What’s on CISOs’ Minds This Fall

The echoes of RSA Conference, Black Hat, and DEFCON are still ringing in our ears. These gatherings, packed with groundbreaking insights, learnings, and predictions, left CISOs buzzing with new ideas and a renewed sense of purpose. In these last weeks of summer, it’s time to step back from the whirlwind of conferences and take a look at the big picture. 

In a panel discussion facilitated by Keyfactor and Devo at RSA, CISOs gathered to share their most pressing concerns, the evolving role of the CISO, and the strategic shifts they’re making to navigate today’s complex security landscape. Four key themes emerged as top-of-mind for CISOs—read on to see what’s keeping leaders up at night, and what they plan to do about it. 

Public awareness of security issues has increased in recent years – in fact, it’s the highest it’s ever been.

We’ve seen major disruptions caused by cyber incidents: 

• • When a faulty Crowdstrike update in July 2024 affected Microsoft devices across the world, airline outages and customer suffering dominated headlines.
  • In 2022, a major Rogers disruption in Canada involving malfunctioning routers affected millions of internet, mobile, and banking customers, including some emergency 911 systems.
  • After a February 2024 outage, AT&T discovered that “nearly all” customer data from most of 2022 had been exfiltrated, risking personally identifiable information (PII) in the wrong hands.
  • An “expired ground station certificate” at Starlink in 2023 took satellites down for several hours, highlighting the risks of poor certificate management to overall operations.
  • Cisco experienced a similar issue in 2023, when expired certificates on inherited SD-WAN hardware brought down cloud, data storage, and e-commerce services.

These incidents have brought cybersecurity firmly into mainstream consciousness. This heightened visibility extends beyond consumer awareness; boards of directors and C-suite executives must also pay closer attention to security risks and their potential consequences. 

While this increased attention gives CISOs a more prominent seat at the table, not all visibility is positive. CISOs face intense scrutiny for their decisions, and the pressure to deliver results is high. 

The role of the CISO has evolved dramatically in response to this increased scrutiny, and so has the level of personal liability. The SolarWinds supply chain attack, for example, resulted in fraud charges filed against CISO Timothy Brown; at Uber, a data breach led to a criminal conviction and three years’ probation for former CISO Joseph Sullivan.

Compounding these challenges are emerging regulations geared towards protecting the public, such as the SEC’s four-day disclosure rule, or the forthcoming NIST updates to cryptographic algorithms. These regulations are important and helpful for improving cybersecurity practices, but they also increase the workload and complexity of a CISO’s role.

An approach to take to avoid the hot seat? “If it isn’t written down, it didn’t happen.” CISOs with comprehensive documentation and auditing have information to rely on when faced with regulatory challenges or outside investigations.

While they provide expert advice and recommendations, the final say often lies with other executives, board members, or department heads. 

For example, a CISO might recommend implementing multi-factor authentication (MFA) for Salesforce, but if Salesforce is owned by the sales team and under their budget, they are ultimately responsible for it and will have the final say on whether this measure is deployed. Effective communication and collaboration between CISOs and other stakeholders is essential to create efficient, progressive change. 

The CISO’s role ultimately involves both security and risk management. Given the limited resources and time constraints, it’s essential to prioritize efforts based on the organization’s risk appetite. Understanding the business’s tolerance for risk is key to determining which security measures are implemented and when. 

Working as a CISO can feel like you’re in the hot seat. As technology innovation explodes, there are a few common approaches to cool things down: 

Document everything

We said it before, and we meant it: write it down, and escalate the issue with your executive team. This meticulous approach to documentation isn’t just about keeping records; it’s about making sure every risk assessment, recommendation, and decision is on paper. 

When a CISO identifies a potential threat or security gap, they bring it to management’s attention, outline the possible consequences, and assess the organization’s appetite for risk to get everyone on the same page before proceeding. In the event of an incident or audit, comprehensive documentation can be a lifesaver.

Embrace legal and compliance teams

Regulations can be powerful allies in managing risk. In the hornets’ nest of stringent rules and heightened scrutiny, your legal and compliance teams can help you guide the business toward the right amount of risk–neither too cautious nor overly exposed. Legal experts in particular play a role in identifying the cost of getting something wrong, which can help you make an informed decision that aligns with business objectives and security goals. 

Get a seat at the table and keep it

It’s no longer enough for CISOs to speak tech; you must also be able to speak the language of business. Executives want to know not just what risks are being mitigated, but the value of each line on the budget. CISOs who can clearly articulate how your strategies reduce risk and contribute to the company’s overall goals are more likely to secure the resources and support they need. 

Leverage the expertise of strategic, trusted partners

Managed service providers and other strategic partners bring specialized expertise to your business, helping CISOs prioritize the trade-offs between integrating new technology and addressing the organization’s specific needs. At Keyfactor, our managed PKI services come with access to PKI experts who can help organizations understand the full scope of certificate management. Partner with experts in the coverage your organization lacks to make informed decisions that balance innovation with security. 

Collaboration, communication, and documentation can make the CISO seat feel a little less toasty–or at least spread the warmth around to be manageable. 

As the CISO role continues to evolve, the ability to speak the language of business remains a necessity. Clear communication helps get buy-in from key stakeholders and conveys the true risks and trade-offs inherent in any security decision. This communication is essential to aligning security strategies with your business objectives and empowering your organization to understand and support security measures. 

The rapid pace of technological advancement, from AI to quantum computing, presents challenges and opportunities for cybersecurity. Working with trusted partners can help CISOs navigate emerging tech and prepare them to integrate new innovations without compromising security. 

Check out the full panel discussion to hear directly from industry leaders about what’s on their mind: the strategies and insights shaping the future of cybersecurity.