SecurIT 2019: Being a CSO is like Game of Thrones

With the threat climate continuing unabated, the increasing volume of attacks – and the increasing pressure to stop them – has taken its own toll on CSOs, who suffer from high burnout rates, job-related physical and mental health issues, loss of a sense of purpose, and constant fears for their jobs, IOOF Holdings head of cybersecurity and technology risk Ashutosh Kapsé noted.

Two-thirds of CSOs don’t last more than three years in their positions, he said, likening the constant pressure of the CSO role to Game of Thrones – which he illustrated with a montage of the biggest, and most brutal, surprise murders throughout the series’ run.

Like the show’s many ill-fated characters, CSOs often never see their threats coming – but live in constant fear of the day their number is up.

“CSOs have the sole responsibility for security in a constantly shifting landscape,” he said. “It is expected we are around 24×7 – and every time the SOC escalates something and says the Rapid Response Team needs your attention on this particular issue, my heart drops.”

Despite knowing the important response is ‘don’t panic’, Kapsé said, “it still happens.”

There are strategies for managing this stress, however, and Kapsé offered the audience a few – including proactively updating the board about company exposure to high-profile security vulnerabilities, and boosting the prominence of cybersecurity by tracking and sharing key metrics around patching status, employees’ phishing susceptibility, and so on.

“This is technical information, but in the long run they are indicators of governance,” he said. “Don’t go in to talk with the board and assume you can’t put in anything technical; over time, I have educated the board and made them aware of what they need to look at.”

“Don’t be afraid to give information, as long as you can couch that in terms of the impact on risk management and governance.”

Greater visibility of key metrics had generated strong follow-on benefits: patching practices, for example, improved dramatically once the security team realised their relatively low numbers were being surfaced for everyone to see.

Kapsé also flagged networking as crucial to helping CSOs distribute the pressure of cybersecurity – encouraging both mentorship and the maintenance of a “circle of trusted CSOs”.