CISO Strategies for Overcoming the Security Resource Strain

By Editorial Team | May 18, 2020

It is undeniable that the responsibilities of a CISO are quickly evolving and expanding (see “The CISO Ascends from Technologist to Strategic Business Enabler,” Understanding the Cybersecurity Skills Shortage: An Analysis of Employer and Jobseeker Skills and Occupational Demographics Report Series, Fortinet). Digital initiatives that expand the boundaries of the network edge, paired with demands from the board of directors to protect critical data, now require a CISO with both executive and technology expertise. However, the most simplified version of a CISO’s biggest priority can be stated as follows: secure the organization’s growing attack surface with limited budget and resources.

How does a CISO allocate limited resources to protect an evolving attack surface and meet the needs of the board? This is a question that Forbes Insights explores in a new report that was published in association with Fortinet: “Making Tough Choices: How CISOs Manage Escalating Threats And Limited Resources.” Specifically, the report takes a deep dive into the decision-making processes of leading CISOs to determine how they secure their networks from an array of advanced threats with resource constraints.

Key Findings and Takeaways for CISOs

The report identified five top findings from the surveyed CISOs, covering concerns about the evolving threat landscape, key priorities and goals, security constraints, and the ideal security posture:

  • The risk of attacks will continue to increase. 84% of CISOs believe that cyberattacks will continue to proliferate in the future, and 21% say that their security infrastructure will soon be outpaced by advanced threat capabilities.
  • CISOs face a number of cybersecurity roadblocks. Both lack of a sufficient budget for cybersecurity investments and a lack of a centralized security strategy were ranked as the top constraints by one-third of CISOs.
  • Maintaining brand and reputation is paramount. Protecting the organization’s brand by securing customer data ranked as the top priority among CISOs’ cybersecurity concerns.
  • Integration and analysis are cybersecurity goals. A resounding 48% of participants are focused on integrating their security architecture throughout the network. 45% of CISOs aim to gain in-depth analytics to increase network visibility.
  • CISOs want to shift their security posture. If they had the opportunity to restructure security resources, CISOs would shift away from threat prevention technologies and focus more on allocating resources to detection and response.

Perception of the Evolving Threat Landscape

Considering the recent rapid adoption of digital transformation (DX) initiatives that unintentionally expand the attack surface coupled with the growing threat landscape, it comes as no surprise that the majority of CISOs represented in this study say that they anticipate an increase of cyberattacks in the near future. The study revealed that the top threat concerns for CISOs consist of malware (17%), Internet-of-Things attacks (14%), and phishing attacks (12%).

In other words, these findings demonstrate that CISOs are primarily concerned about known threats, and may lack the ability to take a proactive approach to finding and remediating zero-day and other unknown attacks.

With malware variants increasing dramatically—129%—and upwards of 40% of malware on any given day being unknown, this lack of attention to zero-day/unknown attacks should signal blaring warning sirens.

Factors That Inhibit Comprehensive Security

Limited resources force CISOs to make decisions based on necessity, leaving them to compromise and forgo more proactive, visionary security measures. According to the Forbes Insights report, there are three main factors that limit CISOs from implementing an end-to-end security infrastructure:

  • Inadequate security budget. More than half of CISOs reported that they have insufficient funding allocations for cybersecurity investments, leaving them to make the difficult choice of where to allocate their funds in the midst of a growing attack surface. While the needs of each organization may vary, it is important that CISOs determine the priorities and goals of their security needs before allocating critical funds.
  • Lack of a defined, centralized strategy. CISOs who said they lacked a clear cybersecurity strategy felt the impact and experienced greater challenges throughout their organization. Not only are these leaders more concerned about breaches, but they also lack confidence in their security posture.
  • Shortage of skilled cybersecurity staff. The cybersecurity skills gap continues to plague CISOs. Not only do security teams lack the qualified staff to execute their security strategies, but constrained teams often also lack the ability to simply maintain their existing infrastructure. Staff shortages also put a strain on small teams that are overworked, leaving room for human error and diminished morale.

Steps to a Proactive Security Strategy

Despite the number of constraints CISOs face when protecting their organizations, there are a series of actionable steps they can implement throughout their teams to ensure they allocate spending in the right areas and manage their teams for maximum outcomes:

  • Automate resources. Automating as many processes as possible will not only shorten the time it takes to detect and remediate breaches but also ease the strain on limited teams.
  • Take a detection and response approach. It is not enough to rely on breach prevention alone. CISOs must shift their focus to security that detects and remediates threats in the unlikely event of a breach.
  • Enable a holistic approach. While growing a security team is a priority, the whole organization must be on board with security. Create a culture of security with employee training to not only educate employees but also help limit insider risk.
  • Increase security funding. With the average breach costing $7.9 million, security vulnerabilities are simply not acceptable. Demonstrate the business case for increased security funding to the board of directors to maximize investment.