infoTECH Feature

August 13, 2015

New CISOs Face Emerging Universal Challenges

The office of chief information security officer (CISO) has two primary issues facing it before a new CISO can even set his or her briefcase down and find a chair: rapidly increasing numbers of regulations addressing the field of information security, and increasing numbers of threats coming from data breaches as hackers start to realize the value of data kept on hand.

But there are other issues as well, as other C-level staffers are increasingly expecting information technology (IT) departments to be sources of innovation and yet at the same time keep it all safe. A report from Deloitte pointed to several challenges, however, that were facing most of the new crop of CISOs.

The first common challenge was a lack of resources and an effective team structure. Without that team structure, the system is underperforming as not all the oars, metaphorically, are pulling in the same, correct direction. A lack of funding was also noted as a major challenge, though that could be classed under resources for much the same effect. Without the right resources, progress can't take place.

Second, there were issues of communication and reporting. Issues of communication produce much the same effect as issues of team structure, but the impact of these issues can go much farther than just within the team. Unclear communication can produce doubts about the mission itself, and the IT arm's place within the company. Without clear reporting, it's hard to tell just where progress is being made.

Third, inadequate governance was cited, particularly in terms of strategy and processes. Without a clear vision of strategy, the overall goal is lost, and this can produce useless work, unnecessary work, and of course, people moving in the wrong direction. This can also be a morale drain as employees lose that vital connection between effort and reward.

Finally, there's also a lack of trust seen from the executive leadership as well as stakeholders. While status reports and the like are important to chart progress, ensure accountability, and other points, too many can have a negative effect. Status reports draw attention away from the work itself, and too many calls for such updates can leave workers feeling like they aren't trusted. Responses to these issues can vary wildly, but they follow certain basic frameworks depending on which of the issues is the focus.

Thankfully, once the problems are known, addressing them becomes a much simpler task. Projecting a greater sense of trust can be as easy as backing off on status update requests, and issues of resources and funding can be corrected at budget time. Or, if the budget isn't there (an increasingly common lament), there can at least be some explanation of what's going on. That tends to help, if nothing else. But the key point here is knowing what the challenges are, and the more of these that can be addressed, the better the overall performance is likely to be in response.

CISO isn't an easy position to have. There are plenty of potential challenges to take on and issues to address. But having a better idea of what these are will be a huge help, and will help drive this increasingly valuable part of the overall business picture to much greater heights.




Edited by Dominick Sorrentino