In Q3 2024, 135 Chief Information Security Officers (CISOs) from the SANS CISO Network responded to an online poll and provided insight into the main strategic issues they anticipated facing over the next twelve months (Kim, 2024). Across the 480 replies selected by the 135 respondents, the top three CISO strategic issues were identified as government regulation (15%), relations with the board (14%), and budget and funding (14%) (Kim). The bottom three CISO strategic issues were identified as diversity and inclusion (3%), cyber insurance (6%), and burnout risk and mental health (9%) (Kim). In response to the poll results, Frank Kim, a former CISO and senior SANS instructor, provided practical advice and solutions for the top three issues in his webinar, Top Three CISO Strategic Issues.
Reference Slide 1
Poll Results
Kim addressed the greatest CISO strategic issue, government regulation (15%), by providing an update on how the updated SEC disclosure requirements have been tested in practice by the American court system. Last year, Tim Brown, the CISO for SolarWinds, was charged by the SEC with defrauding investors by overstating security practices and failing to disclose known risks (Kim). While most of the charges brought against Brown by the SEC were dismissed, a misleading security statement made by Brown in a publicly accessible document led to one fraud charge being upheld on appeal (Kim). In particular, Brown’s public description of SolarWinds’ access control and password policies was found to be “materially misleading by a wide margin,” as the leaked default server password “solarwinds123” was not in alignment with “[…] the use of complex passwords that include both alpha and numeric characters” (Kim). Acknowledging the legal liability inherent in being the Chief Information Security Officer of a publicly traded company, Kim advised all CISOs to confirm that they are covered by their company’s Directors and Officers insurance. It cannot be assumed by default that the title of CISO makes its holder a main officer of the organization (Kim).
Reference Slide 2
SEC Disclosure Requirements
Kim addressed the second greatest CISO strategic issue, relations with the board (14%), by providing general guidance on how to communicate effectively with the board of directors. When presenting to the board, Kim advised CISOs to confidently communicate their understanding of the business and their plan to protect it. By limiting presentation material to 2-5 slides, Kim reasoned, CISOs would be better prepared to steer the group discussion towards high-level outcomes such as priority risks, maturity score, changes to the risk landscape, and progress on security initiatives. At a minimum, all CISOs must be prepared to explain the current status of risk, what is being done to protect the organization, and any concerns they have to share with the board (Kim). To close this point, Kim shared a quote from a board member asking CISOs to provide comparison standards or benchmarks in order to help build trust among board members.
Reference Slide 3
What Top CISOs Include in Updates for the Board
Reference Slide 4
Advice on Creating Credibility from a Board Member
Kim addressed the third greatest CISO strategic issue, budget and funding (14%), by providing practical advice on how to create an effective security business case and obtain funding. When building a security business case, Kim advised CISOs against asking directly for money. Instead, Kim recommended that CISOs sell a vision and explain how the money obtained would allow them to solve business problems. By presenting multiple solutions to the problem and highlighting the comparable tradeoffs (business value, risk reduction, cost) of each solution, Kim reasoned, CISOs can justify every security business case by letting the evidence collected speak for itself.
Reference Slide 5
Tips for Creating a Security Business Case
Resources cited:
Kim, F. (2024, November 14). Top Three CISO Strategic Issues [Webinar]. SANS.
https://www.sans.org/webcasts/top-three-ciso-strategic-issues/