold.
Organizations also have a responsibility to ensure that security teams have the right solutions in place to mitigate threats. Emerging security risks are frequently closely intertwined and overlap. Consider application programming interfaces, for example. APIs transport the critical data driving digital services, making them a key component for both internal and external communications and services. Companies need to prioritize comprehensive security solutions that provide visibility across the entire infrastructure to quickly identify and defend against threats. With greater visibility and context, CISOs can demonstrate progress on risk mitigation and reduce security control gaps, lowering the risk of personal liability as a result of a breach. If CISOs lack the needed visibility, they can’t detect or prevent potential threats, ultimately setting them up for failure.
Lack of qualified cybersecurity talent to meet new requirements
The modern CISO is faced with multiple challenges, and it’s no exception when it comes to hiring qualified cybersecurity talent. Because digital services introduce new types of cybersecurity attacks, defending against them demands new knowledge and capabilities, making the hiring of qualified talent essential. Ninety-one percent of CISOs say that hiring and retaining qualified cybersecurity talent is critical to their ability to deliver digital transformation initiatives. However, CISOs face troublesome talent shortages. In fact, CISOs cite the lack of qualified cybersecurity talent as their top security challenge resulting from digitalization. Finding and recruiting qualified cybersecurity workers is essential but increasingly difficult as there is a shortage of candidates with the skills needed to fill these roles.
To meet this need, some organizations have gone global, as shown by a recent spike in international hires. Assuming candidates can get adequate sponsorship, there can be a big upside to building a diverse cybersecurity team, particularly if an organization has plans to expand globally.
Another solution to the talent shortage is to lean on artificial intelligence. AI tooling could very well be one of the compensating factors organizations can embrace to make up for the gap in skilled talent—at a minimum, AI-driven security solutions will need to help organizations bridge that gap.
New security risks due to the speed of AI adoption
The speed of AI adoption is drastically impacting the CISO role, making it even more complex. The rapid rise of AI in virtually every industry has transformed the security landscape, and CISOs are right to be concerned about how this dynamic will affect their organizations. AI serves as a unique cyber defense tool with its ability to quickly analyze large volumes of data and assess and learn from potential attacks. However, AI can also be a security threat, as bad actors are always on the lookout for new ways to attack.
Cybercriminals have already turned to AI for its ability to provide new ways to attack organizations’ infrastructures, allowing them to harness AI to launch novel and sophisticated attacks at scale. Using more widely available generative AI technologies, such as ChatGPT, for example, bad actors can generate malicious emails and even script attacks at a much faster rate. CISOs must always understand the adversary, and understand that the adversary is using AI. As CISOs learn to navigate the associated threats and security ramifications of AI, they must also learn to harness AI “defensively” for their organization’s security. By harnessing the power of AI for good, CISOs will be better equipped to “catch” and stop AI-driven attacks and safeguard their organizations and their customers’ critical assets.
Being on the security front lines, CISOs feel the risks of digitalization most sharply, and as a result of the rapid pace of the digital-first economy, the role of the CISO has drastically transformed. The lack of qualified cybersecurity talent has been a large point of pressure for CISOs. Finding and recruiting qualified cybersecurity workers is essential to their ability to deliver digital transformation initiatives. The speed of AI adoption has also drastically impacted the CISO role; CISOs must quickly learn to navigate the threats and security risks that come with AI, as well as harness it defensively for their own organizational security.
Lastly, CISOs are feeling pressure even beyond the organization. The fear of personal litigation as a result of security breaches is a lingering constant in the background. The potential impact of a digital breach affects the entire enterprise, costing organizations not only in damage to their brand reputation but also in mitigation costs, fines and potential litigation. Therefore, increasing security for these vital digital initiatives must be a priority for the whole business—not just the security team. C-level executives must do their part to enable and aid the business by prioritizing and funding new security requirements created by digitalization.