Major cyberattacks are fast multiplying globally, impacting businesses, cities, and national governments. CISOs need insights to take a more effective, analytically driven approach to cybersecurity. In this increasingly dangerous digital-first world, they also need to collaborate with their peers and partners to bolster cyber protection across all levels of the company. Cybersecurity can no longer remain restricted to the IT department. CISOs need to be prepared for when, not if, they experience a breach.
To offer CISOs fresh thinking on how to weather the brewing cyber-storm, ThoughtLab is conducting a multi-client research program titled Cybersecurity Solutions for a Riskier Digital World. We asked experts and sponsors of the study to provide us with valuable decision support and best practices.
As security and resilience become top of mind for corporate boards, what do you see as the biggest change in the role of the CISO?
Larry Clinton, President/CEO Internet Security Alliance: CISOs need to vastly expand their skill set beyond technical expertise (which, of course, they must maintain). They need to lead a full integration of enterprise-wide security structures and help to develop a full culture of security and work far more collaboratively with other elements of the enterprise, such as audit, legal, human resources, public relations, and others. These all need to be integrated into an enterprise-wide risk management team, and the CISO needs to help lead that collaborative structure.
Steve Durbin, CEO, Information Security Forum: The role of the CISO varies significantly across industries, regions, and even individual organizations in terms of seniority, authority, budget, team size, and influence. Engagement with CISOs from ISF member organizations has revealed that CISO job descriptions do not accurately reflect the extent of the role being fulfilled. Roles often expand without additional funding, resources, or support. CISOs are increasingly being held responsible, and sometimes accountable, for circumstances beyond their control. The biggest change in the role of the CISO is the need for the individual to balance opportunity with risk and find their own voice within the organization.
Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: A broadening of the role to think more strategically about the business as a whole and the impact of cyber on the broader business and planning for resiliency outside of just the cybersecurity space.
Simon Chassar, Chief Revenue Officer, Claroty Inc: The biggest change in the role of the CISO is the need to be a business partner at the board level, protecting the organization’s corporate strategy, along with continued production of food or motor vehicles, acquisition or new market entry, the continuous delivery of safe healthcare with protected patient data, etc. and the need to be the secure digital transformation advisor while keeping the corporate strategy functioning securely.
Ravi Srinivasan, CEO, Votiro: Security leaders are business leaders first and IT leaders second. Successful security leaders are collaborating with the lines of business leaders in the company to secure new digital processes and enable secure user productivity.
Mandy Andress, Chief Information Security Officer, Elastic: The role of the CISO has become much more complex over the last 20 years. Responsibilities have grown from leading the team handling real-time threats and mitigation of attacks, to overseeing the security architecture and the protection of the corporate infrastructure, implementing security policies and management designed to foresee and address risk, and maintaining compliance with a growing population of regulations and industry requirements.
And, so-called “soft skills” have become just as important as technical skills. Creating resilience for a company is also about being a trusted communicator, understanding how cyber risks fit into the business overall, and building partnerships across the C-suite.
The pandemic has expanded enterprises’ attack surface area, posing greater threat and risk for possible opportunistic or malicious attacks. Ensuring a strong security program in a remote environment will be a top priority for CISOs in the next few years as they work closely with their peers across the leadership team to build employee awareness of security protocols, and invest in appropriate technology to meet the intricate needs of globally distributed organizations.
Gidi Cohen, CEO and Founder, Skybox Security: CISOs have a starring role in the new normal. Cybersecurity has become a central part of how businesses grow and operate. Their influence with the CEO and board has greatly increased. Radical change brings an opportunity for a dramatic shift in how organizations approach their security programs. The CISO role will no longer be primarily technical. CISOs will broaden their purview to include the ‘business’ of cybersecurity. The modern CISO will make the business case for cybersecurity initiatives and address overall business risk. They will also need to quantify the return on investment of those initiatives. CISOs will be highly knowledgeable about the state of cyber security and the threat landscape. They will share this knowledge with the board in business terms and build proactive security posture management programs that take this global picture into account.
Darren Thomson, Head of Cyber Intelligence Services, CyberCube: Culturally, the CISO needs to be capable of talking to a board of directors in a language that they understand in order to take a strategic, top-down approach to risk management in cyber. One of the challenges here is having the ability to translate cyber risk into financial terms. What will be the ROI from my invest in security? How much risk is the organization carrying? What is our preferred risk posture?
Which cybersecurity best practices should CISOs follow to succeed in today’s riskier world?
Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: I am a big fan of the Center for Internet Security’s (CIS) Critical Security Controls. Those controls map well to other standards and frameworks but for a strategic view of what a strong security program should accomplish, the CIS Critical Controls are a great starting point.
