A decade ago, those now referred to as CISOs were not considered nearly as important as they are today. Nowadays, the same people get a dedicated seat on the board, and CEOs ask them important questions and weigh their responses. The tone of these questions has also changed. They’re now along the lines of: Can you provide insight into whether or not we can buy this company? If you wouldn't mind, can you prepare metrics regarding our cyber posture to present to our stakeholders next week?
Alain Sanchez, EMEA Field CISO at Fortinet, says this change in attitude shows how the CISO has become more deeply involved in decision-making, and that when innovation is involved, the CISO is consulted. Far from being the ‘Doctor No’ of the past, the CISO has become a source of inspiration for innovation, rallying data analysts and software developers under the same banner of secure operations.
A financial burden
As organisations spend more and more of their budgets on protecting against an expanded risk landscape, the financial burden is becoming painfully apparent, says Yoran Sirkis, CEO and co-founder at Seemplicity. “Despite the increase in risk, only 10% of organisations had a higher budget for cybersecurity in 2022 and are still struggling to have an effective and robust cyber posture.”
He says a recent survey found that 70% of companies felt their security budget is being wasted by failing to remediate enough. With the economic downturn and risk of recession, the CISO is going to have to continue to protect the company without any budgetary increases.
Sanchez thinks the CISO role is going to continue to evolve.
“With more risk, more visibility, and more leadership, the role of the CISO becomes much more interesting, embracing every key department of the company, including the lines of production,” he says. “The CISO should keep in mind a holistic approach when considering the benefits of the solutions. They must be fluent in articulating these benefits and expressing them in terms of risks so that the stakeholders understand that the pros outweigh the cons.”
Today’s CISO is not only an expert in technologies, but is also a strategist, an influencer, and a source of inspiration throughout the entire value chain.
Alain Sanchez, Fortinet
Sanchez adds that about 60% of cybersecurity transformation projects are thought to fail because of a lack of user adoption.
“Policies that change the way people work, such as teleworking, ZTNA, or DevOps need to be explained before they are enforced. Explaining the ‘why’ of cybersecurity becomes just as important as implementing the ‘how’. Today’s CISO is not only an expert in technologies, but is also a strategist, an influencer, and a source of inspiration throughout the entire value chain.”
Sirkus believes CISOs should also be making increasingly more use of automation in remediation workflows and should have a clear view of the company’s IT estate. As he says, better visibility should mean a quicker response to threats.
Katie McCullough, CISO of Panzura, says while the role will always be primarily about risk mitigation, it’s also important for CISOs to think creatively to support the business as a whole.
Leaders of change
Today, CISOs serve as leaders of change and enablers of digital innovation, says Sanchez. Digital innovation requires businesses to bring together data, applications, and users in a secure way, across distributed and complex digital and hybrid environments. Cyber risk also continues to escalate, and more complex and sophisticated threats have become ubiquitous, which makes it challenging for CISOs to stay one step ahead of their adversaries.Sanchez says a holistic approach to security is needed, and this means building an architecture that is broad enough to embrace all of the newcomers, such as operational technology, multicloud, and containers.
“This convergence helps organisations to resolve the dilemma between digital innovation and security in an integrated way.”
More risks and vulnerabilities, combined with the global shortage of skilled cyber staff, make every day more complex than the last, says Sirkis. “One of the biggest challenges they’re facing is dashboard fatigue due to the numerous scanners and tools they use, producing endless findings. This can result in a delay in remediation.”
Most breaches in organisations are a result of risks that have already been flagged, Sirkis adds, and could have been avoided if resolved on time. However, CISOs and security teams are struggling to evaluate, prioritise, and assign remediation tasks efficiently and are often overwhelmed.
CISOs face the challenges of ensuring data is secure and that it’s available to those who need it, says McCullough. “The rise in remote working, coupled with the adoption of cloud services, has widened the attack landscape considerably. It’s not that cloud services aren’t secure – they are – but they represent a shift in accountability towards a model of shared responsibility. Not only do businesses need to understand their role in managing their environment, they must also understand the wider threat landscape so they can be agile in reacting to new threats.”
As to trends, Sanchez says he’s seeing some convergence taking place in areas such as IT and OT and that cyber criminals are adopting models traditionally seen among APT groups.
He’s seeing a convergence of security and the network. New and advanced solutions, such as AIOps, integrated zero-trust network access, and AI-enhanced outbreak detection are made more efficient through the convergence of security and network functions into a single platform. CISOs are now getting a budget, Sanchez says, and can hire their own teams. Their responsibilities have also widened, and can now include the remote work policy, the collaborative database, legal reporting, and even the development roadmaps of core applications.
McCullough is seeing some trends with data.
“We know the data is at risk, so data protection and data recovery have to be the two major priorities for all businesses, regardless of size or sector.We need a more proactive, intelligent approach to keep data safe. Right now, the most damaging aspect of a ransomware attack is not the ransom demand itself; it’s the cost and disruption associated with recovery. Businesses that can boost their resilience to the point that they bounce back from an attack in seconds have much less to fear from the attack itself.”
Paradox of protection
When it comes to what keeps CISOs up at night, Sanchez says the paradox of fostering innovation while at the same time providing protection is his chief concern. “It’s a paradox because an information system is designed to connect, while a cyber strategy has to protect. The volume, the sophistication, and scale of the attacks create a permanent stress as cybercrime-as-a-service targets both edge devices and core data.”
My aim is to stay one step ahead of the bad actors and prevent the chain of events from happening in the first place.
Katie McCullough, Panzura
He says there is at least one positive aspect of the industrialisation of cyber attacks as malicious tactics and tools are reused, making them easier to detect and counter. And every attempt to penetrate a network creates a precedent.
The cybersecurity skills gap continues to be a serious problem for CISOs worldwide. According to the Fortinet 2022 Cybersecurity Skills Gap Report, the organisations surveyed say the skills gap has contributed to 80% of breaches. Inadequately trained employees and short-staffed teams are making it difficult for companies to keep their critical digital assets safe from threats, which is why cybersecurity awareness and training, among other things, are critical parts of any CISO’s security strategy to protect against threats.
For McCullough the question is, where are the risks? “Unfortunately, the MITRE ATT&CK list continues to grow, so, objectively, we know the risks are expanding. However, as a CISO, it’s your responsibility to evaluate them all and understand to what extent they threaten your organisation.
He says that major cyber attacks – such as ransomware attacks – grab the headlines, but the reality is that for a threat to take hold requires a whole chain of events to have taken place, usually starting with a phishing campaign.
“My aim is to stay one step ahead of the bad actors and prevent the chain of events from happening in the first place.”
* This feature was first published in the February edition of ITWeb's Brainstorm magazine.
Share