Sababa Security S p A : The CISO’s role in changing the board’s perception

Having a chief information security officer, or CISO, is crucial to any large entity's safe and secure running. Moreover, since the global pandemic struck, the breadth and depth of the CISO's job description have changed dramatically - CISOs are no longer merely charged with heading up cyber security, they are now responsible for securing multiple devices, connections, and apps that are outside the organisation's perimeter.

At the time, entire workforces moved to remote working practically overnight, and in the aftermath, the vast majority of companies have adopted hybrid working policies, meaning CISOs need to secure two parallel sets of infrastructure. Firstly, they must secure on-premises systems, devices, and networks for employees who work from the office, and secondly, a wide range of mobile and remote technologies for when they are working elsewhere.

Greater flexibility, more complexity

And while hybrid working brings greater flexibility to employees and to the business, it also adds a lot more complexity, which in turn, comes with a slew of new risks and threats to the company. This has seen the CISO's role grow dramatically in both scope and scale because the attack surface has become exponentially wider, meaning cyber security needs to be more agile, and all-encompassing.

Because this job has changed and expanded so much over the last few years, there has been a movement towards securing data and identities, rather than systems and perimeters. CISOs are also charged with monitoring and handling a wide range of external threats, ranging from well-funded cybercrime groups, nation-state actors, as well as malicious individuals. In addition, today's CISOs will have some responsibilities when comes to regulations and compliance, and they need to deal with insider threats, both malicious and careless, and end-user training and awareness now fall under their purview too.

Where once the IT head's role was inward facing only, today they need to also provide more outward-looking services, such as security operations centre (SOC) as a service to both internal and external stakeholders. Similarly, they are now involved in all technology purchasing decisions, as well as software development, as the need to build security in from the ground up, has given rise to the trend of DevSecOps.

A digital world

Furthermore, the widespread digital transformation of organisations in every sector has seen the CISO's role extend to practically every area within the business. This means that security teams can easily be overloaded, and SOC's overwhelmed with requests from all across the business and beyond. And because technology is changing at an unprecedented pace, CISO's are being pulled into new areas where they might have little experience, regardless of their unquestionable expertise, meaning that even these leaders have gaps in their skillset that need to be addressed.

Changes in the technology and threat landscape are seeing security teams having to spread themselves very thin too, which is putting more pressure on CISOs at a time when retaining existing talent and finding new talent with the right skills is practically impossible. The fact that talent and skills acquisition and development is another item on the CISO's to-do list is only exacerbating the problem.

Changing perception

It's not all doom and gloom though. On the positive side, all these factors have earned the CISO a place at the table, and the chance to influence and change perceptions at board level. Today's CISOs have become one of the organisation's most important advisers on risk too - after all, any investments in new cybersecurity solutions have to lead to business value, and it's up to the CISO to show the board how these investments can support the wider business goals as a whole.

This isn't always easy, as the perception that security is a hindrance to business operations is deeply routed. It means security needs to be moved from a technical or compliance-focused function to a strategic one, that sees security heads involved in key decisions from the very beginning. And forward-thinking entities are already doing this, and view their CISOs as business risk advisers, and crucial members of the board.

Bringing in the necessary skills

However, not every company can afford to have its own CISO and accompanying security team, and even some that can, simply can't find the appropriate skills. This means that organisations need to understand and control risks across the business and organise their CISO function in a way that supports this as effectively as possible.

This is why many companies are looking to outsource the role to experts that have the skills and experience that are needed, and that offer them at a fraction of the cost of having an entire team dedicated to cyber security.

A virtual CISO

Sababa Security, for example, has a Virtual CISO solution, that temporarily assigns a CISO with more than five years of experience in the role to their customers. The individual is there to help customers build their cyber defences in the most effective manner, helping them to achieve their business goals, by acting in the full and exclusive interest of the organisation in question.

With Sababa Virtual CISO companies can reduce their overall risk exposure, and improve their existing and future cybersecurity investments. In addition, it helps customers adapt to ever-evolving business requirements, based on their maturity level, and helps to lead internal security teams, as well as advocate security within senior executives, board members, and non-technical teams. Finally, it helps customers measure and keep track of their results, while saving time and the associated costs of recruiting and retaining a dedicated C-level cybersecurity expert.

Read the case study with Ansaldo Energia to find out how Sababa Virtual CISO supported the energy giant in its digital transformation journey.