Feb 3, 2024
No one has ever said that being a CISO is easy. And with threat actors continually innovating, anxious customers and prospects to reassure, and regulators to satisfy, the work is never done. It’s not surprising that as many as half of security leaders are predicted to change jobs before 2025 due to stress.
So, what are the key challenges facing industry practitioners? And how do they use their precious time at work? The answers from the startup CISOs that AccessOwl co-founder Philip Eller spoke to may be surprising.
The CISO challenge: Managing risk, reputation, and people
No two CISO roles are the same. The challenges cited by those we spoke to include porous cloud infrastructure, human error, cultural roadblocks, and the persistent headache of shadow IT. For Typeform CISO Aristotelis Gkortsilas, these issues are compounded by the fact that boards are often confused about what they want from a CISO.
“Sometimes you are a chief without really being a chief. So you get a lot of responsibility but not enough authority to drive things through,” he says. “Then you get some companies that want the CISO to be a super security hero that can do everything. They are trying to hire an entire team in one person.”
Other key challenges include:
Visibility into assets
For Getaround CISO Mel Reyes, the foremost challenge is defining and cataloging all of an organization’s assets, because IT can’t protect what it can’t see.
“You’ve got to define what an asset is, and you’ve got to be able to find the right tools to identify which ones are true assets. But how do you find that system of record that you can rely on that will give you that?” he asks. “You need to know where your people are and where the crown jewels are.”
He adds that access management, vulnerability management, data classification, and systems configuration management are the other baseline challenges CISOs need to overcome early on in their roles.
Shadow IT
The visibility challenge also explains why shadow IT is such a problem for organizations. Starburst VP of Information Security Colton Ericksen explains that it can be a major time waster for CISOs.
“You’ve already thought of these guardrails, so there are paved roads for people to take. But they still find it to be too painful, so they decide to go around,” he says. “But there’s obviously a learning opportunity here, because when that happens, it’s a really good moment to have a heart to heart with the folks that were responsible for making that decision — whether it was intentional or negligence.”
The product attack surface
Ericksen adds that for a SaaS company, 95% of the incidents a CISO must deal with stem from mistakes made in production, which unintentionally create cyber risk. Finding those mistakes early becomes a critical endeavor.
“Maybe you’re lucky you discovered it internally, through testing or some other means, and you’re able to remediate it before it’s discovered more broadly. That will reduce the number of questions and the scrutiny that you get,” he explains. “But these are the most immediate critical things I would be worried about as a CISO.”
Corporate infrastructure
Ericksen adds that the challenge is less acute for corporate infrastructure, but here, too, human error can lead to dangerous misconfigurations. It’s a challenge compounded by the shadow IT tendency for business teams to invest in unsanctioned cloud systems.
“Intentional avoidance of the vendor management program is something that I’ve seen happen time and again,” he says. “It may have created an integration between multiple cloud systems that shouldn’t be talking to each other, and allowed a cloud system of a lower classification security to access HR — or something like that.”
SecurityScorecard CISO Steve Cobb also cites the “porousness” of cloud infrastructure as a challenge — especially for a security startup.
“Reputation damage is a major risk — anything that gives the perception that we don’t have security controls in place,” he says. “Cloud environments like AWS and Azure give you a lot of capabilities but also open you up to a lot of risk.”
Jarred White is a Fractional CISO for IOmergent, and he does a great deal of work helping clients “clean up issues” with their cloud posture.
“I have a client who has a huge backlog of vulnerable services, vulnerable servers, EC2 instances, containers and virtual machines. I can lob them over a bunch of tickets and say, ‘This box is out of date and needs to be patched.’ But in three months, the problem will resurface,” he explains. “So the conversation I need to have is around how do you operationalize keeping those things up to date, which includes testing them, and promoting them sometimes from testing QA environments.”
Cultural change
The biggest headache for Owkin CISO Leo Cunningham is trying to build a security-first culture.
“We have a lot of sensitive medical information, which should mean people are automatically receptive to our security message. But I guess, historically, education could have been prioritized to educate others on the importance of security — rather than any misconceptions or assumptions made,” he says.
What keeps CISOs busy?
As if these challenges weren’t enough to keep most CISOs busy, the security leads we spoke to often find their time consumed not by managing emerging cyber threats and mitigating risk, but by other tasks. These include:
Sales enablement
A growing trend appears to be for startups to task their CISOs with building a strong story for sales teams.
“We as the infosec team have put out a number of white papers focused on what I know the security and compliance counterparts at customers will care about,” explains StreamSets Director of Information Security, Ross Stapleton-Gray. “Sales is less familiar with our product than the engineers who build it, but both primarily try to sell it based on features … the ‘cool stuff’ that might make a data engineer’s job easier. But to make the sale, it’s also incredibly important to address any security, compliance, or privacy concerns, in language that the customer’s vendor management team understands.”
IOmergent’s White says that his Series A clients’ prospective customers can often take plenty of convincing about security posture, and need reassurances right down to the supplier or sub-processor level.
“They’ll get a questionnaire or a big Excel spreadsheet with a lot of questions about the tech stack and security controls. And they’ll fill it out, but that will lead to more follow-up questions,” he explains. “That cycle can get out of hand really quickly. It’s like sharks smelling blood in the water.”
However, this part of the job can be a great way for CISOs to bolster their reputation as business enablers rather than blockers, according to Typeform’s Gkortsilas.
“We can help reduce sales friction and expedite sales cycles. But this has nothing to do with what you would consider operational security,” he says. “I want to make sure that security and compliance reviews are executed as fast and efficiently as possible. Practically, this means I need to centralize and automate the process around onboarding suppliers and customers.”
Starburst’s Ericksen spends a great deal of his time “unblocking customer deals” — which he sees as a key part of the job.
“It’s about finding out what feedback we’re getting from customers in terms of where our gaps are,” he adds. “And if those things are related to security risk, there’s a potential for me to push and add resources so we can close a deal immediately.”
Compliance
Another growing part of the CISO’s job, especially when startups are short of staff in this area, is compliance.
“Someone has to carry the ball there, and the infosec team is really working as if we were also the compliance or some of the compliance team,” explains StreamSets’ Stapleton-Gray.
IOmergent’s White agrees, but bemoans the fact that, for a lot of this time, he’s not adding a great deal of value.
“It’s shuffling things around to get them into a state that’s going to satisfy an auditor. And what you’re really doing is a game: giving the auditor an opportunity to quiz you and find things and show that they really know what they’re doing,” he argues.
“It’s almost like search engine optimization — making sure that these keywords appear in the policy somewhere.”
Interfacing with the board
Many of the security leaders we spoke to claim that they don’t have much time on the front line anymore. But they maintain that having to update the board on cyber risk is still an essential part of the job.
“CISOs need to understand the language that’s been spoken in the boardroom and the interests that a CFO or CEO actually has. As a CISO, I too need to talk about revenue and cost efficiencies, market share, product development and customer needs,” says Typeform’s Gkortsilas.
Directing the orchestra
This isn’t to say that a large part of the job isn’t still the “nuts and bolts” of managing security controls, improving the security program, responding to emerging risks, and keeping abreast of the latest threat trends. Many CISOs we spoke to say it is.
But the fact that there are so many other aspects to the role — especially engaging with external stakeholders — is illustrative of the growing importance of the CISO to the business. And that can only be a good thing.
Coveo Director of Information Security Pierre-Alexis Tremblay likens the role to the conductor of an orchestra.
“You’re not playing any instrument, but you’re synchronizing everything — paving the way and trying to inspire people to go in the right direction,” he says.