Breach, blame, repeat: The hard truths of today’s CISO

In this webinar, cybersecurity and counterterrorism expert Dick Clarke warns that it’s no longer a matter of if, but when, an IT breach will occur.

Cyber security expert Richard Clarke’s résumé is nothing short of remarkable: a specialist in security risk management, he has served as security advisor to three U.S. Presidents. So when Clarke has something to say about what is arguably the most critical role in today’s enterprise, we should listen.

Just having a CISO isn’t a security solution in itself. Clarke believes that today’s CISO does not have the clout they need to adequately protect the enterprise.

Here are the challenges facing today’s CISO:

Limited access to the CEO

If you think that the Chief Information Security Officer (CISO), with an office in the C-suite, would have the ear of the CEO, you’d be mistaken. The danger of a reporting line to anyone other than the CEO, warns Clarke, is that security strategy gets no visibility at the very top of the organization.

Without a direct line to the CEO, CISOs struggle with visibility and face challenges getting the necessary resources to prepare for today’s security risks.

Senior execs who think cyber risk is a technical problem

Nearly 80 percent of CEOs believe that cyber security and IT are strictly tech and compliance issues. That’s a problem. CISOs must learn to effectively communicate, in business terms, the risks and strategies required for proper security measures. CISOs need to speak the language of risk management – something every executive and CEO understands.

Short on budgets and staffing

CISOs typically operate with a security budget of 3-4 percent. That may have been adequate 15 years ago, but it is stretched far too thin given today’s security requirements. It’s simply not enough.

“If you want adequate coverage, expect to spend anywhere between 8-12 percent of your budget on security strategies,” says Clarke.

Your security spend should be based on two things:

  1. What you want to prevent
  2. What you need to protect

Today, a typical large-scale enterprise has an average of 22 (yes, twenty-two) different IT security vendors. As business shifts toward mobile, cloud and eCommerce, security is more critical than ever. And as threats grow bigger, so does potential damage, and so does the cost of containing it.

Lack of a breach plan

Every CISO must prepare a breach plan – and it ought to be CEO-approved, advises Clarke.

It’s important that everyone knows exactly what to do in the event of a breach. The plan should account for everything from computer forensics, to legal, to crisis communications.

Practice the plan. Do the run-through. Feel the pain. According to Clarke, many executives scoff at the idea of doing a run-through saying they “don’t have time to play games”.

“I’ve played games with Presidents of the United States, with cabinet secretaries, and with Prime Ministers. They play games. That’s how you get ready. Making them live through a breach is how you show them how horrible it can be.”  ~ Richard Clarke

“It’s no longer a matter of if, but when, an IT breach will occur,” warns Clarke. And the CISO is invariably on the hot seat. In this climate of inevitable cyber threats, treating security as a strategy, deeper resources, and more visibility at the executive level are critical if the CISO is to be truly effective.

 



Anna is a passionate content writer who’s always eager to learn something new about cyber security.
