What are some of the most pressing cybersecurity threats and how CISOs manage them?
CISOs have a lot on their minds. From team burnout and AI risks to the pressure of proving business value, security leaders are juggling a complex range of threats.
The security profession has a stress problem
The security profession has a pervasive stress problem, one that affects practitioners from entry-level analysts to C-level executives. The pace of change, the constant exposure to threats, and the pressure of operating at high stakes create an environment that lacks psychological safety.
“We have a stress problem and there is a lot of shame in coming forward and saying you’re not dealing with what you’re doing on a day-to-day basis,” says Qualtrics CSO Assaf Keren.
The culture of silence needs to change or the profession risks burning out talented individuals, deepening the industry’s skill gap, according to Keren. “You shouldn’t be up at night because of your work, and if something keeps you up at night because of work, you should seek some help.”
He wants seeking help to become normalized in the profession, where the personal and professional costs of mistakes or misfortune can be high. “We have the resources to make things better and we all should be doing more as a profession,” he tells CSO.
Keren is excited about the possibilities of AI, such as handling triage or other manual tasks, to relieve some of the burden on security practitioners and the stress that comes with it. “The more we can take away menial day-to-day jobs that people are doing and have them focus on big picture thinking, the more we reduce the disruption to the flow of work.”
AI’s potential to create a competency crisis
Headspace CISO Jameeka Aaron sees many potential applications for AI at the mental health organization, but she is balancing enablement with caution. Aaron is particularly concerned about the impact of generative AI on the hiring process. While strong developers can use AI to their advantage, weaker developers may appear more capable than they are during interviews and preliminary assessments.
“You have to have the skills. If you don’t, AI will certainly help you answer interview questions, but when you get to the job, it’s not helpful, and we know very quickly if someone’s capabilities don’t exactly align with how they showed up in an interview,” she says.
It adds another layer of difficulty for already overstretched CISOs. “With AI, it’s becoming harder to understand the capabilities of potential employees,” she says.
AI tools can mask skill deficiencies, and that is not something CISOs can easily fix with a new control or tool. “There’s a risk of hiring people who interview well with AI assistance but lack fundamental technical knowledge,” she says. “You need to have tribal knowledge and a deep understanding of the technologies you’re enabling, and if you don’t, AI isn’t going to help you do that.”
The pressure to move fast, but not break things
What keeps Fortitude Re CISO Elliott Franklin up at night isn’t just threat actors; it’s the internal complexity CISOs are wrestling with every day. “Most of us are managing a patchwork of tools and platforms that were never designed to work together,” says Franklin.
Over time, layers of solutions have accumulated to meet compliance needs, respond to incidents or satisfy audits. CISOs are stuck trying to glue them into something coherent, but the result is inherently fragile, according to Franklin. “The more fragile it gets, the more likely something will break. When it does, security is the one holding the bag.”
Third-party risk compounds the problem. Franklin cites the recent McDonald’s hiring-bot breach, in which a vendor had used ‘123456’ as an admin password, as a case in point. “That wasn’t some cutting-edge nation-state hack. It was a basic failure most orgs would catch internally — but when it’s a partner, our control is limited, and our accountability isn’t,” he says.
It also comes back to the basics being overlooked in the rush towards shiny new tools. “It’s a perfect example of how flashy tech is masking basic security failures. What keeps me up at night isn’t the lack of innovation, it’s that we’re forgetting the fundamentals,” he says.
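The fundamental that failed in the hiring-bot case is a credential check that any onboarding process can run before a vendor account goes live. The following is an added example written for this page, not code from the article or from any organization it names: it tests submitted admin credentials against a small denylist of common passwords, flags sequential and keyboard-walk runs, username reuse and short length, and returns only the accounts that fail. The denylist and the sample accounts are constructed for illustration; a real deployment would load a large breached-password corpus in place of the hard-coded set.

```python
"""Weak- and default-credential check for admin accounts.

Added example, not code from the article or from any organization it names.
The denylist and the sample accounts below are constructed for illustration;
a real deployment would load a large breached-password corpus instead.
"""

# Constructed denylist of very common passwords (assumption: real lists are
# far larger and are loaded from a breach corpus, not hard-coded).
COMMON_PASSWORDS = {
    "123456", "123456789", "12345678", "password", "password1",
    "qwerty", "admin", "admin123", "letmein", "welcome",
}

# Keyboard rows used to spot "walks" such as qwer or asdf.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_sequential_run(pw: str, min_run: int = 4) -> bool:
    """True if min_run consecutive characters step by exactly +1 or -1
    in code-point order (e.g. '3456' or 'dcba')."""
    for i in range(len(pw) - min_run + 1):
        window = pw[i:i + min_run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_walk(pw: str, min_run: int = 4) -> bool:
    """True if min_run consecutive characters lie adjacent on one keyboard
    row, in either direction (e.g. 'qwer' or 'rewq')."""
    for i in range(len(pw) - min_run + 1):
        window = pw[i:i + min_run]
        for row in KEYBOARD_ROWS:
            if window in row or window in row[::-1]:
                return True
    return False


def check_password(pw: str, username: str = "", min_length: int = 12) -> list[str]:
    """Return the list of policy findings for one credential.

    An empty list means the password passed every check. Findings are
    returned in a fixed order so callers can compare them directly.
    """
    low = pw.lower()
    findings = []
    if len(pw) < min_length:
        findings.append("too_short")
    if low in COMMON_PASSWORDS:
        findings.append("common_password")
    if username and username.lower() in low:
        findings.append("contains_username")
    if has_sequential_run(low):
        findings.append("sequential_run")
    if has_keyboard_walk(low):
        findings.append("keyboard_walk")
    return findings


def audit_accounts(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map username -> findings for every account that fails the policy.

    Accounts that pass are omitted, so an empty result means the submitted
    admin credentials are acceptable and onboarding can proceed.
    """
    failures = {}
    for username, pw in accounts.items():
        findings = check_password(pw, username)
        if findings:
            failures[username] = findings
    return failures


# Constructed sample accounts, as a vendor might submit them at onboarding.
SAMPLE_ACCOUNTS = {
    "admin": "123456",
    "support": "Support2024",
    "svc_hirebot": "Tq7#vL9p!xZ2mK",
}

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(findings)}")
```

Run against the sample accounts, the check rejects ‘admin’ (common, sequential, keyboard walk, too short) and ‘support’ (too short, contains the username) while passing the service account. The point is not the specific rules but that the gate runs on the partner’s credentials before they are trusted, so the failure Franklin describes is caught at onboarding rather than after a breach.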
At the same time, security teams are expected to enable innovation, without being a roadblock. “But when security isn’t brought in early, we’re forced into a reactive posture that benefits no one. I do worry about attackers. But I lose more sleep over the internal pressure to move fast on fragile infrastructure, to trust third parties without verifying them, and to chase new tech while skipping the basics,” he says.
AI is exacerbating these challenges and isn’t going to fix the underlying problems, warns Franklin. “I’m a big believer in using it where it makes sense — we’re leaning into AI to reduce manual work and improve speed. But we’ve got to be honest with ourselves: AI isn’t going to fix broken fundamentals.”
Organizations struggle to identify everywhere AI is being used, let alone how to secure it. “If you don’t have visibility, if your access controls are weak, or if no one’s reviewing your alerts, AI just adds another layer of complexity. Worse, it can give leadership the illusion that we’re more secure than we actually are,” Franklin says.
Deepfakes are causing major security headaches
Deepfakes are emerging as another security threat, enabling employee impersonation campaigns. As this AI-powered threat becomes more sophisticated, CISOs face major challenges in preventing and detecting these attacks and protecting their organizations.
The “deepfake employee” problem arises when AI is used to impersonate a candidate during a remote interview. In Aaron’s organization, they’ve detected mismatches between candidates and their resumes, or cases where the name given in a remote interview doesn’t seem to match the person on screen. With many organizations conducting candidate interviews remotely, they will need to pay more attention to identifying and blocking these threats.
Deepfakes are something that we’re going to have to pay attention to, Aaron says. While regulation is lagging behind the technology, it’s a threat that security practitioners can’t fight alone. “We need deep partnerships with vendors to make sure we all understand what’s possible and then we defend as much as we can against those things,” she says.
Phishing is harder to catch
Phishing emails have become far more realistic and far more numerous now that generative AI is available to cybercriminals. It has given attackers the ability to write flawless English. “There are no more emails written in broken English. [Cyber criminals] are gathering information and putting out very realistic looking phishing emails,” says Aaron.
“It isn’t AI itself that keeps me up at night. It’s the capabilities, like AI’s ability to mimic humanity, that keeps me up at night,” she says.
Connecting security priorities to business outcomes
The CISO role has its own headaches and worries. Increasingly, the task of translating security initiatives into business value is one of the hardest, but most important, aspects of the role. “The ability to connect security priorities to business outcomes is a muscle that is sorely needed, and it’s very hard, but it’s increasingly necessary for CISOs to provide value and influence at the executive level,” says Keren.
Success is hard to measure when it is defined by what didn’t happen (no breaches, fewer vulnerabilities) or by the addition of new tools. Seasoned security leaders have learned to adapt their reference points, especially in businesses exposed to market forces. “We’re a business function and we’re measured by the stock price of the company,” says Keren.
However, without a clear path to becoming a business-oriented security leader, CISOs face uncertainty about the best way forward. “It’s definitely the role of the business to bring the CISO along to understand the business and be part of the rhythm of business to enable them to be connected,” he says.
Keren suggests CISOs seek targeted training, education, and mentorship to help get a better grasp of how to translate security into business metrics.
With a career that includes executive roles in sales and professional services, Agero CISO and CIO Bob Sullivan has developed a strong business mindset. He links metrics to what matters, the business mission, showing where security risks could damage the business and where they would not.
For example, a list of vulnerabilities sounds bad until he is able to explain which ones are benign, or not externally facing, and therefore pose little real-world threat. For those that do pose a risk to the business, Sullivan visualizes the threat path to show how an exploit could reach PII, and how that data being breached, sold or exposed would have major ramifications. “If I just say it’s a configuration issue within the cloud, it’s meaningless to them. But if I can visualize it, I can create that context and tie it to a business story,” Sullivan tells CSO.
In many ways, it means defining risk in terms of dollar or reputational impact, because those are the fundamentals of business viability. “As a cyber professional, you have to be able to speak the language of business or no one’s going to listen,” he says.