More awareness
Right now, the same is happening for CISOs, Rob Beijleveld notes. “Increasingly, companies are starting to understand the importance of mitigating cyber risks. Undoubtedly, this process of building awareness is accelerated by recent and ongoing cyberattacks, which have led to grave financial and legal consequences for a number of companies. We can now clearly see that companies have started to prioritize the areas of security, risk, and liability.”
Conflicts of interest
Yet, while boards may realize the importance of cybersecurity and want to make improvements, concrete measures are lagging behind, Beijleveld points out. “For example, we still see structures at companies where CISOs report to the CIO. This can lead to conflicts of interest: to what extent do the strategic, technical targets, and management initiatives of the CIO match with the security targets and concerns of the CISO?”
“In discussions with the board, CISOs must advocate to improve cybersecurity. With the CISO community, we want to provide them with the resources to do so.”
In addition to lacking independence at a company, CISOs might also lack essential tools and resources. “What does the roadmap of a CISO look like? Which steps need to be taken, and which certificates should be gained for a CISO to develop well in their role? Often, the development path of a CISO is unclear,” Beijleveld says.
Developing the CISO role
The CISO’s level of responsibility might exacerbate this problem. As cyberattacks can happen at any time, a CISO should be ‘on’ 24/7, Beijleveld notes. “When CISOs are focused on emergencies, fixing urgent matters, they don’t have much time left to seek out other projects, such as following courses or improving their soft skills.”
Yet, it is precisely those skills that are vital in making progress toward gaining more maturity in the CISO role, Beijleveld says. “We, therefore, need to provide CISOs with the right network and the right tools.”
“There should be a roadmap that explains which steps should be taken for a CISO to improve in their role. This is something the CISO community will be able to provide. As I mentioned before, the CISO role is mentally demanding. By sharing knowledge and providing CISOs with the tools to develop their hard & soft skills, we aim to take off some of the load.”
Change in mindset
“A change in mindset will also need to happen at the top level,” Beijleveld notes. “Just like sales and marketing have been separated in the past, or finance and IT, companies will need to realize that both IT and cybersecurity deserve their seats at the table.”
Yet, how do we convince companies to devote their resources to cybersecurity and prevention? One might argue that companies lack insight and think cyberattacks will not happen to them. Beijleveld refutes this argument. “The evidence is there. Many companies have become victims of cyberattacks, and these attacks are becoming increasingly inventive. Even without looking at the evidence, it is easy to calculate the costs and benefits of investing in cybersecurity. There is a clear business case that shows why companies should allocate more resources to it. However, in this discussion, the CISO needs to advocate. With the CISO community, we want to provide them with the resources to do so.”
“Considering the speed at which the digital world is evolving, we don’t have the time to lean back and see what happens,” Beijleveld adds. “Instead, if we combine the resources, the tools, and, of course, the people, we can start getting stuff done.”
CISO as stakeholder
“I see a big role for CISOs as an important stakeholder in the coming years,” Beijleveld says. “CISOs are the authority in the field of cybersecurity, and they should grab that opportunity with both hands. CISOs must be present at the table, not just in their own company, on the board, but also as a stakeholder in education, in government, and many other fields.”