The presence of each third-party application increases the potential for attacks, particularly when end users install them without proper oversight or approval. IT security teams face challenges in obtaining comprehensive knowledge about the apps connected to their corporate SaaS platforms, including their permissions and activities.
In this Help Net Security video, Matt Radolec, Senior Director, Incident Response and Cloud Operations at Varonis, offers advice for CISO-level executives to enhance the security of corporate cloud data.
Chief Information Security Officers (CISOs) hold a critical and challenging role in todayâs rapidly evolving cybersecurity landscape. Here are the common security challenges CISOs face.
As organizations increasingly rely on technology to drive their operations, CISOs face complex security challenges that demand their expertise and strategic decision-making.
These challenges arise from the constant emergence of sophisticated cyber threats, the need to protect sensitive data, and the ever-evolving regulatory landscape.
The role of a CISO requires balancing proactive risk mitigation with the ability to respond swiftly to incidents and breaches.
This article will delve into the top challenges CISOs face, including protecting digital assets, managing security incidents, ensuring compliance, dealing with insider threats, and the relentless pursuit of cyber resilience.
By understanding these challenges, CISOs can develop robust cybersecurity strategies and lead their organizations toward a secure and resilient future.
Who is a CISO?
Chief Information Security Officer (CISO) is a senior executive responsible for overseeing and administering an organizationâs information security plan.
A CISOâs primary responsibility is safeguarding the confidentiality, availability, and integrity of an organizationâs information assets and systems.
They are accountable for creating and enforcing strategies, policies, and procedures to defend against cyber threats, protect sensitive data, and mitigate security risks.
CISOs play a crucial role in maintaining an organizationâs security posture by establishing and enforcing security standards, conducting risk assessments, and implementing appropriate security controls.
They collaborate with other executives, IT teams, and stakeholders to align security initiatives with business objectives and ensure that security measures are integrated into the organizationâs operations.
In addition to their technical expertise, CISOs often engage in risk management, incident response planning, security awareness training, and compliance with regulatory requirements.
They stay updated on the latest cybersecurity trends, threats, and technologies to address emerging risks and implement appropriate security measures effectively.
The role of a CISO has become increasingly important as cyber threats evolve in complexity and frequency.
CISOs are responsible for safeguarding the organizationâs sensitive information, maintaining the trust of customers and stakeholders, and ensuring business continuity in the face of cybersecurity challenges.
What are all the Roles and Responsibilities of CISO?
Developing and Implementing Information Security Strategy: The CISO is responsible for developing and implementing an overarching information security strategy aligned with the organizationâs business objectives. This includes setting security goals, defining security policies and procedures, and establishing risk management frameworks.
Leading the Security Team: The CISO manages and provides leadership to the security team, including hiring, training, and supervising security personnel. They ensure the team has the necessary skills, resources, and support to carry out their responsibilities effectively.
Overseeing Security Operations: The CISO oversees day-to-day security operations, including incident response, vulnerability management, threat intelligence, and security monitoring. They ensure appropriate controls, technologies, and processes are in place to protect the organizationâs assets.
Risk Management: The CISO is responsible for identifying and assessing security risks to the organizationâs information systems and assets. They develop and implement risk management strategies to safeguard critical data and systems, including risk mitigation, transfer, and acceptance.
Compliance and Regulatory Requirements: The CISO ensures that the organization complies with relevant security regulations, industry standards, and legal requirements. They stay updated on emerging regulations and ensure appropriate controls and processes are in place to meet compliance obligations.
Security Incident Response: The CISO leads the organizationâs response to security incidents, including data breaches, malware attacks, and other security breaches. They establish incident response plans, coordinate efforts, and collaborate with relevant stakeholders, such as legal, PR, and law enforcement agencies.
Security Awareness and Training: The CISO promotes a culture of security awareness throughout the organization. They develop and deliver security awareness programs and training initiatives to educate employees on security best practices and minimize human-related security risks.
Vendor and Third-Party Risk Management: The CISO assesses and manages security risks associated with third-party vendors and partners. They establish vendor security requirements, conduct due diligence, and monitor compliance with security standards and contractual obligations.
