The modern CISO: Scapegoat or value creator?

2024 is already shaping up to be one of the most stressful years yet for CISOs. They are trying to defend their organizations against a growing number of threats as they increase in speed and complexity, fueled by emerging technologies like generative AI. It doesn’t help that cyber budgets are shrinking and CISOs can now be held personally liable for a breach, as was seen by the precedent-setting verdict against the former Uber CISO. 

To top it up, 61% of CISOs feel unprepared for a cyber-attack and 68% feel that their organization is at risk of an attack, according to Proofpoint. It’s no wonder that the modern CISO often feels like the scapegoat, with odds stacked against them.

In working with hundreds of CISOs across leading Fortune 100 companies globally, I understand their biggest challenges as I help them shift to the role of value creator and trusted partner. While there is no silver bullet solution, there are steps CISOs can take now to elevate the value of their cybersecurity programs, setting themselves up for success against a moving target.

Bring your board on board

Boards typically comprise seasoned executives with experience in operations, finance, sales and other industries, but may not have a detailed, technical understanding of cybersecurity. Yet, CISOs are faced with increasing scrutiny from their boards as they defend their cybersecurity program’s effectiveness.

To showcase the value of their programs and demonstrate effectiveness, CISOs must establish clear communication and overcome the disconnect between the board and their team. It’s up to the CISO to ensure the board understands the level of cyber risk their organization is facing and what they need to increase the cyber resilience of their organization. Presenting cyber risk levels in monetary terms with actionable next steps is necessary to bring the board of directors on the same page and open an honest line of communication, while elevating their cybersecurity team to the role of value creator. 

File an honest SEC 10K without increasing cyber risk (no really!)

New disclosure requirements from the Securities and Exchange Commission (SEC) and other regulators require CISOs to have a firm understanding of their material risks and disclose how they manage and mature their cybersecurity program. Yet, recent analysis of SEC 10Ks filed in early 2024 shows that 31% of enterprises had no cybersecurity disclosures and 23% did not quantify or describe how their cyber risk is managed. 

CISOs are deeply wary about sharing too many details on their cybersecurity posture in the public domain, because of the unnecessary and preventable risk of exposing their organizations to cyberattacks, which are expected to cause $10.5 trillion in damages by 2025. 

Filing an honest 10K while preserving your organization’s cyber defenses requires a delicate balance. We’ve already seen Clorox fall victim when the balance was off. 

A good example of an honest, yet balanced SEC 10K is Lockheed Martin’s 2024 SEC 10K filing, which took a descriptive approach. The company named the CISO as being responsible for its security strategy. It outlined specific cybersecurity policies, frameworks, and requirements that it would comply with, indicating the maturity of the organization’s cybersecurity program. They proactively described their cyber risk models and clarified the methodology for supplier and third-party risk management. Lockheed Martin also mentioned using techniques such as third-party assessments, penetration testing, audits and threat intelligence to test the design and effectiveness of controls. These are all vital components of having a robust risk management program and filing for a balanced and honest SEC 10K.

Adopt gen AI to mitigate cyber risk

According to data from Gartner, there are only enough qualified cybersecurity professionals available to meet just 70% of the current demand. This need for the right talent will no doubt increase as the threat landscape continues to evolve rapidly. 

Effectively managing cybersecurity risk requires identifying critical vulnerabilities and evaluating your security controls’ efficacy. However, petabytes of data from disparate sources and a stagnant team size make gaining complete visibility into these risks a challenge for CISOs. 

Often, the core obstacle for security teams is converting raw data into actionable insights, which is necessary to facilitate effective risk reduction in a way that is digestible for the entire organization. By leveraging advanced technologies such as generative AI, deep learning and other specialized machine learning techniques to analyze millions of assets and vulnerability instances, security teams can access real-time, actionable insights and rapidly reduce cyber risk. 

More so, this can enable security leaders to understand the effectiveness of their security program and showcase the return on investment of their cybersecurity initiatives. Ultimately, this facilitates an easier and more productive conversation with the board, too.

Given the pace at which the cybersecurity landscape is continuing to evolve, the CISO’s job is getting tougher. They are responsible not only for successfully defending their organizations against threats but also for providing proof of their efficacy to the board and reporting it to the SEC. Keeping pace with the latest technology and ensuring open and honest communications with non-cybersecurity stakeholders is imperative for fully embracing the role of value creator in an organization.

Gaurav Banga is the CEO and founder of Balbix, an AI-powered cybersecurity risk management platform.