How the best CISOs leverage people and technology to become true superstars
In addition to tapping into traditional assets, the best CISOs leverage a powerful but often overlooked reserve: their organization’s development community.
The job of a modern Chief Information Security Officer (CISO) is becoming more complex by the day. Despite organizations having access to the largest array of defensive tools, platforms, hardware and programs ever created, cybercrime is still rampant, affecting companies and organizations of all sizes worldwide. No enterprise, legal or otherwise, has grown larger or faster over the past few years than cybercrime. The estimated cost of global cybercrime was $6 trillion in 2021 and is expected to balloon to $10.5 trillion by 2025. If cybercrime were categorized as a country, it would rank as the world’s third-largest economy, behind only the United States and China. So, the deck is already heavily stacked against CISOs.
In addition, they contend with a growing cybersecurity skills shortage. If money and skilled personnel were unlimited, companies could hire thousands of cybersecurity professionals to watch over every aspect of their business and online operations. Even if this far-fetched scenario were possible, there simply aren’t large numbers of skilled cybersecurity people available to hire in the first place. Worldwide, there are currently about 3.5 million cybersecurity jobs that are unfilled, and that number could reach 85 million by 2030.
Because of all those headwinds, many CISOs have become resigned to their fate, accepting that other than buying a bunch of defensive tools and waiting to react to whatever attack eventually breaches those defenses, there is not much else they can do. Consequently, the turnover rate of CISOs is incredibly high these days, with many CISOs leaving their jobs because they don’t feel they have the resources to be successful, or getting fired for poor performance that is only partially their fault.
But it does not have to be that way. The best CISOs today are able to thrive despite the seemingly impossible odds. And they do it by tapping into resources beyond the latest “shiny new object” cybersecurity tool being advocated in the market.
Thriving, not just surviving
What separates superstar CISOs from the rest of the pack is that they are keenly aware of the burgeoning threat landscape and the cybersecurity skills shortage, but they don’t give in to despair. Instead, they use their existing assets to great effect, including tapping into a hidden source of strength that is critically overlooked as a security resource: their development teams.
In the era of DevSecOps hype, it’s common to say that security is everyone’s responsibility. But that only extends so far, and there are limits to what untrained and unmotivated workers, especially those who don’t work in IT, can actually do to make their organization more secure against cyberthreats. For example, in the real world, travelers at a busy airport should feel responsible for reporting an unattended bag sitting alone in a suspicious location. However, they aren’t trained to actually inspect that bag to look for threats, or empowered to take any actions on their own. At a company, it's one thing to make everyone aware of cybersecurity, and another to actually educate them to make their organization more secure within the context of their role, or to use the defensive tools they already have in place to counter threats and squash vulnerabilities.
For that, companies need to invest in upskilling. It’s far better, and oftentimes easier, to invest in the talented, loyal staff that are already a part of your organization than to try and hire new people from the outside. But even then, putting those learning resources in the best place to get the required results is key. And one of the best, most underutilized areas to start upskilling is within the developer community – something that top CISOs have learned.
Developers already understand IT since they write much of the code for the programs being used by their organizations. And they are often ready, willing and able to upskill in cybersecurity to help make them even more amazing at their jobs. In fact, in the recent Secure Code Warrior State of Developer-Driven Security survey, 92% of the developer respondents said that getting security training was important to them. Smart CISOs are tapping into that enthusiasm, and providing developers with the education pathways they want and need, with the payoff being a reduction in common vulnerabilities, not to mention less pressure on overworked AppSec personnel.
Making sure developers get the right upskilling and support
The best CISOs know that upskilling is critical to success. But not just any training will do, especially for the development community who already have a good baseline understanding of IT. A “check-the-box” program won’t offer much return on investment, and will likely frustrate developers into poor performance and a lifelong hatred of working with security teams.
Likewise, any solution that impedes their workflow, fails to stay agile with enterprise security goals, or cannot deliver the right education at the right time in an easily digestible format, is unlikely to result in foundational security awareness or skills.
Other secrets of superstar CISOs
Exemplary CISOs are also able to address other key pain points that traditionally flummox good cybersecurity programs, such as the relationships between developers and application security (AppSec) teams, or how cybersecurity is viewed by other C-suite executives and the board of directors.
For AppSec relations, good CISOs realize that developer enablement helps to shift security farther to the so-called left, closer to a piece of software’s origins. Fixing flaws before applications are dropped into production environments is important, and it avoids the annoying hotfixes and delivery delays that come with the old way of building code first and running it past the AppSec team at the last minute. But shifting left can’t solve all of AppSec’s problems alone. Some vulnerabilities may not show up until applications get into production, so relying on shifting left in isolation to catch all vulnerabilities is impractical and costly.
There also needs to be continuous testing and monitoring in the production environment, and yes, sometimes apps will need to be sent back to developers even after they have been deployed. A great CISO, with a foot in development and security, can smooth out those relations and keep everyone working as a team.
Getting other C-suite executives onboard with better security might be an even more difficult challenge, with leadership outside the CISO and CIO normally looking at business objectives and profits before anything else. To counter that, superstar CISOs know how to show a direct correlation between better, more mature cybersecurity and increased revenue, and how it can even provide a competitive advantage.
It’s not easy being a CISO, and certainly more challenging than at any other point in history. But those CISOs who master that adversity are becoming true superstars within their companies and communities. They competently employ agile developer upskilling, champion security culture, streamline relationships between the traditional rivals of development and AppSec teams, and encourage leadership to foster a security-first approach from the top down.