CISO Challenges in a Changing Security Landscape

Jill Knesek talks about CISO challenges and solutions.

The role of a Chief Information Security Officer (CISO) is constantly changing. The shifts in technology and the threat landscape, along with the constant need to attract new talent and close the growing skills gap, all add up to a dynamic job. Juggling complex systems and multiple levels of responsibility just adds to the CISO challenges.


See CISOs: The Ultimate Stress Test with Jill Knesek for a complete transcript of the Easy Prey podcast episode.

Jill Knesek is currently the CISO for BlackLine, a financial SaaS company. She’s been running the information security team for almost three years. Before BlackLine, she served as CISO at other companies, including Mattel and British telecommunications company BT Global Services. Her real claim to fame is her time investigating cybercrime for the FBI, including being part of the team that took down Kevin Mitnick.

Jill started her career in computer science, but it was her lifelong dream to be an FBI agent. After eleven years working on computers for the federal government, she got the opportunity to apply to be a special agent. When they realized she had a background in computers, assigning her to cybercrime was the obvious choice. She had planned to stay with the federal government for her entire career, but as she investigated cybercrimes and talked to the victim companies, she realized she could probably do more to help from the private side. So even though being an FBI agent was her goal, she eventually made the hard decision to fight hackers from the private industry side of things.

The Evolution of the CISO Role

When Jill first entered the computer science world, there really wasn’t a CISO role. The Chief Information Officer would often have some security people under them. But they often started as firewall engineers or something similar. Once it got more visibility and became a C-level position, more people in business started becoming interested in it. A lot of CIOs diverted into security, but many CISOs come through the financial or business side, as well.

Jill came to the role through computer science and security, but that’s not always the case. There’s not really a right or wrong path to become a CISO. Passion is more important. One of the challenges of the modern CISO is that they have to wear so many hats. In addition to the security aspects, they also have to present to the board, explain things to the executive committee, and talk regularly with other C-level executives about security. It’s become a true C-level position that gets that kind of access.

The CISO and the Board

In the early days, the relationship between the security team and the board was much less collaborative than today. At first, security wasn’t even invited to the boardroom. The security team would brief the CIO in case they got any security questions, and the CIO would represent them in the boardroom.

The security team used to be excluded from the boardroom - now the CISO has a seat at the table to address security challenges.

However, some boards were still interested. Jill recalls being in board meetings where most of the executives weren’t paying attention, but as soon as she started talking, they put down their phones and seemed interested.

Making a case for the value of cybersecurity could be difficult sometimes, though. When you’re good at security, nothing bad happens, and executives start to question why they need security people. When something bad happens, they ask why they needed security people if bad things happened anyway. A big challenge for security before the CISO became a true C-suite role was getting the right level of support and budget to manage those risks.

If you’re really good at [security], nothing bad happens. … It’s really hard to explain that the reason nothing bad happens is because [you’re] making the right investments.

Jill Knesek

The New CISO Challenges

For most CISOs, budget is much less of a challenge now. Companies for the most part recognize the value of security. Now the big problem is complexity. There are so many pieces to security. With BlackLine, they have products, SaaS solutions, multiple things in multiple clouds, and complex corporate infrastructure. CISOs have to manage all this, coordinate with the CIO and CTO, and make sure everyone is aligned and not getting ahead of security.

Jill likes to refer to security and the CISO role as a watchman on a watchtower. If you’re not looking into the future and making sure everyone’s on the same page with where you’re going, it’s hard to budget for the right projects, tools, and investments. The CISO’s challenge now often isn’t budget, but figuring out what is most important to invest in next.

I can get the budget if I need it. The case is always just trying to figure out, where do I need to invest next?

Jill Knesek

As more things are internet-connected and more devices and services are in the cloud, not as much is directly under the CISO’s control. When all assets were in a physical data center, it was easier to contain and secure everything. Now there are many different pieces that you have to pay attention to and keep on top of. It’s a constant battle to maintain perimeters and understand the attack surface.

If you want to scale your business, you have to start relying on other vendors and code, which introduces an attack vector. One of Jill’s former colleagues referred to it as outsourcing trust. We need to work with vendors, but trust should also come with verification. You have to do your due diligence to make sure you’re not leaving any unknown holes out there.

The Skills Gap in Cybersecurity

Another one of the challenges CISOs face is personnel. There is a huge skills gap right now because not enough people are coming into the industry. Part of that is the perception of stress in a cybersecurity career. A lot of people are reading about cybersecurity, ransomware attacks, and security professionals working nights and weekends with not enough budget or resources, and decide that they don’t want to do that. People aren’t coming out of college ready to make cybersecurity better, automate more, and reduce the stress. They want to go straight to a job where there’s less stress.

