Victim Blaming: Cybercrime is real crime, so why do CISOs take the heat?

Cybercrime costs businesses an estimated $500 billion a year. Yes, you read that right — billion with a “b.” This hyperactive threat landscape is one reason that high-profile breach news seems to play on a continual feed. But even though we have Homeland Security forces, FBI task forces, and whole markets devoted to combatting cyberthreats, it’s still not really treated like other crime.

When an enterprise is breached, the blame usually falls to the CISO. According to a recent survey, almost all C-level execs lack confidence in their CISO, often viewing them as a scapegoat when data breaches occur. But as the CISO at a major U.S. bank said at the recent ISE North America conference: If someone robs a convenience store, the police don’t rush in and arrest the clerk — they look for the robbery suspect! So why is it different in an enterprise? It shouldn’t be the case, but this is the world we live in.

The average CISO is in an unenviable position. Many can’t get basic staffing/skills needs met and are dealing with outdated legacy infrastructure. While most executives are still happy to blame CISOs in the event of a data breach, fewer are willing to grant authority over cybersecurity strategy and purchasing to that same CISO to mitigate risk in the first place. This lack of respect in the C-suite may be the reason for the growing mythology that a CISO appointment will only last a little over a year (the average tenure of a CISO is now estimated to range from 2.1 years up to 6 years, which is still pretty short, but not quite a revolving door). On the other hand, there is incredibly high demand for candidates to fill the position. Remember that $500 billion? The business community is well aware that somebody has to staunch the bleeding.

What all of this adds up to is the reality that being a CISO is a pretty thankless, high-risk, high-stress job. But it’s also a necessary job, and a position that serves as the spearhead in our collective defense against cybercrime. The strategic CISO must be proactive to achieve any measure of success:

  • Prepare the organization for the reality that it is going to be breached eventually. Setting realistic expectations upfront aids in setting parameters for future blame games. Accountability should be shared after a data breach. CISOs can only do so much to protect an enterprise — but can do a lot to prepare and respond.
  • Take on the role of “cutting-edge-ucator” within the organization. Stay abreast of both emerging threats and emerging technologies for combating cybercrime and regularly disseminate that information throughout your organization. Methodically keep security on everyone’s radar.
  • Automate. A CISO is never going to get all the resources required to do the job effectively. Automating as much of the basics as you can (orchestration, provisioning, network monitoring, etc.) will free your team to spend less time on menial but necessary tasks, and more time on high-value human activities.
  • Build scalability and flexibility into your security strategy to keep pace with changing threats. Start with the cybersecurity fundamentals at the most elemental level and build your way out. By baking in security at every level of every function within the network, you get layers of protection and granular visibility into traffic behavior regardless of scale, and any anomaly or attack can be quickly identified and addressed.

It would be great if the world would change its de facto response to cybercrime. Firing CISOs shouldn’t be the go-to answer, especially when they often have the cards stacked against them from the start. However, owning the security conversation and being savvy with limited resources may help a CISO survive — perhaps even thrive.
