Listen to Your CISO. Stay Secure.

Aaron Bostick

May 14, 2021

Your Most Valuable Asset

The past year has been a roller coaster – I like to call it The Year of Cybersecurity Scandals. From SolarWinds to yet another Marriott credential breach, cybercrime is on the rise and has become a U.S. national security concern for the Defense supply chain. Naturally, interest in cybersecurity is rising too, which is great, except for one concerning trend: companies seeking a fast, easy solution.

Don’t get me wrong, this is to be expected – who doesn’t want an “Easy Button?” But choosing the easy route in cybersecurity is like choosing a Big Mac over a home-cooked meal. Sure, you solved your hunger problem for a little bit, but fast food will only tide you over for so long. Why? Poor quality. Short cuts. Low-quality cybersecurity solutions will do the same thing – and before you know it, your organization will be hungry for more.

The greatest impact a Chief Information Security Officer (CISO) can have within an institution is the reduction of its attack surface. Shortcuts lead to a lack of accountability and visibility within your organization, which only expands the potential areas of attack and security breach. What cannot be seen or accounted for cannot be adequately protected.

Your CISO is one person who understands the damage of a breach or malicious attack. They understand the far-reaching implications beyond the public embarrassment of suffering a breach. A company can patch a system, purchase cyber insurance, and pay the damages. But it cannot repair the damage done to its brand and reputation. And in the end, it is the customer and the public who suffer.

As scary as it may be, we need to trust CISOs – it’s time to follow their lead.

CISOs Need More Autonomy

Hear me out.

Historically, CISOs haven’t been strategically leveraged in the right way. It’s only very recently, in very specific instances, when CISOs have been allowed to sit at the “Leadership Table.” In fact, only 18% of CISOs report directly to a board of directors – the rest are at the mercy of their C-suite “colleagues.” The lucky ones report to a CEO. But even that’s a rarity, despite CISOs being one of an organization’s highest-paid employees.

I’ve personally seen too many CISOs reporting to someone in finance – often a CFO. This only makes sense from a financial perspective. Yes, CISO initiatives are often costly, so they’re more likely to be postponed or get shut down by a finance department. The problem is finance specialists don’t understand the gamble they’re taking. These initiatives are built to save organizations from cybersecurity incidents that cost far more in the long run. If CISOs were trusted with more autonomy, we could avoid these incidents altogether. That’s a win-win.

Want to Save Money? Listen to Your CISO

Before you say anything, I can probably guess what you’re thinking…

“But I can’t give my CISO more authority – their initiatives are just too expensive!”

Sure, cybersecurity initiatives are expensive. But that is nothing in comparison to the cost of an attack. In 2020, the average cost of a security breach in the United States was $8.64 million. That dwarfs the average cost of a high-quality cybersecurity initiative. In other words, trusting your CISO is an investment that pays dividends.

What Happens When You Don’t Listen to a CISO

Sometimes, companies learn the hard way.

Look at Target. In 2013, the infamous Black Friday breach resulted in compromised personal and financial information for approximately 110 million shoppers. For you and me, it was a frightening headline. For Target, it was a PR nightmare. Customer trust evaporated, sales plummeted, and lawsuits piled up – all while Target scrambled to secure their systems.

At the time, Target had no CISO. Six months later, they hired their first. If only the retail giant had a CISO in 2013 (and actually listened to them), they could have been prepared. It’s an oversight that cost them their time, image, and money – and all it took was a single breach.

Incidents like this have only gotten more common and more severe. The writing is on the wall: It’s time to listen to your CISO.

In Conclusion: Just Listen to Your CISO

It can’t be stressed enough how vital quality cybersecurity is to organizations of all sizes. This isn’t like shoulder pads in the ‘80s – it’s not a trend that’s going away. In fact, cybercrime is projected to cost the world $10.5 trillion by 2025, a 15% increase over the next five years.

At the end of the day, your CISO’s interests are your company’s interests – just as much as finance, marketing, production, or any other department. Their job is to keep you safe. That’s it. However, CISOs can only succeed at their jobs if given the appropriate tools, authority, and financing to make it happen. And that responsibility lies with you.

Of course, at CORTAC, we recognize that not all companies have CISOs. This could be the result of any number of factors, from budget and in-house expertise to company size. Fortunately, there are alternatives that enable you to keep your organization secure without committing to an expensive, full-time employee.

If you or anyone you know is looking for help in this arena, we’re here for you. Our compliance practice ranges from commercial cybersecurity to DoD compliance and cybersecurity hygiene – including the new Cybersecurity Maturity Model Certification (CMMC). Read more about it here or reach out to us directly here.