Job descriptions, tiring as they might be for some, give employees a sense of what their day-to-day responsibilities are. But what if your job description is constantly changing?
That is a real problem facing those with the title of chief information security officer who, according to a report from BT, are finding that their job descriptions increasingly include things not directly related to security.
Aside from regular duties such as managing an organisation’s information and data security, BT’s report found that expectations now include managing brand perception, employee engagement and the adoption of new technology.
The obvious question is why these responsibilities are landing in the lap of CISOs. The answer is that the information security landscape has changed substantially because of the pandemic.
“The huge increase in the pace of digital transformation during 2020 has not only further erased the traditional parameters of the role, but also intensified the scale and complexity of threats to protect against. As a result, CISOs must ensure that they have the visibility that not only makes them the first port of call for security incidents, but also ensures they’re placed at the heart of strategic decision making and planning,” explains managing director at BT Security, Kevin Brown.
Add to this the fact that cybercriminals have stepped up their efforts as attack surfaces have widened, and CISOs likely have their hands very full these days. That alone is not a problem, but the report’s figures suggest there is cause for concern.
The BT report reveals that while 76 percent of executives rate their IT strategy as excellent or good at protecting against threats, 84 percent of executives reported that their organisation had suffered data loss or a security incident.
Worse still, 45 percent of employees say they suffered a security incident at work and did not report it, while 15 percent of employees said they had given their work log-in details to others in the organisation.
It is clear, then, that CISOs are expected to wear many hats, and that their attention is divided between an increasing number of responsibilities.
So what can organisations do to ensure that complacency does not take root and make the job of the CISO that much harder? A few things, actually.
For one, security must become part of a company’s culture. Make security measures as memorable as pre-flight precautions and instil them in employees. Make sure that requests like a manager asking for log-in details are met with resistance: while such a request might seem innocent, sharing credentials means actions can no longer be tied to the person who performed them, and that can have severe implications for a company.
Another worthwhile consideration is to spread the weight of the CISO role.
“Because cybersecurity is the cornerstone of all business, CISOs must be influential in strategic decision making. And they must be given the time and mental space to do that. Consider appointing an experienced security partner who can take over day to day security operations, including those essential basics. Relieving CISOs of immediate responsibility for commonplace tasks and incidents will give them the time and energy they need to raise their profile and focus on strategic business outcomes,” reads the report.
The most involved solution is also the slowest, because it will take time to show results.
It involves helping employees become human firewalls by teaching them how to recognise threats, including those that originate inside the organisation. What we find interesting is that BT stresses that each employee has a different risk profile, and that it is important to understand what that risk profile is.
It should be highlighted that security is going to become more complex in future, so organisations should be refining their strategies now for what the future might hold.
You can find the full CISOs under the Spotlight report here.
[Image – CC 0 Pixabay]