In this short subsection of our interview, Chris stresses the importance of security leaders taking the time to fully understand all operational elements of the business to ensure a successful security roadmap. He also shares his views on how the role of CISO will evolve over the next five years and offers advice to security leaders on navigating the current economic climate.
What do you see as the key challenges sitting in front of the CISO community in 2023?
I definitely think that the economy is going to be at the top of everybody’s mind. CISOs in startups that are very burn-conscious may have a slightly different perspective from those that are in publicly traded companies, who will still have reporting requirements, but the economy is going to be a key challenge for everyone. If you’re a CISO in a B2B SaaS company and your sales team is not hitting the numbers every quarter, then you’re unlikely to be procuring new security tools, for example. This will ultimately culminate in CISOs needing to do more with less and ensuring that their security functions represent good value for money.
You’re probably going to see some of those ‘nice to have’ elements dropping off the security roadmap. The focus will be on the ‘need to haves’. If you’re in a regulated industry, for example, do you need to have this tool going into the year? Do you need that FTE, or can we get by one more calendar year without that hire or without that tool? Is that a risk we can accept? That being said, I think that narrative offers lots of opportunities for CISOs in 2023. There is a real opportunity to shine in the role.
A large proportion of our job as CISOs is operational. It’s about managing risk for the business. So this will be the year that CISOs really earn their keep in that regard. Not everybody knows what EDR, DSPM or CSPM is, for example, so it’s your job as a CISO to demystify these things and make sure the business understands the risks that you’re telling them to accept.
What are the major barriers that you see CISOs struggling with when it comes to executing their security roadmaps?
Not understanding the business. That’s the main barrier. Everyone I talk to who is trying to implement some new tool, process or policy and meets resistance typically hasn’t spent enough time trying to understand what those stakeholders really care about and tailoring the message to them. For example, there should be no question that every company on the planet needs EDR. It should come with the cost of doing business. But I still hear from peers who are struggling to buy and deploy EDR in their environment.
To me, that comes down to the blocker of not understanding the business. It’s really not the job of individual stakeholders to understand what EDR is. It’s your job to translate it in the context of their role and what they care about. They need to understand the implications of a breach. What does it mean for their ability to close deals? What does it mean for a potential IPO? This is part of the tooling that de-risks that for the business. This whole business understanding piece unlocks a lot of the other common elements that CISOs are challenged with on the execution side. Lack of budget. Inability to acquire the right level of internal skills. All of these things are linked to understanding the business and shaping a strong narrative that resonates with key stakeholders.
What tips do you have for CISOs to manage the impact of candidate scarcity?
First of all, we have to rethink the way we hire. We should move away from a traditional hiring model that focuses solely on university degrees and specific certifications. I know many very skilled individuals and professionals who don’t have any of the above, but they are very good at what they do. So we really need to look at how we assess candidates in this industry. For example, you could send them through assessment tests, have them do a demo, or have them prove their skills through a practical exercise. I don’t mind how it’s done, but relying solely on a university degree will actually sabotage your hiring efforts because it’s such a scarce candidate environment.
Another obvious coping mechanism we’ve already discussed is building and growing your own security talent. Hire IT Engineers and upskill them through an intensive 3-month training program. Trust me, if you do it right, you’ll get Cyber Security Engineers on the other side. Automation is obviously another option to do more with less, but I feel lots of organizations have already realized as many of the efficiencies as they are going to see in this space.
In this new world of work, there is also an opportunity to broaden the search radius for scarce skill sets. Even before the pandemic, our policy was to hire talent from wherever the talent is. It was less about location and more about candidate quality for us. If you can create a global talent pool, it is better than having a local one. The only thing to consider is that, depending on the location, there may be timezone constraints. This could cause collaboration challenges, for example, so individual CISOs must be mindful of that. But if we’re talking about individual contributors who can deliver their work on their own timeline, it’s excellent. Clearly, there are additional security considerations with remote work, but at the end of the day, you’ll be able to attract top cyber security talent on a global scale by hiring remotely rather than just relying on a local talent pool.
Read the full feature and more in Cyber Security in Focus 2023.