Security Governance and Reporting: The CISO provides regular reports and updates on the organizationâs security posture to executive management, board members, and other relevant stakeholders. They ensure that security metrics and key performance indicators (KPIs) are established to measure the effectiveness of security programs.
Incident Investigation and Forensics: In the event of security incidents, the CISO oversees the investigation and forensic analysis to identify the root cause, assess the impact, and prevent future occurrences. As required, they collaborate with internal and external resources, such as forensic experts and law enforcement agencies.
Security Challenges CISOs Face
CISOs face various common security challenges as they strive to protect their organizationsâ digital assets and information. Perimeter 81 Guide helps CISOs to prevent their network from being at Risk. Some of the key challenges they encounter include:
Sophisticated Cyberattacks: CISOs must defend against increasingly sophisticated cyber threats, including advanced persistent threats (APTs), ransomware attacks, social engineering, and zero-day exploits. These attacks can bypass traditional security measures and require constant vigilance and adaptive security strategies.
Insider Threats: CISOs need to address the risks posed by insiders, including employees, contractors, or partners who have authorized access to systems and data. Insider threats can involve accidental data breaches, negligence, or malicious intent, requiring a balance between enabling productivity and implementing controls to prevent unauthorized access or data leakage.
Compliance and Regulatory Requirements: CISOs must ensure their organizations comply with industry-specific regulations, such as GDPR, HIPAA, PCI-DSS, or SOX, and evolving privacy laws. Navigating complex compliance requirements and maintaining a robust security posture to meet these standards can be a significant challenge.
Cloud Security: As organizations increasingly adopt cloud services and infrastructure, CISOs must address the unique security challenges associated with cloud computing. This includes securing data stored in the cloud, managing access controls, and ensuring the security of cloud service providers (CSPs) and their environments.
Security Skills Gap: CISOs often need more skilled cybersecurity professionals. The industryâs rapid growth and evolving threat landscape have resulted in high demand for cybersecurity talent, making recruiting and retaining qualified professionals challenging.
Third-Party Risk: Organizations rely on third-party vendors and suppliers, introducing potential security risks. CISOs must assess the security posture of third parties, establish contractual security obligations, and monitor their adherence to security standards to mitigate the risk of breaches through these external connections.
Security Awareness and Training: Human error remains a significant factor in cybersecurity incidents. CISOs must promote a strong security culture, provide regular training and awareness programs, and educate employees about cybersecurity best practices to minimize the risk of social engineering, phishing attacks, and other user-related vulnerabilities.
Incident Response and Recovery: CISOs must develop and test robust incident response plans to manage and recover from security incidents effectively. This involves identifying and containing breaches, conducting forensic investigations, and implementing remediation measures to minimize the impact and prevent future incidents.
Emerging Technologies: Adopting technologies like the Internet of Things (IoT), artificial intelligence (AI), and blockchain introduces new security challenges. CISOs must understand the security implications of these technologies, assess risks, and implement appropriate controls to protect against potential vulnerabilities and attacks.
Budget and Resource Constraints: CISOs often face budget limitations and the need to prioritize security initiatives. Balancing the allocation of resources to address immediate security needs while investing in long-term security capabilities can be a significant challenge.
What are the Security Compliance CISO Should Follow
As a Chief Information Security Officer (CISO), there are several security compliance frameworks and regulations that you should consider following, depending on the nature of your organization and its operations. Here are some of the key security compliance frameworks and regulations:
General Data Protection Regulation (GDPR): If your organization deals with the personal data of individuals in the European Union (EU), GDPR sets requirements for the protection, processing, and transfer of personal data. It includes principles for data minimization, consent, data breach notification, and the rights of individuals.
Payment Card Industry Data Security Standard (PCI DSS): PCI DSS applies to organizations that handle credit card information. It sets requirements for securing payment card data, including network security, encryption, access controls, and regular vulnerability assessments.
Health Insurance Portability and Accountability Act (HIPAA): HIPAA applies to organizations in the healthcare industry that handle protected health information (PHI). It establishes requirements for the privacy and security of PHI, including access controls, encryption, risk assessments, and breach notification.
