Tony Gonzalez on Navigating a Global CISO’s Challenges (Part 1): Managing Distraction and Board Relations

The key challenge for CISOs is prioritising daily and weekly activities to tackle high-priority issues. My approach has always been a multi-pronged one that’s not just about technology.

A robust team, strong processes, and the right technology can make security operations more efficient and effective.

CISOs need to adapt swiftly. It’s a matter of having good plans and being ready to throw them out at any given minute. Threat actors continuously devise new methods to breach systems and steal sensitive data. Being quick on your feet and adjusting to these evolving threats is imperative.

To stay ahead in the constantly shifting security landscape, you must balance internal efforts and a good network of advisors, such as consultants and threat analysis sources.

Many challenges are common to organisations, but certain things may be more impactful to one company than another, depending on the sector. Keeping up with industry information and staying attuned to regulatory changes also plays a significant role.

CISOs must build strong relationships with legal counsel, privacy teams, and chief risk officers to determine the appropriate action when an incident occurs.

Reporting an incident or breach should be viewed as a business decision, not solely the responsibility of a CISO. Transparent communication with stakeholders is essential and urgent, even if complete information is unavailable immediately — which is often the case.

Many things go into analysing whether to report an incident or not. The word “breach” has a strong connotation and, when used in error, can create a lot of noise in your organisation. In many cases, issues wound up being incidents, not breaches.

An incident may involve a control failure or an attempt at unauthorised access, but it doesn’t necessarily result in data exfiltration. Defining what constitutes a reportable incident can vary based on regulations and organisation-specific factors – and it’s not a decision you should take only on yourself as a CISO.

For example, we had a “near-miss” process. Even if something wasn’t an actual breach, we still reported it internally. The final decision was in the hands of the legal and privacy officers who had a direct relationship with the regulators.

Building a strong relationship with the board is essential for a CISO, but it doesn’t happen immediately. It’s like trying to turn an aircraft carrier: you can’t do it in minutes; it takes a long time to make that turn.

I remember showing some perimeter attack information to a board and them saying, “My god, 90,000 attempts on the perimeter, that’s a huge amount in a year!” I responded, “Not really, because the snapshot I’m showing you was a two-hour one”. People start to understand the enormity of what you’re up against, but it requires time and patience.

As a CISO, you must prove that you are listening to the board’s concerns and deliver what they are asking for. Over time, the conversation can shift from what they are asking for to what you believe is essential to convey. However, this transition should be gradual to avoid confusion on their part and frustration on yours.

CISOs have more and more responsibilities in the area of risk compliance and governance. The most successful CISOs can blend technical expertise with a deep understanding of business risk.

All businesses grow through acquisition, expanding to new markets, or providing new services to the customer base. A lot of that growth involves using disruptive technologies like AI.

It’s not whether you use AI or not; it’s how you use it, and it comes with data privacy and security concerns. CISOs enable their organisations to make informed decisions that balance risk and reward when using new technologies for growth.

More on how to manage the impact of disruptive technologies and what keeps CISOs up at night in part 2 of our insightful conversation with Tony Gonzalez, Fortune 50/500 Cybersecurity Executive, coming up on our blog. Stay tuned!