The CISO Conundrums, Part 1: People and Culture

Date: 27 Nov 2019

The first computer security hack happened in the 1960s, but the Chief Information Security Officer (CISO) role has existed only since 1994. That year, after Citibank suffered a series of cyberattacks from a Russian hacker called Vladimir Levin, the world saw its first CISO, Steve Katz. The CISO is therefore a relatively new role in the C-suite. Most people may not know much about what a CISO does, let alone understand the challenges one faces.

In this 4-part write-up series, we will shed some light on the conundrums, or challenges, faced by CISOs, distilled into 4 areas: people and culture, digitalisation, third-party ecosystems, and success metrics. We gained these insights through conversations across our ICE71 community events, including our inaugural private CISO roundtable earlier this year.

The first part of this series will explore challenges related to people and culture.

Training for a cyber resilient culture

Any CISO is bound to tell you that it is a humongous task for a company to adopt a 100% cyber resilient culture. In a cyber resilient company, employees are adequately trained to be cyber-aware and resistant to social engineering attacks.

To trust is human. To be curious is, too. But when hackers use social engineering to take advantage of these human tendencies, making people give away confidential information such as passwords or grant access to buildings, it becomes a big problem for companies. Phishing is one type of social engineering attack: the attacker masquerades as a trusted entity, such as the company's finance department, and dupes the victim into opening an email attachment that ultimately gives the attacker access to the victim's device and data.

According to a study by IBM, 95% of cyber attacks are due to human error. CISOs therefore have a lot of work to do when it comes to cybersecurity training for employees.

Threats from within

In November 2019, Trend Micro was reported to be the target of an insider threat from a disgruntled employee. Close to 70,000 Trend Micro customers had their account information stolen, sold, and used to make scam phone calls. An incident like this sends the company's reputation downhill. It is almost unimaginable that this could happen to a brand that has lived and breathed security since the 1980s. And Trend Micro is not the only cybersecurity company that has been compromised.

Earlier, in October this year, Avast experienced a security breach, and in March 2018 NordVPN was hacked. Though these were not instances of insider threats, they show that cybersecurity attacks spare nobody, not even the experts.

Unmet gap in talent

According to the 2019 (ISC)² Cybersecurity Workforce Study, globally there are over 40 million unfilled cybersecurity positions. In APAC alone, the study reveals a 2.6 million gap in the cybersecurity workforce. Add to that the evolving nature and speed of attacks in the cybersecurity world, and CISOs are left playing catch-up with the bad guys.

The upside is that we see huge potential to fill this workforce gap. First, individuals with exceptional cybersecurity skills will be highly sought after. Second, vendors that provide cybersecurity workforce 'fillers', whether through effective training or machine-learning solutions, will become more popular.

Related articles:

The CISO Conundrums, Part 2: Digitalisation – Cloud Migration & Data Security

The CISO Conundrums, Part 3: Third-party Ecosystem & Risks

The CISO Conundrums, Part 4: Metrics

For more updates like this, follow ICE71 on our web and social channels.