Sarbanes-Oxley Act (SOX): SOX applies to publicly traded companies in the United States. It sets requirements for financial reporting and establishes controls and processes to ensure the accuracy and integrity of financial statements. While not solely focused on security, it includes provisions for protecting financial data.
National Institute of Standards and Technology (NIST) Cybersecurity Framework: The NIST Cybersecurity Framework provides guidelines and best practices for managing cybersecurity risks. It covers risk assessment, security controls, incident response, and continuous monitoring.
ISO 27001: ISO 27001 is an international standard that provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It covers various aspects of information security, including risk management, access controls, incident management, and security awareness.
Federal Information Security Management Act (FISMA): FISMA applies to U.S. federal agencies and sets requirements for securing federal information and systems. It mandates risk assessments, security controls, incident response planning, and continuous monitoring.
Security Challenges CISOs Face to Manage Security Team
Managing a security team as a Chief Information Security Officer (CISO) requires effective leadership, communication, and coordination. Here are some key aspects to consider when managing a security team:
Establish Clear Roles and Responsibilities: Clearly define the roles and responsibilities of each team member to ensure everyone understands their specific duties and areas of expertise. This clarity helps streamline operations and avoid confusion.
Set Goals and Objectives: Define strategic goals and objectives for the security team aligned with the organizationâs overall security strategy. Communicate these goals to the team and regularly track progress to ensure everyone is working towards the same objectives.
Provide Guidance and Mentorship: Offer team members guidance, mentorship, and professional development opportunities. Encourage skill development, certifications, and staying up-to-date with the latest security trends and technologiesâsupport team members in their career growth.
Foster Collaboration and Communication: Promote a collaborative and open communication culture within the team. Encourage knowledge sharing, cross-functional collaboration, and effective communication channels. Regular team meetings, brainstorming sessions, and updates are valuable for aligning efforts.
Support Decision-Making: Empower team members to make decisions within their areas of responsibility. Provide guidance and support when needed, but encourage autonomy and ownership in decision-making. Foster an environment where team members feel comfortable taking calculated risks.
Establish Incident Response Procedures: Develop clear incident response procedures and ensure the team is well-prepared to handle security incidents effectively. Conduct regular drills, tabletop exercises, and simulations to test and improve the teamâs incident response capabilities.
Stay Informed and Adapt: Stay up-to-date with the latest security threats, industry trends, and best practices. Encourage continuous learning and professional development for the team. Adapt security strategies and measures as the threat landscape evolves.
Collaborate with Other Departments: Work closely with other departments, such as IT, legal, HR, and executive management, to ensure security initiatives are aligned with business objectives and integrated into overall organizational operations. Build relationships and foster a culture of security awareness throughout the organization.
Regularly Evaluate and Improve: Regularly evaluate the teamâs performance, processes, and procedures. Collect feedback from team members and stakeholders to identify areas for improvement. Implement changes and adjustments as necessary to enhance the teamâs effectiveness and efficiency.
Lead by Example: Demonstrate strong leadership skills, integrity, and a commitment to security best practices. Lead by example in adhering to security policies and procedures. Encourage a positive and supportive work environment.
Final Thoughts
CISOs face many common security challenges as protectors of their organizationâs digital assets and information.
From sophisticated cyberattacks and insider threats to compliance requirements and resource constraints, these challenges highlight the complex and evolving nature of the cybersecurity landscape.
CISOs must navigate these challenges by adopting a proactive and strategic approach to security, leveraging advanced technologies, fostering a strong security culture, and collaborating with stakeholders.
To overcome these challenges, CISOs must stay abreast of emerging threats, continuously evaluate and improve their security measures, and prioritize investments in critical security capabilities.
They must also foster strong partnerships with internal teams, third-party vendors, and industry peers to collectively address security challenges and share best practices.
While the security challenges CISOs face may seem daunting, they also present opportunities for innovation and growth.
By effectively addressing these challenges, CISOs can enhance their organizationsâ security posture, safeguard critical assets, and instill confidence in customers and stakeholders.
