Top 7 Cybersecurity Mistakes CISOs Make


As the very nature of the CISO’s role evolves, both disturbing challenges and exciting opportunities surface. Cybersecurity is a case in point. While cyber risk is growing at an alarming pace, most CISOs lack the resources to address the challenges effectively.

That said, the forward thinking CISOs have the ear of the board. Due to personal accountability, executives and board directors are regularly turning to their CISOs to seek answers.

That means that as a CISO, this is your time to shine, put a plan in place and approach your board.  But before you do, we’ve put together a list of the 7 most common blunders CISO’s tend to make (which you should avoid):

  1. Ignore assets outside the responsibility of IT
    While security breaches eventually penetrate IT systems, most attack vectors commonly emerge from beyond the network perimeter, originating from assets or people that are unrelated to IT. In most high-profile cyber attacks from recent past, the attackers utilized vulnerabilities on 3rd party systems over which the targeted organization has no control. Additionally, we’ve been seeing a concerning surge in malicious content and tools introduced into organizational networks via social media. Ignoring malicious attempts to compromise these “low hanging fruit” is a recipe for disaster.
  2. Limit security training to technical teams
    Every employee or subcontractor could be a target of a phishing or spear-phishing campaign. Most cases of successful breaches which go unnoticed are a result of lack of awareness. Social engineering allows threat actors to specifically avoid trained security professionals and lure in the employees with less awareness. The key is to raise awareness across departments to change the culture of online habits.
  3. Fail to secure executive buy-in 
    Conventional wisdom assumes cybersecurity is a technical initiative. Unless senior executives are engaged and motivated to act, cybersecurity initiatives will fail. In other words, CISOs must evolve to become business leaders, moving away from technological jargon to numbers executives can understand. Executive buy-in is needed to transform what is commonly mistaken as a security concern into a business concern that affects the entire organization.
  4. Assume 3rd party providers will handle security effectively
    While many suppliers are granted access to internal systems, they are rarely screened for proper security protocols. As a result, they introduce significant risk, enabling threat actors to bypass security procedures.  As part of your security measures, you need to make sure your supply chain has (at least) the same security requirements as your organization.
  5. Blindly trust SIEM and other monitoring solutions
    Most SIEM platforms are prone to be misleading as they usually create more noise than actionable data. This eventually leads to incidents being overlooked as they drown in the noise – the needle in the digital hay stack. Any monitoring platform is only as good as the time you invest in it. Since time is an expensive resource, we end up having multiple monitoring platforms that consistently fail to deliver in today’s evolving threat landscape.  If you’re under staffed and don’t have the resources to properly utilize a SIEM or operate a full SOC, consider outsourcing that part of your operations.
  6. Adopt a narrow definition of threat intelligence
    Threat intelligence could be a great initiative to drive a proactive approach to security, when utilized properly. Very often, threat intelligence is limited to the information generated by traditional IT systems and outdated lists of malicious IPs and URLs. Focusing on the organization’s network as a primary security data source can only elicit a fraction of relevant threats. Without access to real time, targeted intelligence that is truly actionable, organizations are effectively “flying blind”.
  7. Underestimate the impact of business growth on security
    All too often, high-growth companies consider security as an after-thought rather than a strategic initiative. It is the CISO’s responsibility to remind management that cybersecurity must evolve organically with the company. Without the proper infrastructure, organizations will find it nearly impossible to build security into an exposed system from the ground up. As relatively unknown companies become successful, security policies must adapt accordingly. The more exposure a company receives, the better the chances of being targeted by threat actors.

As the perimeter blurs, the role of the CISO must evolve. In today’s connected digital world, no system is entirely self-contained. As a result, security technologies and procedures must be updated to address the increased level of cyber risk.

We at CyberInt understand that the CISO’s role may be overwhelming and over the last few years we’ve helped many CISOs in putting some sense and structure into their security programs. Feel free to give us a call if you have a question or would like to run your thoughts by us.

Uncover your compromised credentials from the deep and dark web

Fill in your business email to start