Part IV. Challenges of the Modern CISO: Balancing Security, Accessibility, and Change
Introduction
Modern CISOs are walking a tightrope: balancing the need for robust security with growing demands for accessibility, usability, and innovation. At the same time, we’re facing talent shortages, evolving regulations, and third-party risks that complicate the job even further.
These challenges affect everything—trust, efficiency, and leadership strategy—because they require constant trade-offs. You can’t lock everything down without disrupting operations, and you can’t ignore security without inviting disaster. The solution is resilience and adaptability. You’ve got to have a plan, move fast when things happen, and lead with purpose. How we, as CISOs, respond to these challenges sets the tone for our organizations. Cybersecurity isn’t just a protective layer; it’s an integral part of modern businesses.
I’ve been lucky to work alongside some brilliant analysts, engineers, and leaders, and I’ve learned that it’s up to us to show the way forward.
I. Balancing Security with Accessibility and Usability
1. The Accessibility-Usability-Security Paradox
Everyone—employees, customers, stakeholders—wants seamless experiences, but that often conflicts with the stringent security measures we need to protect sensitive data.
Example: After an Account Takeover (ATO) attack targeted one of our senior executives, we pushed to enforce our Identity Provider (IdP) integration across every supported application. Working with application owners, IT engineers, and the access management team took months, but the payoff was worth it:
- We secured 30+ applications.
- We cut ATO incidents by 100x.
- We improved user logins by 10x, simplifying access across the organization.
People don’t realize that security and usability aren’t enemies. When you approach challenges strategically, you can improve both.
2. Strategies for Achieving Balance
- Zero Trust Architecture (ZTA): This approach creates invisible gates, restricting access only to those who truly need it. It’s about strengthening security while keeping it user-friendly.
- Conditional Access Policies: These apply dynamic controls based on behavior, location, and device, adapting security on the fly and cutting risk without slowing people down.
The trick is designing systems that serve the business and its people without compromising protection.
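To make the conditional-access idea concrete, here is a small policy evaluator added as an illustration; it is not code from the author or from any particular identity provider. The signal names (device posture, familiar location, recent failed logins, whether MFA was already satisfied) and the ordering of rules are assumptions chosen for the example, and the sample requests are constructed. The point it shows is the layering: hard blocks for clear compromise indicators, step-up MFA for ambiguous risk, and a silent allow when nothing is unusual, so most users never see friction.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessContext:
    """Signals an IdP typically has at hand when a login or app launch is evaluated.
    Field names are assumptions for this example, not a real product's schema."""
    user: str
    app_sensitivity: str        # "low" or "high"
    device_managed: bool        # enrolled in device management
    device_compliant: bool      # passed posture checks (encryption, patch level, ...)
    known_location: bool        # network/location previously seen for this user
    failed_logins_last_hour: int
    mfa_satisfied: bool         # strong second factor already presented this session


ALLOW, STEP_UP, DENY = "allow", "step_up_mfa", "deny"


def evaluate(ctx):
    """Return (decision, reason). Hard blocks come first, then step-up, then allow."""
    # Hard blocks: signals that look like an active takeover or an unsafe endpoint.
    if ctx.failed_logins_last_hour >= 10:
        return DENY, "too many failed logins in the last hour"
    if ctx.device_managed and not ctx.device_compliant:
        return DENY, "managed device failed its posture check"
    if ctx.app_sensitivity == "high" and not ctx.device_managed:
        return DENY, "sensitive app is only reachable from a managed device"

    # Softer risk signals: each one alone justifies a step-up, not a block.
    risk_signals = []
    if not ctx.known_location:
        risk_signals.append("unfamiliar location")
    if not ctx.device_managed:
        risk_signals.append("unmanaged device")
    if ctx.app_sensitivity == "high":
        risk_signals.append("sensitive application")
    if ctx.failed_logins_last_hour >= 3:
        risk_signals.append("recent failed logins")

    if risk_signals and not ctx.mfa_satisfied:
        return STEP_UP, "step-up for: " + ", ".join(risk_signals)
    if risk_signals:
        return ALLOW, "risk signals covered by MFA: " + ", ".join(risk_signals)
    return ALLOW, "no risk signals"


# Constructed sample requests covering each branch of the policy.
SAMPLE_REQUESTS = {
    "office_laptop_hr_system": AccessContext("alice", "high", True, True, True, 0, True),
    "hotel_wifi_email": AccessContext("alice", "low", True, True, False, 0, False),
    "byod_phone_email": AccessContext("bob", "low", False, True, True, 0, True),
    "byod_phone_hr_system": AccessContext("bob", "high", False, True, True, 0, True),
    "unpatched_laptop": AccessContext("carol", "low", True, False, True, 0, True),
    "password_spray_victim": AccessContext("dave", "low", True, True, True, 12, False),
}


def decide_all():
    """Map each sample request name to its decision."""
    return {name: evaluate(ctx)[0] for name, ctx in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, ctx in SAMPLE_REQUESTS.items():
        decision, reason = evaluate(ctx)
        print(f"{name:24} {decision:12} {reason}")
```

Note that the rules are ordered from most to least restrictive on purpose: an unmanaged device opening a sensitive app is denied outright rather than offered a step-up, because MFA proves who the user is, not that the endpoint is safe to hold the data.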
II. Navigating the Cybersecurity Talent Gap
1. Scope of the Talent Shortage
There’s no denying the buzz about the global cybersecurity talent gap, but the number of open positions might be slightly overestimated. What matters is aligning team growth with company growth. As the company scales, so should your team—but throwing more people at problems isn’t always the answer.
2. Building Resilient Teams
Building resilient teams is more than hiring—it’s about mentorship, training, and leveraging tools to scale human effort.
- I’m a fan of the "see one, do one, teach one" model. Walking team members through the work helps them grow confidently into their roles.
- Networking at events and connecting with schools has been a massive help in building a talent pipeline.
- AI hasn’t taken over yet, but it’s a game-changer for dealing with overwhelming data like logs. It can flag anomalies faster, which helps us focus on what matters.
Personal Success Story: Teaching developers to think about abuse cases was a big turning point. It led to more robust applications before testing started, saving time and reducing vulnerabilities. When it came time for third-party penetration tests, they found minimal security bugs, proving the value of this approach.
III. Managing Third-Party Risks
1. Complexity of Third-Party Dependencies
Vendors, suppliers, and contractors are great for boosting productivity and accelerating outcomes, but they come with risks. Mismanaged access controls or supply chain issues can undermine everything you’re trying to protect.
Examples of Common Risks:
- Uploading unchecked code.
- Stolen signing certificates.
- Dependence on Software of Unknown Provenance (SOUP), where you trust open-source libraries to be secure without knowing who built them, or how.
2. Strategic Risk Mitigation
The key to managing third-party risks is asking better questions during onboarding and ongoing reviews:
- "What is the riskiest way my company uses your service?"
- "What’s your incident response plan if something happens on your end?"
- "Do you subcontract, and how do you vet their practices?"
Practical steps include contracts with clear security expectations, regular audits, and tools that monitor vendor activity.
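As an added example (not the author's tooling, and not tied to any specific vendor or package manager), here is the kind of automated gate that addresses two of the risks listed above, unchecked code and dependence on SOUP: every third-party artifact that enters a build is compared against a hash pinned when it was reviewed, and anything unpinned or altered blocks the build. The package names, contents and manifest are constructed for the demonstration; in practice the pinned manifest would live in version control and its entries would be recorded from a trusted source at review time.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Content hash used for pinning."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample artifacts standing in for downloaded third-party packages.
ARTIFACTS = {
    "parser-lib-2.4.1.tar.gz": b"parser-lib release contents",
    "crypto-helper-0.9.0.whl": b"crypto-helper release contents",
    "report-gen-1.2.0.zip": b"report-gen release contents (tampered)",
    "new-widget-0.1.0.tar.gz": b"never reviewed",
}

# Pinned manifest: hashes recorded when each package was reviewed and approved.
# Values are computed inline from the original (pre-tamper) contents so the
# example runs offline; a real manifest would hold literal hex digests.
PINNED = {
    "parser-lib-2.4.1.tar.gz": sha256_hex(b"parser-lib release contents"),
    "crypto-helper-0.9.0.whl": sha256_hex(b"crypto-helper release contents"),
    "report-gen-1.2.0.zip": sha256_hex(b"report-gen release contents"),
    "retired-lib-3.0.0.tar.gz": "0" * 64,  # still pinned, no longer a build input
}


def verify_pins(pinned, artifacts):
    """Classify each artifact as ok / mismatch / unpinned, and each stale pin as missing."""
    results = {}
    for name, data in artifacts.items():
        if name not in pinned:
            results[name] = "unpinned"       # nobody has reviewed this package
        elif sha256_hex(data) == pinned[name]:
            results[name] = "ok"
        else:
            results[name] = "mismatch"       # contents differ from what was approved
    for name in pinned:
        if name not in artifacts:
            results[name] = "missing"        # manifest hygiene, not a build blocker
    return results


def gate(results):
    """Return (allowed, blocking_names). Only present artifacts can block the build."""
    blocking = sorted(n for n, s in results.items() if s in ("unpinned", "mismatch"))
    return (not blocking), blocking


if __name__ == "__main__":
    outcome = verify_pins(PINNED, ARTIFACTS)
    for name, status in sorted(outcome.items()):
        print(f"{status:9} {name}")
    allowed, blocking = gate(outcome)
    print("build allowed:", allowed, "blocked by:", blocking)
```

Pinning the content hash rather than trusting a signature alone is what makes a stolen signing certificate, the second risk in the list, much less useful to whoever holds it: a newly signed but different artifact still fails the comparison, and the build stops until someone reviews and re-pins it.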
Personal Success Story: I’ve worked with vendors to pinpoint weaknesses in their processes and collaborate on fixes. Listening and understanding their challenges—not just what they can’t do but why—helped us strengthen partnerships and improve outcomes.
IV. Evolving Regulatory Requirements
1. The Regulatory Landscape
The 2023 SEC updates put CISOs in the spotlight. Publicly traded companies now have to file:
- 8-Ks for material cybersecurity events within four business days.
- Detailed strategies in their 10-Ks, showing how security risks are managed year-round.
Transparency is the name of the game. CISOs must earn the trust of investors by being clear and honest—but without oversharing or creating panic. Materiality comes down to this: Does this event change how the company operates?
The SolarWinds case has taught us that CISOs aren’t just risk managers anymore. We’re translators and communicators, especially when working with boards and investors.
2. Preparing for New Regulatory Expectations
Every job I’ve started begins with a gap analysis:
- Where are we now?
- What’s good enough, and what needs to grow?
- Which regulations apply to us, and how can we meet those obligations without overburdening the team?
Practical Lessons:
- During CCPA compliance, we treated California’s requirements as a baseline, even when the industry didn’t require it.
- For GDPR, minimizing data collection and ensuring robust deletion practices were critical.
- Understanding auditor priorities kept our SOC 2 and HITRUST reviews focused on what mattered.
Building relationships with corporate counsel has been one of the most valuable strategies for managing governance and compliance.
V. Reflections on Leadership
My leadership style is all about Both/And Thinking—finding ways to solve problems for both security and business needs and embracing a Move Fast and Fix Things mindset.
One of the best lessons I’ve learned comes from my father: open, honest communication is the foundation of trust and effective leadership. That principle has guided me in managing teams, navigating challenges, and driving success across organizations.
Conclusion
The challenges of the modern CISO are complicated, no question. However, the right strategies and strong leadership can turn those challenges into opportunities.
As security leaders, it’s not enough to protect our organizations—we must propel them forward.
How are you addressing these challenges in your organization?