Structurally, CISOs should Report Directly to CEOs: Dr. Fene Osakwe 

In a recent interview with Kalpana Singhal, Dr. Fene Osakwe, Council Member at Forbes Technology & Cyber Security Mentor, Springboard, we explored the evolving landscape of cybersecurity. Drawing from his expertise, Dr. Osakwe shed light on emerging threats, proactive defense strategies, and the critical role of cybersecurity in today’s digital age.

 

What are some of the emerging cybersecurity threats that organizations should be aware of, and how are these threats evolving in sophistication and impact? 

Well, I recently published an article on Forbes titled “Top Cybersecurity Trends for 2024,” where I discussed about nine trends. Let’s focus on a few. One significant trend is nation-state-sponsored attacks. With increasing global tensions, countries are paying hackers to compromise other nations’ security, steal data, and disrupt critical infrastructure. Another emerging trend is the automation of cyber attacks, pitting machines against humans. The ease of automating attacks makes them more sophisticated and challenging to combat. Lastly, there’s the issue of burnout among security professionals. The overwhelming responsibilities, compliance requirements, and constant cyber threats contribute to mental health issues within the cybersecurity workforce. 

 

Being a Chief Information Security Officer (CISO) requires multitasking and vigilance. How can organizations effectively address these evolving cyber methodologies? 

Cybersecurity training is crucial, but it’s no longer sufficient to rely solely on awareness. We need comprehensive training that equips employees with practical skills to identify and respond to threats effectively. Additionally, organizations must leverage machine learning and artificial intelligence in their security architecture to combat sophisticated attacks. Security by design should be integrated into every aspect of product development and processes. Lastly, the board needs to take more responsibility for cybersecurity to ensure adequate resources and attention are allocated to this critical area. 

 

As the shift to remote work continues, what cybersecurity challenges arise, and how can organizations secure remote endpoints effectively? 

Remote work introduces new vulnerabilities, requiring a proactive approach to security. Beyond awareness training, organizations should implement multi-factor authentication and behavioral analytics to detect unusual activities. Continuous monitoring and agile response mechanisms are essential to mitigate risks associated with remote work. For instance, isolating compromised devices immediately can prevent further damage. 

 

Ransomware attacks and data breaches remain prevalent. How can organizations enhance their resilience to such threats and protect sensitive data? 

A holistic approach to cybersecurity resilience is vital. Organizations should establish governance frameworks, implement data classification, and deploy robust security controls. Compliance with regulations such as GDPR, PCI, and ISO standards provides a foundation for cybersecurity practices. Additionally, organizations must invest in detection and response capabilities, leveraging tools like Security Information and Event Management (SIEM) solutions for real-time threat detection and orchestration for efficient incident response. 

 

Zero trust security is gaining popularity. What key principles should organizations consider when implementing a zero-trust strategy? 

Zero trust emphasizes never trusting, assuming breach, continuous validation, and least privilege access. Organizations should authenticate users and devices, validate access continuously, and limit access to the bare minimum required for tasks. This approach enhances security by minimizing the attack surface and mitigating the risk of unauthorized access. 

 

Zero trust may impact productivity. How can organizations balance security and productivity? 

Data classification is essential in determining the level of security required for different assets. Organizations should apply stringent security measures to critical systems while adopting a more flexible approach for less sensitive areas. By prioritizing security based on the criticality of assets, organizations can minimize disruptions to productivity. 

 

Who should CISOs report to, and how is this reporting structure evolving? 

Structurally, CISOs should report directly to CEOs, positioning cybersecurity as a business risk rather than a technology issue. While this alignment varies globally, regulations and industry standards increasingly emphasize the importance of cybersecurity oversight at the highest levels. Establishing this reporting structure ensures cybersecurity receives the attention it deserves and aligns with other business functions like finance and marketing. 

 

Compliance with regulations is crucial. How can organizations effectively navigate compliance requirements while maintaining robust cybersecurity practices? 

A holistic compliance program is key, focusing on aligning cybersecurity measures with regulatory mandates. Rather than chasing individual laws, organizations should adopt a comprehensive approach that addresses common cybersecurity principles across regulations. This entails robust governance, data protection, and proactive monitoring. By implementing a unified compliance framework, organizations can streamline compliance efforts while fortifying their cybersecurity posture. 

 

What are your top tech and business priorities for the next two to three years? 

My priorities center on leveraging technology for social impact, particularly in education. I aim to scale initiatives that support underprivileged students’ access to quality education. Additionally, I’m working on my second book to further disseminate cybersecurity knowledge. Bridging the gap between technical and non-technical stakeholders remains a priority, as cybersecurity increasingly influences business decisions. Ultimately, my focus is on driving positive change and innovation in both technology and business spheres. 
