CISOs Balance Business and Supply Chain Risk With Talent Shortages
The role of a CISO involves much more than finding the right security tools to protect an organization, while enabling the business. The role has become inherently more complex and continues to be a balancing act – affected by economic factors, technological constraints, and staffing shortages that have plagued the industry for several years. Recently, during a roundtable discussion, several CISOs from the U.S. and Europe shared their insights on what makes the role especially challenging today.
Mergers & Acquisitions – & IPOs
Moving the bar with respect to the cybersecurity challenges of your own organization is enough to keep any CISO busy. But adding a merger or acquisition to the mix further complicates things. It’s generally agreed that conducting due diligence is extremely important during the M&A process, so an organization can better understand additional risk. Several CISOs mentioned they’d seen acquisitions result in immediate cyberattacks, after a deal has closed, due to security gaps in the acquired company.
Public offerings have also been a boon to cyberattacks. In one case, a CISO shared that his own company wasn’t targeted, but a partner firm they worked with went public, and then experienced an attack. Then they noted that simply by associating with the public company, their organization became a cyber target of the same criminals. Other CISOs had similar stories, of how, as a customer, their company would become a target of the same criminals attacking their vendors.
Supply Chain and Manufacturing Risks
In the supply chain, security used to be a “check the box” requirement with procurement, one CISO noted. Now, a cyberattack is likely to cause a ripple effect, affecting vendors and partners both upstream and downstream.
Security hardening could go too far, of course, and so by locking everything down you could be inhibiting the business. It’s a delicate balance, managing the risk and making sure employees can do their work and not be slowed down in the process.
In some cases, a perceived slowdown may be addressed through communication and education. One roundtable attendee noted that explaining why it needs to be done – often, at the request of a client – that makes the case for the fortified security posture. The threat of not getting the work if the company doesn’t meet the security requirements is usually sufficient to help colleagues in the business get on board.
Similarly, you need partners to take security seriously, too. One CISO in the manufacturing industry reported having seen supply chain partners brought down, data lost to ransomware, causing production lines to falter.
For some CISOs in specific manufacturing verticals, innovation dollars are typically allocated to Manufacturing 4.0 initiatives for the latest, cutting-edge technologies, so support for security remains critical. Especially with the edge devices, CISOs noted that the risk is exponential to the growth, necessitating a balance between new technology and security.
Striking the right balance between bringing in new technology and maintaining a strong security posture requires cultivating a tight relationship with the executive team, a strong process orientation, and lots of education.
The Talent Shortage
In nearly every discussion, the subject eventually turns to the challenge of recruiting and retaining employees. A universal theme in the U.S. and Europe, the competition for talent often means turning to a third party becomes the most viable option for managing security.
Depending on your geography, the talent shortage could look different. One CISO is bracing for the IT exodus that could result when a well-known tech brand opens an office it’s planning in his town. Recruiting to less-tech oriented geographic regions of the U.S. can be even more challenging, with a CISO noting they may have the greatest opportunities for finding talented security experts when they adopt hybrid or work-from-home approaches.
Given the skills shortage he’s seen, one CISO has stopped trying to hire those with cybersecurity skills. Instead, he’s opted for candidates with effective communication skills to educate end users, since they’re on the frontline of defense against cyberattacks – and train them in personal security practices.
Still others noted Microsoft security customers could be a potential draw for security experts seeking to keep their skills honed on the latest technology.
The Role of Managed Detection and Response Services
As all assembled for the roundtable noted, in today’s environment, it’s unrealistic to create their own security operations centers (SOCs). Instead, partnering with a provider of managed detection and response services can help fill the need.
Knowing that each organization is different and has different business challenges and different environments, CISOs should consider a service provider offering tailored, 24×7 protection and that can serve as an extension of your team. Even more importantly, if you’ve invested in the Microsoft 365 E5 Security stack, consider a service provider who is built for Microsoft to ensure you can realize the full potential of those investments.