Ultimately, the role of a CISO requires a comprehensive and adaptable approach to cybersecurity, where staying one step ahead of threats and continuously improving security measures are paramount.
By embracing these challenges, CISOs can help shape a secure and resilient future for their organizations in an increasingly interconnected and threat-filled digital landscape.
In the wake of the ex-Uber CISO verdict, CISOs ask for clearer rules and less uncertainty in managing disclosures, amid jail-time fears.
Getting cybersecurity incident disclosure right can mean the difference between prison and freedom. But the rules remain woefully vague.
Chief information security officers (CISOs) and their teams know there’s a certain amount of risk intrinsically baked into the job. But the recent sentencing of former Uber CISO Joseph Sullivan for his role in covering up a 2016 data breach at the company has significantly upped the ante.
SolarWinds CISO Tim Brown survived one of the most spectacular security breaches in history in 2020 inan epic supply chain attack, and emerged on the other side with the business â and his professional reputation â intact. In an interview with Dark Reading, he explained that CISOs are asking for clarity on rules around disclosures. The Federal Trade Commission (FTC) has rules, and beyond that, there is a vast and evolving mousetrap of rules, regulations, executive orders, and case law dictating how and when disclosures need to occur, and that’s before anyone considers the impact of an incident on the business.
“Liability is something that has CISOs concerned,” Brown says. “It’s a concerning time and creates stress and angst for teams. We want to be covered.”
A court found Uber’s Sullivan guilty of working to cover up the breach from FTC investigators, as well as trying to keep the breach secret from other Uber executives. Brown acknowledges that Sullivan made the mistake, in the view of the court, of trying to make disclosure decisions unilaterally, without legal guidance, which left him open to prosecution.
Sarbanes-Oxley Act for CISOs?
To avoid making such mistakes, CISOs need something in the mold of the 2002 Sarbanes-Oxley Act, which details financial reporting regulations for chief financial officers (CFOs), Brown says.
In the same way Sarbanes-Oxley prescribes steps that CFOs are expected to take to prevent financial fraud, Brown says that he would like to see new federal regulations that outline CISO requirements for preventing and responding to cybercrime on their watch.
The stakes are high: While Sullivan was only sentenced to three years’ probation for his role in attempting to bury Uber’s data breach, Judge William Orrick used Sullivan’s hearing as an opportunity to send a chilling warning to the next CISO unfortunate enough to find themselves in his court.
“If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison,” Judge Orrick said to Sullivan. “When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off.”
Disclosure Maze
The litany of hazy rules and emerging guidelines doesn’t provide CISOs and cybersecurity teams with a clear path to compliance, meaning in-house counsel and outside legal advisers have become essential in helping organizations navigate the disclosure process maze.
“Enterprise security teams do not exist in a vacuum when it comes to evaluating disclosure of data breaches and security incidents,” says Melissa Bischoping, director of endpoint security research at Tanium, on the current disclosure landscape. “Their responses must be coordinated with legal and communications stakeholders to ensure they are meeting regulatory and legal requirements, and providing the appropriate level of information to the right consumers of the information.”
Beth Waller, an attorney and chair of cybersecurity and data privacy at Woods Rogers Vandeventer Black, says oversight bodies as well as consumers are driving cybersecurity incident transparency â and shrinking acceptable disclosure windows.
Waller points to a grab bag of regulations pushing disclosures, such as the Security and Exchange Commission’s demand for immediate data incident disclosure for publicly traded companies, as well as federal regulations on sectors like banking, healthcare, and critical infrastructure demanding disclosures within days of its discovery. Department of Defense contractors must notify the DoD of an incident within 72 hours, she points out.
“For international companies, regulations like the Europe’s General Data Protection Regulation (GDPR) drive similar timelines,” Waller says. “More and more, a company that wants to keep a data incident quiet cannot do so from a regulatory or legal standpoint.”
Disclosure Dangers
As pressure mounts on enterprise cybersecurity teams to disclose quickly, Dave Gerry, CEO of Bugcrowd, acknowledges the value of transparency for trust and the flow of information, but explains he is also concerned that rapid disclosure could rob security teams of priceless time to respond properly to cyberattacks.
