May 11, 2024
The role of the startup CISO is a curious thing. The type and volume of work they’re tasked with can vary considerably from year to year and job to job. But zoom out a little, and a few trends start to come into focus.
At the end of 2023, AccessOwl co-founder Philip Eller sat down with several IT security leads working at startups across multiple verticals. Their conversations shed a fascinating light on the priorities of these CISOs as they enter 2024, and the skills they must hone in order to thrive.
Continuity and change
Some started at their company with an urgent mission to enhance security across the board, as is often necessary at a startup. This can make for rapid adjustment and changing priorities over the course of a year or two.
For example, Owkin CISO Leo Cunningham says his job in 2023 was initially one of “stabilization.”
“We had gone a long time without any security leadership because it took that long to hire the right person, and we also had to achieve compliance with the 27001 standards,” he says. “We basically had to cram one year’s worth of work within six weeks.”
Following that period of intense change, 2024 will be somewhat different for Cunningham — who will be focusing on training according to engineering principles and on replacing the company’s cumbersome endpoint detection and other tooling.
Another security leader on a steep trajectory after joining his company is Novatti Group CISO George Abraham.
“Before I joined, we didn’t have a security team or a CISO, and our maturity was really bad. So the founder of our company brought me in to implement a three-year strategy,” he explains. “The first year had a heavy technical and process-oriented focus. So we did a massive ISO 27001 certification. And this year we’re kind of picking up bits and pieces that we could not complete in 2023.”
For others, continuity from year to year is more pronounced. PayByPhone CISO Anton Kaiser has been focused on PCI DSS 4.0 compliance for some time, because the firm processes hundreds of millions of card payments each year.
“There are PCI DSS 4.0 requirements that have already been launched, and then there are best practice things that you can do now and that will become mandatory after March 25 [the compliance deadline],” he explains.
Skills and priorities
The CISOs we spoke to have plenty on their to-do lists for 2024. Among the many specialized areas they’re looking to address this year, five themes stand out.
Managing business change
In the startup world, change is constant. That presents CISOs with challenges, as well as opportunities to show how important cybersecurity is in supporting business growth and evolution. That said, M&A-related change can be unsettling. StreamSets Director of Information Security Ross Stapleton-Gray explains that his company is being acquired, alongside webMethods.
“We certainly expect organizational changes, but we don't know when that will happen. So preparing for unanticipated changes and making it known how we would recommend or how we might react to particular announcements is important,” he explains. “As the infosec team, we should be prepared to say, ‘Can we expand our scope to include webMethods? Or can we change what our focus is, given their focus already is on this particular thing?’”
PayByPhone’s Kaiser has also been forced to adapt due to his firm’s acquisition by Corpay.
“We will help expand Corpay's vehicle payments solutions, which they provide to their B2B fleet customers, so we have to create synergies with Corpay, which means we have to build new products,” he says. “So the focus is on ensuring that the new services we build remain safe.”
New technologies
Something else is a given in the world of the CISO: technology innovation. This means that security leads must constantly be learning — to ensure that they can advise their organization about the potential risks and opportunities that new technology can herald. Generative AI is right at the top of the priority list for many, including StreamSets’ Stapleton-Gray.
“There are a half-dozen different ways it could enter the company, and some of those will have security implications,” he explains. “I'll be at a briefing from legal on their expectation for application of AI, and hopefully will contribute to that. But then I’ll also take whatever comes out of that and evangelize it to the rest of the company.”
Culture and training
This hints at another key focus for many CISOs in 2024 and beyond: the growing need to develop a security-first mindset among employees. This will be top of mind for Stapleton-Gray as he addresses AI’s challenges and opportunities for StreamSets.
“It's on infosec to do security awareness training. But I would say it's also hugely helpful to talk about the impact of technologies on people's work and explain that if AI is going to come down the pike, will it incorporate security and privacy by design?” he says. “For example, how should people regard outside parties and AI: as a threat? Please don't take your marketing plan, put it into ChatGPT, and tell me about it afterwards.”
Novatti Group’s Abraham admits cybersecurity culture is “not where it needs to be,” and he wants to change it by creating security champions among the developer team, and sponsors at a management level.
“It’s not just about users saying they’re not going to click on a phishing test,” he says. “I want people to come and tell me, ‘Hey George, I saw this thing the other day, and it didn’t look good.’ Or even to report stuff at home. I want a conscious mission in the team to uplift cybersecurity culture.”
This kind of proactivity on the part of employees can be a huge benefit to organizations and to CISOs, as it means that issues are uncovered earlier than they might be by intermittent scans or pen testing, Abraham adds.
Compliance
A security-first culture could also help with compliance, another major 2024 priority for the CISOs we spoke to. This can range from voluntary best-practice standards like ISO 27001, to government authorization programs like FedRAMP, to compulsory rules including NIS2 and DORA, both EU laws with extraterritorial implications for organizations.
“I think the number one priority for us as a company that's small enough where we're trying to go international is ISO 27000 certification,” says Pantheon Platform VP of Information Security Tim Dzierzek. “That is a big deal for us, accomplishing that. But you always run into audits, whether you're doing SOC 2 or PCI DSS et cetera.”
For Katherina Höfer-Samusch, Head of IT at fintech Scalable Capital, DORA will be a big focus. The regulation doesn’t apply just to financial services companies but also to their IT supply chains.
“As customers, we have to make our vendors take more responsibility. We have to review all our contracts again. We have to do monitoring. We need regular meetings where we really work through the inside issues that have popped up with the vendors and go through them,” she explains. “We also need exit strategies in case we want or have to [part ways]. And ideally the companies should also carry out auditing themselves.”
Getting the basics right
A lot of these compliance activities might fall under the kind of cyber-hygiene best practices that CISOs should be managing anyway. Many such activities are cited by respondents as priorities for the coming year.
Zepto Head of Information Security Mariana Paun has many of these on her to-do list.
“My first priority is better logging and monitoring of our environment — that’s process as well as technology,” she reveals. “The second one is identity and access management in all aspects of it. How to uplift provisioning access, access reviews, and role-based access.”
Pantheon Platform’s Dzierzek points to vulnerability management as critical at a time when record numbers of CVEs are being published.
“I feel like because of the threat landscape we're in now, any kind of vulnerability, you need to understand all of your vulnerabilities,” he says. “Even if you can't or won't fix them, you need to know where they are.”
For SecurityScorecard CISO Steve Cobb, incident response and cross-team collaboration are key to improved vulnerability management.
“We have a world-class threat intelligence team that pulls that data. But it's a different activity to actually use that data and make sure you stay compliant with those vulnerabilities,” he says. “It’s about better communication and collaboration across our teams: knowing who owns what. While the infosec team can say, ‘We need to patch these vulnerabilities,’ we're not the ones that are going to do it.”
Given these challenges, some threats will always sneak through defenses. That’s why detecting and containing them is so important. It’s also why GetAround CISO Mel Reyes is devoting so much time to reducing alert noise for his threat analysts.
“It’s about identifying and reducing the number of alerts,” he explains. “Is the Logitech driver update a real issue? Is the traffic that's coming in from Madagascar a real issue? If I can start to reduce the noise for the teams, then they're not wasting their time…. It’s really important for teams to have that cross-visibility into some of the almost impromptu things that happen. Because if you keep your team separated, then you just cause more noise for them.”
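The two questions Reyes raises (is a vendor's driver update a real issue, is traffic from an unusual country a real issue) map onto two common alert-tuning techniques: suppressing activity that matches a maintained allowlist, and refusing to escalate a single weak signal unless a second, independent signal fires on the same host within a short window. The following is an added illustration of both, not code from the article or from Getaround or any other company quoted in it. The alert fields, the allowlist entries, the hosts, the timestamps and the 15-minute window are all hypothetical, constructed for the example.

```python
"""Alert-noise reduction over a constructed alert feed.

Added example, not code from the article or the companies it quotes.
All alerts, hosts, process names and thresholds below are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlist of known-benign activity. In production this would be
# keyed on the code-signing identity or file hash, not just the file name.
BENIGN_PROCESSES = {
    "LogiUpdate.exe": "Logitech signed driver updater",
    "GoogleUpdate.exe": "Google signed updater",
}

# Countries the constructed organisation almost never sees traffic from.
UNUSUAL_COUNTRIES = {"MG"}  # Madagascar

# A geo alert is only escalated if another, non-geo signal fires on the same
# host within this window (hypothetical value).
CORRELATION_WINDOW = timedelta(minutes=15)


def _is_benign_process(alert):
    return alert["type"] == "process" and alert["process"] in BENIGN_PROCESSES


def triage(alerts):
    """Return (kept, suppressed).

    Each kept alert gains a 'priority' ('high' or 'low') and a 'reason';
    each suppressed alert gains the allowlist 'reason' that matched it.
    """
    kept, suppressed = [], []

    # Index alerts per host so a geo alert can look for corroborating signals.
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)

    for a in alerts:
        # Technique 1: allowlist suppression of known-benign activity.
        if _is_benign_process(a):
            suppressed.append({**a, "reason": BENIGN_PROCESSES[a["process"]]})
            continue

        # Technique 2: a lone "unusual country" signal is low priority; the
        # same signal plus an independent, non-allowlisted alert on the same
        # host inside the window is escalated as a correlated finding.
        if a["type"] == "geo" and a["country"] in UNUSUAL_COUNTRIES:
            corroborating = [
                o for o in by_host[a["host"]]
                if o is not a
                and o["type"] != "geo"
                and not _is_benign_process(o)
                and abs(o["ts"] - a["ts"]) <= CORRELATION_WINDOW
            ]
            if corroborating:
                reason = f"unusual country plus {len(corroborating)} corroborating signal(s)"
                kept.append({**a, "priority": "high", "reason": reason})
            else:
                kept.append({**a, "priority": "low",
                             "reason": "unusual country, no corroboration"})
            continue

        # Everything else stays with the analysts at full priority.
        kept.append({**a, "priority": "high", "reason": "uncategorised; analyst review"})

    return kept, suppressed


# Constructed sample feed: two workstations, one benign updater, two geo
# alerts, and one unsigned binary that should make the second geo alert matter.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_ALERTS = [
    {"id": 1, "host": "ws-042", "ts": T0, "type": "process", "process": "LogiUpdate.exe"},
    {"id": 2, "host": "ws-042", "ts": T0 + timedelta(minutes=2), "type": "geo", "country": "MG"},
    {"id": 3, "host": "ws-117", "ts": T0 + timedelta(minutes=5), "type": "geo", "country": "MG"},
    {"id": 4, "host": "ws-117", "ts": T0 + timedelta(minutes=9), "type": "process", "process": "unsigned_tool.exe"},
]

if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_ALERTS)
    for a in suppressed:
        print(f"suppressed #{a['id']} on {a['host']}: {a['reason']}")
    for a in kept:
        print(f"{a['priority']:4} #{a['id']} on {a['host']}: {a['reason']}")
```

On the sample feed the Logitech updater is suppressed outright, the Madagascar alert on ws-042 is kept but downgraded because nothing else fired on that host, and the one on ws-117 is escalated because an unsigned binary ran there four minutes later. The point of the correlation step is that the geo signal is not thrown away, which is what a blanket country block would do; it is kept at low priority so the analyst still sees it if they go looking.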
Keeping calm and carrying on amidst all the noise — from the board, threat actors, regulators, and customers — has become the defining theme of the modern CISO’s role. Their ability to do so will no doubt be tested to the limit again in 2024.