Aon | Professional Services Practice
The CIOs and CISOs Are Not Alright
Release Date: November 2023 Information security professionals are facing unprecedented levels of stress due to a sustained increase in cybercrime, a shortage of qualified information security personnel, regulatory actions and AI-driven changes to the threat environment.
Key Takeaways
- Professional service firm staff responsible for information security are facing unprecedented levels of stress
- In additional to factors like increasing cybercrime, information security professionals also now face regulatory, shareholder and even criminal actions where they are individually named defendants
- Professional service firms must use creative health benefits to support the valued professionals responsible for their information security
Overview
A U.S. federal jury finding former Uber security chief Joe Sullivan guilty of obstructing a federal investigation in October 2022 raised the stakes for information security professionals. This was the first time a company executive had been found guilty on criminal charges related to the handling of a data breach. Now the SEC is suing a software company and its CISO, alleging they misled investors by concealing vulnerabilities and overstating cybersecurity measures.
This article will explore unique challenges faced by Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) at professional service firms and how their employers can support them.
The Role of the Professional Service Firm’s CIO and CISO
Technology is the lifeblood of a professional services firm and is emerging as greatly the responsibility of CIOs and CISOs. When systems go down because of a human error or a cyber-attack, they can expect enormous pressure from senior management to fix the problem quickly. Employees need to access document management systems, email and videoconferencing. Any interruption in systems availability is a crisis that affects income, reputation and the ability to serve clients.
At the same time, a shortage of qualified technology staff together with constant pressure to maintain productivity and profitability means that CIOs and CISOs are constantly tasked with doing more with less. Many CISOs feel pressured to demonstrate cost-efficiency and “return on investment” when they implement cybersecurity measures. Eliminating any friction security measures may cause is also often demanded. In the aftermath of a cyber-attack, security measures that had been on the roadmap for months, if not years, can suddenly be approved, and implementation demanded within days. For long term success, CIOs and CISOs need to establish and sustain productive relationships with firm leaders that endeavor to recognize the crucial role of the information security function in operating and budgetary discussions.
Current information technology is really only visible when it is not working or disrupts workflows. 99.9% of the time, systems and their operators are seen as invisible assets. But when systems stop working, they and the security measures supporting them will unhesitatingly be blamed. And, despite the fact that the hackers often get into the systems by exploiting weaknesses in the regular workforce (phishing, credential compromise, social engineering, etc.), CIOs and CISOs are seen as the “front line” defense against threat actors who would seek to gain access to data or disrupt the firm’s business.
CIOs and CISOs are painfully aware that their job is on the line in the event of a cyber attack. When incidents occur, it is CIOs and CISOs that are first called upon to defend their prior decisions. Now they are also finding themselves personally facing regulatory and shareholder action and possibly even criminal penalties.
CIOs and CISOs may face this potential personal liability even in situations in which it is proven that they were denied resources or support for measures that would have prevented or mitigated an attack. As a result, ways to mitigate the risks of the role are being sought. A recent Wall Street Journal article quoted a major executive recruiter as saying that increasingly CISO’s are asking for the types of protection that are often granted senior executives, such as being included in the Directors’ & Officers’ Insurance policy (only about 44% of CISOs are included) and provided with severance agreements.
How to Help your CIO and CISO
How information security personnel are viewed within the firm, starts, like most aspects of firm culture, at the top. Firm leaders play an important role in creating a trusting and transparent environment where all involved understand the advisable measures that safeguard the data of clients and colleagues, even when they increase complexity and decrease ease of use – such as longer passwords and multi-factor authentication.
It is crucial that leadership engage to support the issue. For example, a managing partner, COO, or other prominent leader could be featured in relevant training videos, thereby demonstrating the leader’s investment in the subject matter. Such an environment may increase the likelihood that non-technical staff will come forward when they make a mistake like following a suspicious link, thereby giving technical staff a head-start in mitigating, or preventing, a potential incident.
Ultimately, information security should be viewed as not only a top compliance and social responsibility priority, but also as a key business priority – where better security hygiene and governance benefits the firm and its clients. Leaders seeking inspiration can look to the robust physical safety culture prevalent among industrial companies and engineering firms or to Apple’s “Privacy. That’s Apple.” campaign, linking data privacy to core business strategy.
In addition to fostering a security “by design” environment in which the CIO, CISO and their team are supported as important facilitators of the client service process, firms should consider repackaging certain wellbeing benefits already on offer like mindfulness and meditation programs and the employee assistance program (EAP) with a robust counseling benefit.
A firm’s technical staff focuses on the job at hand and may not always be aware of the resources available to them, despite the best communication efforts. In addition to wellbeing benefits, firms could also consider augmenting time away policies to include time off for stressful professional events, such as a cyber incident.
Contact
For more information about supporting those trusted with safeguarding your organization’s data and how Aon can help, please send an email to [email protected] or reach out directly to Jake Delman.
Jake Delman
Senior Consultant
Washington, DC
The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.