“Incident disclosure needs to allow for the opportunity for the security organization to rapidly patch systems, fix code-level vulnerabilities, eject attackers, and generally mitigate their systems prior to publicly disclosing details ensure additional security incidents donât come as a result of the disclosure,” Gerry adds. “Identifying the root cause and magnitude of the incident to avoid adding additional fear and confusion to the situation takes time, which is an additional consideration.”
Data ‘Duty of Care’ Defined
Making things more confusing, US state attorneys general are pushing for tougher regulations around cybersecurity incident disclosures, leaving each state with its own unique disclosure landscape riddled with broad, ill-defined requirements like taking “reasonable” actions to protect data.
Veteran CISO and VMware cyber strategist Karen Worstell notes that Colorado AG Philip Weiser took an important step toward clarifying CISO obligations last January, when he offered a definition of “Duty of Care” rules under the Colorado Privacy Act requiring reasonable action be taken to protect personal data.
According to Weiser, the definition was informed by actual cases that have come through his office, meaning it reflected how prosecutors viewed specific data breaches under their jurisdiction.
“First, we will evaluate whether a company has identified the types of data it collects and has established a system for how storing and managing that data â including ensuring regularly disposing of data it no longer needs,” Weiser said in prepared remarks regarding data breach rules. “Second, we will consider whether a company has a written information security policy. For companies that have no such policies or have ones that are outdated or exist only in theory with no attempt to train employees or comply with the policy, we will view more skeptically claims that their conduct is reasonable.”
Waller applauds Weiser’s move to clarify disclosure rules in his state. In Colorado, as well as Virginia, the attorney general has the sole authority to hold someone liable for breaking state privacy laws.
“Colorado Attorney General Weiser’s comments provide helpful background on the security considerations state attorney generals will consider in looking at bringing violations under these new data privacy laws,” Waller says.
Despite such strides forward, for now the rules still leave plenty of room for enterprise cybersecurity teams to get it wrong.
“The current emerging cacophony of new state privacy regulations, coupled with a hodgepodge of state data breach laws, means that we can hope a federal privacy law would eventually address the need for uniform guidance for entities experiencing a data breach,” Waller says.
“In the absence of federal guidance, the legal landscape remains simply complex,” Waller adds.
The slow churning of courts, regulatory bodies, and legislatures means it’s going to take time for all parties to get on the same page. But SolarWinds’ Brown expects more standardized rules for CISOs and their organizations to likely emerge over the next five or so years. In the meantime, he suggests keeping legal teams closely involved in all cyber incident responses.
“It will be evolving, and we will get crisper,” Brown says. “Iâm hopeful.”
CISOs can and should push back when they’re presented with budget costs that affect the business. Here’s how.
Today’s enterprise security executives face situations that could really hurt the company’s bottom line. Security teams are trying to modernize security operations in an increasingly porous network environment with ever more sophisticated threats. There are also economic pressures from layoffs, budget cuts, and restructuring.
Even worse, CFOs have heard from CISOs the doom-and-gloom predictions of the potential fiscal disaster of data breaches so often that it’s no longer resonating with them.
The doomer scenario is not hypothetical â global compliance requirements and privacy regulations drive the cost of a breach even higher than just the technical costs. However, CFOs and other C-level executives have heard these warnings so often now that it’s just background information that doesn’t drive their decision making.
Is there a more effective way to help the CFO understand why security needs to be far better funded? Yes: Present the CFO with a shared-risk scenario.
Setting Protection Priorities
Allan Alford, who was a CISO in various industries including technology, communications, and business services before morphing into a CISO consultant, says CISOs should use a different approach to describe cybersecurity issues to the CFO. They should begin by asking the CFO to identify the six most important strategic elements of the business â possibly including the supply chain, manufacturing operations, sensitive future product plans, etc. â then detail their plans for protecting each of those critical areas, Alford says.