A lot of the people Jill ends up working with are those in corporate IT or cloud engineering who work closely with her team and end up thinking security stuff seems cool. She likes transferring internal people because they come with the knowledge of how the company is connected and how the systems work – she just has to train them on the security tooling. It’s a balancing act. We need to figure out how to get more talent into the cybersecurity space earlier in a career path so we can build on that.

Solutions for the Talent Gap

Jill thinks we need to start introducing cybersecurity at a high school level. It’s a complicated topic, but there are lots of other computer classes in high school. Most students have either a computer or an iPad and are working in online cloud environments. That’s an opportunity to get in early. Once they get to college, they may have already decided what they want to do. If they weren’t exposed to cybersecurity earlier, they may not have considered it, or thought it was too complicated, intimidating, or stressful.

Introducing kids to cybersecurity at younger ages could help fill the talent gap that is a CISO challenge.

Jill just wants people to consider it as an interesting career path. She loves what she does, and as long as she keeps her brain sharp she can do it forever. The longer you do it, the better you get at it. There are a ton of open positions and not enough people to fill them. Salaries are really good. And most cybersecurity jobs are happy with remote workers. These careers have a lot of benefits if we can get more young people to consider them.

Burnout and Stress are Challenges for CISOs

The CISO role is a high-stakes, always-on role, and Jill is a hands-on leader. She’s not only managing a security team but actively involved in real-time decision-making. The CISO is expected to be the central figure during an incident, coordinating with teams and the executive board. This can lead to extended hours and weekends away from family, especially when crises demand immediate attention.

Articulat[ing] technical problems into business level … there’s not many people in the organization that can do that job as well as the CISO.

Jill Knesek

The C-suite carries a lot of responsibility for companies, and there’s a lot of pressure for them to be doing everything in the middle of a crisis. For CISOs, mitigating burnout means not everything can be on fire. For some companies, every incident means the sky is falling, and that applies to people outside of security too. It’s important to quickly identify the impact of an incident and figure out whether you need to pull out all the stops and get everyone involved after hours. The key is to not overthink, get to the bottom of what’s going on, and manage it.

Plan Ahead and Stay Calm

The CISO plays a critical role in managing the attitude and emotional stress of a team or company. It’s important to balance urgency with level-headedness. The incident is important and urgent, but at the same time, it’s something you deal with every day. A lot of response should be muscle memory. You’ve dealt with similar things before, so you know what to do.

A small incident is not that different than a big incident. Just a [different] level of stress and visibility.

Jill Knesek

Jill tries to build that muscle memory with her team by discussing minor incidents. Every time you go through something that wasn’t actually a big deal and talk about lessons learned, you’re creating muscle memory to deal with bigger issues. When you’re facing a crisis, it feels less stressful because it’s what you’ve already been doing. Jill has a friend who loves motorcycles, and she and her husband like to drive through a particular canyon. In a car, you have to go back and forth following all these curves. On a motorcycle, you can straighten out the curve and have a more direct ride. The CISO’s challenge is to straighten out that curve for the company, keeping them from getting too high or too low.

Incident Response Tips

Jill recommends that every time there is a small incident, treat it as if it could have been big. Study it and learn from it. Remember that how you respond to small incidents now is exactly what you will do in the middle of a big incident. You’re practicing your incident response process all the time.

You have to learn from all those small incidents and treat them like a learning opportunity.

Jill Knesek

Jill currently works at a company that provides SaaS solutions. There are little incidents happening in the background all the time, not necessarily security-related ones. She and her team can watch how the other teams handle and manage incidents. The more you do, the better you get at them. The key is to figure out how and why it happened so you can be prepared in the future. Once you’ve learned what could have gone better or what you could have done better, you can explore how to apply what you learned.

Foster a Collaborative Team

The biggest challenge Jill sees for CISOs and security teams in terms of incident response is just not spotting incidents fast enough. So she tries to foster a culture where false alarms are better than something slipping through. If a junior or inexperienced team member is in doubt, she wants them to pull the alarm, get someone more senior involved, and figure out if it’s an incident as early as possible. She lets them know that she’s going to be more upset if they saw something and didn’t report it because they assumed it wasn’t a big deal than if they raise a false alarm.

Many junior and younger people have a different perspective, too. A lot of people in senior roles didn’t grow up with the cloud. It was a different world. Bringing in people with different perspectives and encouraging them to speak up and learn will always be beneficial. Some things can be solved in a thousand different ways, and the solution you come up with may be even better than the one Jill came up with. Collaboration is essential and it leads to better outcomes. If you know something the team can learn from, Jill wants to be able to put it into effect and see if there’s a better way to solve the problem.

Connect with Jill Knesek on LinkedIn. She is always active and looking to help the community and share her knowledge and expertise.
