The CISO Compliance Skills Dilemma
Is there a general lack of people with the requisite skills to step into the role of CISO, with techies who cannot engage with the board and management types who are not taken seriously by the techies? What about the skills needed for compliance and regulation? Are they in short supply too? Dan Raywood evaluates the problem.
The issue of the skills gap has long been debated, particularly in relation to those who are suited to take on the responsibilities of the CISO.
As well as the confidence to speak and report to the board of directors, there is the question of whether the CISO should be technically savvy and aware of the workings and configurations of the defences, while also being able to spread security awareness and manage risk throughout the organisation.
If that sounds like a lot to sit on one person’s plate, consider the compliance element. Yes, Governance, Risk and Compliance (GRC) are the cornerstones of a company’s security plan, but how much does compliance come into consideration of the CISO’s skills, and is there a fresh skills shortage around compliance frameworks and regulations for the future CISO?
In research I conducted for Infosecurity Magazine in 2019, I engaged with students, people on work placements and those starting their careers in cybersecurity. In that instance, I asked those we surveyed if they knew what GDPR, PCI DSS and PSD2 were and how they differed. We received 54 responses, of which 35 were positive and 19 were negative.
Those particular regulations have had much attention, and the concept of GDPR should not have escaped the average person on the street, but from a security leadership perspective, is it obvious what needs to be done to fill this gap, and is there a knowledge gap on meeting compliance needs?
Brian Honan, CEO of BH Consulting, believes there is a shortage of experienced people available as CISOs. With the pressure for organisations to demonstrate they take “security seriously”, many people are being appointed to the CISO role who may not be suited for it.
“Many inexperienced CISOs tend to focus on the technical aspects of their function as that is often where they feel most comfortable; however, they may not have experience in cyber risk management, policy development and implementation, or developing an effective awareness program,” he says.
Another issue CISOs often struggle with is focusing the compliance program on just the security or the IT function within an organisation, Honan claims, as “in many cases, a compliance program applies to the whole organisation and not just those functions.”
Understanding and implementing compliance means fitting it not only into the security team and the layers of defence but also into the broader organisation.
“The other issue I often see with regulatory compliance requirements such as GDPR or the UK Data Protection Act is that many CISOs only focus on the security element of those regulations, leading to the organisation not being fully compliant,” he says.
Rowenna Fielding, director of Miss IG Geek Ltd, says that from her engagements with clients and others in the security industry, “I can definitely say that there are significant gaps concerning the GDPR”. In particular, she says, “alarmingly few security people have a robust understanding of what ‘personal data’ actually means (most confuse it with PII)”, a gap which “undermines every GDPR compliance activity they are involved with, by setting the scope too narrow from the outset.”
Asked why employers won’t invest in effective, meaningful training to meet compliance requirements, Fielding says it is often seen as costing too much, “and having the leisure and funds to seek out education on an individual basis is a luxury.”
She says a challenge is that there is often too much product marketing promising assurances on achieving compliance, as “compliance people reach desperately for ‘solutions’ (including outsourcing) they hope will relieve some of the immense cognitive load of the job, but those ‘solutions’ themselves still require a lot of human effort to set up, monitor, check, adapt and sustain their functions – on top of all the new risks that the solutions themselves introduce.”
Owanate Bestman, founder of cybersecurity staffing firm Bestman Solutions, says he does not believe there is a skills shortage in this area; rather, too many hiring companies are “looking for unicorns to slap the CISO title on” when really the business is looking for someone to do GRC and work with regulators.
If there is a shortage of people needed to fill the requirements of compliance and regulatory frameworks, there has to be a consideration of the risk of the roles being left unfilled. If someone is not taking responsibility at a senior level, is there a danger that it’s left undone?
Honan says there is an issue of CISOs dismissing frameworks, standards and even legal obligations as an unnecessary overhead which will not “make them any more secure”, or even citing the argument that “policies will not stop a hacker”.
“What they are often missing is that the requirements outlined in laws and frameworks are there to provide a structured approach to security and to ensure business commitment to better security,” he says. “A good CISO will understand how frameworks, standards and legal obligations can help reduce risk to the business while at the same time getting them the resources they need to secure the organisation better.”
The options to learn what is needed to enable compliance in an organisation are out there, but the barriers are cost and time rather than a complete lack of skills. Fielding agrees: “I don’t think there’s a lack of skill out there, but there’s definitely an unmanageable ratio of available brainpower to task demand.” People have everything they need for compliance, she says, except the time and energy to apply it effectively.