Larry Clinton, President/CEO Internet Security Alliance: The most important point is not to confuse regulatory compliance with actual security. The technical best practices probably ought to be a mixture of the various frameworks (NIST/ISO/FISMA, etc.) but need to be adjusted based on the uniqueness of the organization’s technology, culture, and business plan. However, the organizational best practices that are the most clearly documented as enhancing security are the ones outlined by the National Association of Corporate Directors in their cyber risk handbook (available free of charge at www.nacdonline.org).
Steve Durbin, CEO, Information Security Forum: Applying an approach which is business-centric, risk-based and value-driven. The ISF Standard of Good Practice (SOGP) provides an effective framework for information security policies, standards, and procedures, and is mapped to industry-recognised standards such as NIST CSF, ISO 27002, CIS Top 20, and PCI DSS.
Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: Start with the basics: patching, patching, patching! Limit/restrict access and require strong authentication mechanisms. Limit your blast radius—if something bad gets in, limit where it can go and what damage it can do.
Simon Chassar, Chief Revenue Officer, Claroty Inc: Answering this from the perspective of OT and IoT—understand the connected assets across their environment and supply chain to assess the inherent risks. Drive programs of increasing cyber posture across their estate; patches and updates to the latest firmware and versions; and secure connectivity. Apply the three lines of defense across their business and connected industrial environments with the first line of defense as the OT environment, second the SOC, and third the GRC with re-enforcement and governance of the audit committee.
Ravi Srinivasan, CEO, Votiro: Follow the data. CISOs need to shift their focus from infrastructure-centric security to Zero Trust Data Security. Understanding how business-critical data and IP are used in all the new digital processes will help security leaders focus on what matters: enabling secure user productivity and mitigating exposure to data breaches.
Mandy Andress, Chief Information Security Officer, Elastic: Every security program is unique to the company’s needs. When faced with new challenges, people often turn to new technology, but it’s security practitioners who develop new ideas, threat intelligence, and approaches to prevent bad actors from impacting the systems that are so important to keeping organizations functioning. At a high level, CISOs should consider the following best practices:
- Train your staff. Make it meaningful for your environment. There should be ready access to training materials as part of your onboarding process and at regular intervals throughout an employee’s tenure to help ensure your employees are up-to-date on the latest and greatest. After all, humans are the most vulnerable points in any security system.
- Test your system. Send test messages to help train your employees. Hire consultants or have an internal red team to find your weak spots and commit resources to fix those weak spots.
- Understand your data flows. Security teams first need to understand the data flows in their environments so they can ensure that their data only goes where it’s supposed to go. The tools and processes you use should also provide security metrics and, equally importantly, review the data you collect to identify any patterns that may indicate a security vulnerability or team that needs additional education.
The best security programs are simple but effective. It is the responsibility of security leaders to balance the people, processes, and technology to defend their organization. While it is important to choose the right cybersecurity technology, that investment should be proportional to the people running the products and the processes that define their work.
Gidi Cohen, CEO and Founder, Skybox Security: Avoid the avoidable. There is no excuse not to fix a known vulnerability that is exploitable. Many of the attacks over the past few years were caused by bad actors who exploited known vulnerabilities that organizations had enough time to deal with prior to the breach. By proactively conducting exposure analysis, organizations can identify exploitable vulnerabilities and correlate them with their unique infrastructure configuration and security controls to determine where cyber-attacks pose the highest risk.
Darren Thomson, Head of Cyber Intelligence Services, CyberCube: There are any number of standards, regulations and best practices that can be followed and organizations need to focus on those that their specific geographies, regulatory specifications and vertical nuances dictate. As a good, general guidance, the NIST and ISO cyber security standards are a good place to start.
What single piece of advice would you offer CISOs as they aim to secure their organizations against future cybersecurity threats?
Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: Ensure your security journey has commitment from the highest level of your organization’s leadership chain. Developing and implementing a strong security model that enables the business requires commitment from all parts of the organization. Ensure you have the necessary support from above and across your organization.
Larry Clinton, President/CEO Internet Security Alliance: CISOs need to embrace some of the modern cyber risk management tools such as FAIR or X-Analytics that move beyond the traditional check-the-box models favored by regulators. While these compliance regimes may be necessary, the effective CISO will be using these more progressive risk assessment tools that include analysis of the economics of cybersecurity and ties security procedures more closely to the organization’s risk appetite.
