Navigating modern security challenges: The role of CISOs in driving secure corporate culture

Technology and cybersecurity specialist Andre Stivala has told MaltaCEOs.mt that Chief Information Security Officers (CISOs) must have the required systems in place to properly assess a potential security threat, and consequently, foster a company culture which prioritises security.

His reflections came after he recently took to social media to highlight that businesses need to focus on embedding security within their operations, and hence not depend on CISOs to be the sole bearers of cultural change. CISOs are senior-level executives who oversee an organisation’s information, cyber, and technology security. Mr Stivala stressed that CISOs are ultimately “business enablers” with the aim of aligning with business goals, not just to impose restrictions.

Mr Stivala is an experienced tech professional, having worked in the areas of cybersecurity and IT advisory for a number of years at various companies.

Cybersecurity has been a hot topic in the business space over the past few years, particularly given that a number of organisations have been subject to cyberattacks. While there has been increased investment in cybersecurity, the rapid development of technology has also resulted in more elaborate and well-thought-out threats to emerge.

Following his post, MaltaCEOs.mt reached out to Mr Stivala for further comment, to which he said that one of the primary issues he faces when consulting and assisting companies is that there is a “lack of buy-in and instilling cultural changes” aimed at encouraging greater security.

“It took some time for me to realise this, but the reality is that introducing a culture change often means altering an organisation’s modus operandi, the very fabric of their being,” he remarked.

He explained that nowadays, measures and initiatives aimed at improving security, such as cumbersome controls and mitigating measures “with the intent of achieving a mystical and impossible 100 per cent secure infrastructure” has now become the “new norm.” Mr Stivala said that by working towards a model of “too much security,” businesses will suffer from inefficient processes and angry and unmotivated staff, prompting the “wrong culture change” to take place.

As a fractional CISO, Mr Stivala feels that security professionals’ impact on cultural change is something that is often overlooked by tech-savvy individuals, who end up chasing the latest trends rather than doing what is best for the company.

He emphasised that there is a “delicate balance” between implementing functionality and security, as tipping the scale too far on one of the sides, and then the business could end up being hindered.

When asked how businesses can go about deciding how much of their budget and focus they need to allocate to information security, Mr Stivala said that this has to depend on risk assessment.

He explained that everything a business does is “directly proportional” to their “risk appetite.” However, he affirmed that this does not mean that organisations should be engaged in conducting extensive and never-ending risk assessment exercises, but it requires decisionmakers to “think.”

“It’s surprising how much humans can get done when we use the empty space between our ears. Once a comfortable level of understanding of one’s risk has been achieved, deciding how much of a budget to allocate to security becomes a ‘fill in the blanks’ game,” he affirmed.

If there is too much data stored in various locations and jurisdictions without there being a certain element of control, prompting hefty penalties and reputational damage, then businesses need to “consolidate their environments.” Should there be a lack of visibility in their systems with privileged access to delicate data, then they must “implement appropriate access control and logging mechanisms.” Mr Stivala noted that these are just two examples from an extensive list of scenarios.

Additionally, it is also vital for both business leaders and CISOs to be able to assess the risk levels of a particular threat. They cannot afford to be swayed by every new trend or scare that emerges, and hence need to be pragmatic in their decisions.

When met with a potential security scare, CISOs need to base their decisions and approaches on evidence.

However, Mr Stivala remarked that a CISO can never be in a position of analysing a threat if the “necessary systems” are not in place to effectively investigate and gather evidence. This also includes having a solid team, as even the most experienced executives would fear certain situations.

He stated that the three pillars for effective crisis management are Incident Response Planning (IRP), Business Continuity Planning (BCP), and Disaster Recovery Planning (DRP), with all ancillary controls and a team for each of these that overlaps one another.

An IRP provides clear guidelines for responding to different potential scenarios, such as data breaches and malware outbreaks. A BCP entails anticipating different crisis scenarios to design the strategies needed to maintain critical business functions. On the other hand, a DRP involves detailed instructions on how to respond to unplanned incidents such as a possible hardware or software failure or the destruction of certain facilities.

“It’s also vital to state that the best IRP, BCP, and DRP are redundant if measures are never tested and validated for effectiveness. I cannot emphasise this enough. You have nothing if you test nothing,” Mr Stivala stressed.

Within the context of a rapidly evolving digital environment, together with the countless dangers and opportunities that this presents, Mr Stivala stated that the role of CISOs has become “pivotal.”

He said that this is due to various factors, such as never-ending cybersecurity threats, digital transformation, an endless list of compliance and regulatory requirements that “the EU keeps shoving down our throats,” rising economic and reputational stakes, strategic business alignments, as well as vendor and third-party risk management.

This makes navigating this complex environment particularly difficult, with many tech experts and business leaders stating that they are finding it difficult to find skilled talent in the information security and cybersecurity space. A shortage within these areas could potentially escalate to a national security issue, with the state finding itself inadequately equipped to protect its sensitive data and infrastructure from potential cyberthreats.

MaltaCEOs.mt proceeded to ask Mr Stivala whether the previously mentioned complexities tied to CISOs’ responsibilities could be possibly keeping individuals away from specialising in the information security field, to which he said that this is the case, “to a certain degree.”

“Not so much in the default nature of a CISO, but more in the pop-culture evolution of increasing one’s responsibilities to lessen the cost of human resources. The sad reality is that vacancies and talent decreases,” he remarked.

He explained that just like any other C-suite executive, a CISO is primarily a leader. “So let them lead and remove the unrealistic expectations of reaching impossibly unattainable targets while juggling the aforementioned complexities, and having to do this all alone. Give your CISO the resources they need,” Mr Stivala said as he wrapped up.