The modern CISO: scapegoat or value creator?


2024 is already shaping up to be one of the most stressful years yet for CISOs. They are trying to defend their organizations against a growing number of threats as they become faster and more complex, fueled by emerging technologies such as generative AI. It doesn’t help that cyber budgets are shrinking and CISOs can now be held personally liable for a breach, as evidenced by the precedent-setting verdict against the former Uber CISO.

To top it all off, 61% of CISOs feel unprepared for a cyber attack and 68% feel their organization is at risk of an attack. It is no wonder that the modern CISO often feels like the scapegoat, with the odds stacked against them.

Working with hundreds of CISOs from leading Fortune 100 companies around the world, I understand their biggest challenges while helping them shift to the role of value creator and trusted partner. While there is no silver bullet solution, there are steps CISOs can take now to increase the value of their cybersecurity programs and set themselves up for success against a moving target.

Bring your board on board

Boards of directors typically consist of seasoned executives with experience in operations, finance, sales and other industries, but may not have a detailed, technical understanding of cybersecurity. Yet CISOs are facing increasing criticism from their boards as they defend the effectiveness of their cybersecurity program.


VB Transform 2024 Registration is open

Join business leaders in San Francisco from July 9 to 11 for our flagship AI event. Connect with colleagues, explore the opportunities and challenges of generative AI, and learn how to integrate AI applications into your industry. register now


To showcase the value of their programs and demonstrate effectiveness, CISOs must establish clear communication and overcome the divide between the board and their team. It is up to the CISO to ensure that the board understands the cyber risk their organization faces and what they need to increase their organization’s cyber resilience. Presenting cyber risk levels in monetary terms with actionable next steps is necessary to align the board of directors and open an honest line of communication while putting their cybersecurity team in the role of value creator.

File an honest SEC 10K without increasing cyber risk (no, really!)

New disclosure requirements from the Securities and Exchange Commission (SEC) and other regulators require CISOs to clearly understand their material risks and disclose how they manage and mature their cybersecurity program. Yet, recent analysis of SEC 10Ks filed in early 2024 shows that 31% of companies had not disclosed cybersecurity information and 23% had not quantified or described how their cyber risks are managed.

CISOs are very wary of sharing too many details about their cybersecurity posture in the public domain, because doing so creates an unnecessary and avoidable risk of exposing their organizations to cyberattacks, which are expected to cause $10.5 trillion in damage in 2025.

Submitting a fair 10K while maintaining your organization’s cyber defenses requires a delicate balance. We have already seen Clorox fall victim when that balance was lost.

A good example of a fair, yet balanced SEC 10K is Lockheed Martin’s 2024 SEC 10K filing, which took a descriptive approach. The company named the CISO responsible for its security strategy. It outlined the specific cybersecurity policy, frameworks and requirements it would meet, indicating the maturity of the organization’s cybersecurity program. They proactively described their cyber risk models and clarified vendor and third party risk management methodology. Lockheed Martin also mentioned using techniques such as third-party assessments, penetration testing, audits and threat intelligence to test the design and effectiveness of controls. These are all essential components of having a robust risk management program and filing a balanced and fair SEC 10K.

Adopt generative AI to mitigate cyber risks

According to data from Gartner, there are only enough qualified cybersecurity professionals available to meet 70% of current demand. This need for the right talent will undoubtedly increase as the threat landscape continues to rapidly evolve.

Effective cybersecurity risk management requires you to identify critical vulnerabilities and evaluate the effectiveness of your security controls. However, petabytes of data from disparate sources and stagnant team sizes make gaining full visibility into these risks a challenge for CISOs.

Often the main obstacle for security teams is turning raw data into actionable insights, which is necessary to enable effective risk reduction in a way that is digestible for the entire organization. By using advanced technologies such as generative AI, deep learning and other specialized machine learning techniques to analyze millions of assets and vulnerabilities, security teams can access real-time, actionable insights and quickly reduce cyber risk.

More than that, this can enable security leaders to understand the effectiveness of their security program and highlight the return on investment of their cybersecurity initiatives. Ultimately, this also facilitates an easier and more productive conversation with the board.

Given the pace at which the cybersecurity landscape continues to evolve, the CISO’s job is becoming more difficult. They are responsible not only for successfully defending their organizations against threats, but also for providing evidence of their effectiveness to the board and reporting it to the SEC. Keeping up with the latest technology and ensuring open and honest communication with non-cybersecurity stakeholders is imperative to fully embracing the role of value creator in an organization.

Gaurav Banga is the CEO and founder of Balbix, an AI-powered cybersecurity risk management platform.