Steve Durbin, CEO, Information Security Forum: Engage proactively with stakeholders at all levels inside the organisation—e.g., be forthcoming with the business, drive the conversation with the board, fight for time beyond quarterly meetings where cyber is only a small part of the agenda, help address and answer difficult questions regarding cyber, and demystify misconceptions.
Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: Focus on the basics of good cyber hygiene. Once the foundations are in place, you can build on top of that to address specific types of threats or tools needed to address unique requirements your business may have.
Simon Chassar, Chief Revenue Officer, Claroty Inc: Implement best of breed control technology. Prioritize risk management and identify critical assets that drive business continuity and minimize business operational risks. Address both your baseline cyber posture, GRC, and monitor the environment for threats. Increase your cyber skills capability and increase cyber awareness training for non-cyber personnel. Leverage the latest threat intelligence and do tabletop exercises on breaches or attacks, including negotiation training with mal actors.
Ravi Srinivasan, CEO, Votiro: Outsource security operations and response so that you can free up resources to focus internal efforts on securing data and the usability of new digital business services. Evaluate any new security technologies based on usability for new digital businesses, open APIs for ease of IT integrations, and simplifying operational support.
Mandy Andress, Chief Information Security Officer, Elastic: Focus on the basics. The fundamentals of security hygiene for any environment are still the best protection to today’s threats. Change defaults, disable unnecessary services, default deny inbound network traffic, and patch!
Gidi Cohen, CEO and Founder, Skybox Security: Don’t focus on threats; focus on vulnerabilities. Threats are changing all of the time, are out of your control, and most are irrelevant to your organization considering your security posture. However, all of your vulnerabilities are yours to address. Focus on what you can control, such as eliminating exposure to cyber risk. This includes assessing, prioritizing, and remediating vulnerabilities on time to avoid a breach. It also includes tightening processes and implementing automation to ensure you don’t open your organization to new risk through misconfigurations or making policy changes without validation.
Darren Thomson, Head of Cyber Intelligence Services, CyberCube: Enlist help from specialists. Do not try to do everything yourselves. Make sure that you have access to world-class solutions, threat intelligence and data through carefully selected partnerships.
What is the largest mistake that CISOs should avoid making in the future?
Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: While the concept of a “Zero Trust” security model sounds good and everyone agrees, it is a complex journey that is not easy or cheap. The biggest mistake a CISO should avoid is thinking that Zero Trust can be achieved with just a new technology solution. Reworking the existing security architecture to incorporate more micro-segmentation, continuous monitoring and analysis, and attribute-based adaptive authentication will be a significant investment.
Steve Durbin, CEO, Information Security Forum: Overestimating or making assumptions regarding the organization’s cyber resilience capabilities and, thus, not testing them (i.e., not conducting regular assurance activities such as cyber simulation exercises).
Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: Avoid thinking that all your employees need to come from a traditional IT, computer science, or data management background and that they need a four-year degree. We need creative problem solvers—hackers do not restrict who can hack! We need to be as “open minded” about the resources we employ to fight the good fight, as the threat actors are about fighting to bring us down.
Simon Chassar, Chief Revenue Officer, Claroty Inc: Assuming that they will not be breached, attacked, or be a victim of a supply chain impact.
Ravi Srinivasan, CEO, Votiro: CISOs maintain their responsibilities to govern security policies and compliance, while the lines of business continue to rapidly innovate, migrate, and adopt new technologies and multi-cloud services. CISOs should partner with the business leaders to balance modernizing mid-/long-term initiatives (often infrastructure-centric) with near-term initiatives (data-centric) to secure digital business enablement.
Mandy Andress, Chief Information Security Officer, Elastic: Learning from my own mistakes, focus on people first. I have always looked at security as the equal combination of people, process, and technology. While I talked about them in that order, I usually focused on technology first, then process, and people last. No technology can fully protect an organization in today’s environment. Having the right people in the right roles that can creatively apply technology to your environment, adapt defenses to new threats, and communicate to your users with a high degree of empathy will further the success of your program more than any technology or process.
Gidi Cohen, CEO and Founder, Skybox Security: Don’t underestimate what is required to transform cybersecurity programs. Buying more point products won’t solve your problems. This creates a false sense of security. Instead, you should focus on maturing your security programs to a place where it is at least properly managed and monitored, if not continuously optimized and improved. Tighten your processes to manage the products you do have, ensure you are getting the full value from those products and put the right talent in place to manage your entire security estate.
Darren Thomson, Head of Cyber Intelligence Services, CyberCube: Taking a “technology first” approach to risk mitigation. Start with business strategy, governance and gap analysis. Technology needs to be deployed in line with these and not in a reactionary way.