3. Personnel. The cybersecurity skills shortage is acute and global, and it won't ease anytime soon. This means that CISOs must put far more effort into working with universities and cybersecurity training organizations, participating in STEM programs, hiring and training junior people, and investing in their senior, high-value cybersecurity employees. This will demand an honest assessment of security skills and an inclusive culture across the security and IT organization, so CISOs may want to enlist some help from HR experts trained in organizational development. Finally, CISOs should set goals for outsourcing two types of security tasks: a) Pedestrian tasks like vulnerability scanning, email security, or web filtering that could easily be offloaded to a SaaS provider, and b) Complex, high-IQ tasks like security analytics and incident detection where the existing staff may lack the skills or the headcount to succeed on its own. The ultimate goal is to make the security staff work smarter, not harder.
4. Skills development. Cornell Computer Science professor Fred Schneider has long advocated a broad education for cybersecurity professionals that includes technical, mathematics, business, legal, organizational, and international studies as part of the curriculum. Makes sense to me, as today's CISOs need the right chops in each of these areas. I know a lot of CISOs, and they tend to come from one of three areas: IT, law enforcement, or military/intelligence. That's a good foundation, but not enough. CISO managers (i.e. CIOs, COOs, etc.) should encourage and reward their security executives for a commitment to continuous education that helps them become better business managers, risk managers, and cybersecurity leaders.
5. Security technology. I realize that my first four points sound rather academic, but this one is as practical and necessary as it gets. CISOs must question all of their preconceived beliefs about security technology moving forward for one simple reason - the old model no longer works. This means that CISOs must push their teams to scrutinize every technical decision, bone up on the latest innovations, and explore creative alternatives at all times. As above, they must also emphasize the benefits of a collective security architecture over the contributions of individual point tools. Just look at what's happened to security technology in the past few years alone: FireEye refreshed the anti-malware market, Palo Alto Networks reinvented the definition of the firewall, and Splunk provided a new model for security data management, data queries, rule creation, and dashboards. In the meantime, companies like Blue Coat, Cisco, HP, IBM, McAfee, and RSA Security gobbled up a bunch of security innovators (ArcSight, NetWitness, QRadar, Solera Networks, Sourcefire, Stonesoft, etc.) to refresh their portfolios and security coverage. CISOs need to "think different" about security technology to protect the business - not just IT assets.