The CISO can present the situation to the CFO in the following manner: “Thanks for sharing those priorities. Now, you are saying we need to cut the security budget by 37%. Given the state of the economy in our sectors, that is completely understandable. To make the cuts possible, can you tell me which of these six areas I should stop protecting? We will also need to bring in the line-of-business executive so that you can explain how these changes will impact that area.”
Historically, CISOs, CSOs, CROs, and other security-adjacent executives have been good soldiers, accepting the CFO-ordered cuts and deciding where changes have to be made, Alford says. This conflicts with the CISO’s job: to protect the company â including all intellectual property and all assets.
If the CFO decides to cut back security funding, they need to work with the COO, the CEO, the board, and other senior executives to decide which operations they can afford to not protect. It should not be left to the CISO to make those calls or defend the choices.
In fairness, the decision is rarely black-and-white. But if the CISO positions the budget decisions in this manner, the CFO will see the actual business impact the reductions would have. When the CFO is forced to decide where the cuts will happen and to choose which top-priority division is left undefended, the conversation shifts, Alford says. The CISO can say to the CFO, “We’ll jointly figure out what risks are tolerable, but make no mistake: A 37% cut will put various units at extreme risk. Can the business afford that deep a cut in our defenses?”
The CISO can present cost-effective alternatives to reduce security defenses, rather than eliminating them entirely. Now there is the possibility of negotiating a smaller budget cut. Maybe that 37% cut becomes a 23% cut.
Negotiating as a Group
The conversation shouldn’t begin and end with the CFO, says Daniel Wallance, an associate partner with McKinsey. It should involve the board’s risk committee, the CEO, the COO, and other colleagues who have a role in security spending, such as the CIO and the CRO.
“There is also spend coming from risk management [and] compliance on top of IT. I would engage those functions, as they have shared [security] responsibility and they may actually have dedicated resources,” Wallance says. “I need this to not be a one-on-one conversation. I want to make it a group.”
These conversations with other security executives should happen before and after the CFO meeting, but not during.
The CISO needs to meet with the other security players before meeting with the CFO to learn what overlaps and redundancies currently exist. The CISO also needs to know how much budget flexibility those other executives are willing to offer. That will be crucial information to have while working with the CFO. After meeting with the CFO, the CISO can go back to the other executives and see what they can negotiate as a group.
The actual CISO-CFO meeting should be just the two executives, to avoid making the CFO feel ganged up on. The discussion should be as friendly as possible to allow for reasonable compromises.
Involving the board’s risk committee is critical, as it is ultimately the board’s role â working with the CEO â to dictate the company’s risk tolerance. If the CFO’s requested budget reductions conflict with that risk tolerance, the board needs to know about it.
“The CISO should be meeting with the risk committee regularly,” Wallance says. “The business may not understand the implications of the budget cut. The CFO is not the only person at issue here.”
Adapting to Market Conditions
Larger trends in the economy also affect CISO budgetary needs.
There is a realistic existential threat to cyber insurance, the net that CFOs have relied on for more than 20 years. Lloyds of London said that it would stop covering the losses from state actor attacks, which is problematic given how difficult it is to prove an attack’s origin and who funded it. Insurance giant Zurich warned it might abandon cyber insurance entirely. And an Ohio Supreme Court decision raised the prospect of other cyber insurance limitations. Those changes could sharply increase the pressure on the CFO to better fund security, given that the enterprise will now be on the hook for the full amount of damages.
A complicating factor is the much-ballyhooed cybersecurity talent shortage. Whether the gap is as big as some say, it’s true that the cost of talent today is higher than what most budgets allow. So, yes, you will have difficulty finding qualified people, but increase the salary enough and, poof â no more talent shortage.
Richard Haag, the VP for compliance services at consulting firm Intersec Worldwide Inc., maintained that the difficulty in acquiring sufficiently experienced talent is a powerful argument in those CFO discussions.
“[I]n security, labor is about the only thing that can possibly be cut. You can’t just swap out firewalls. These agreements are locked in,” Haag says. “You need to say ‘I can barely protect your top strategic areas now. With the cuts you want, I simply won’t be able to defend your top targets and certainly not your not-so-top targets. I need more people, certainly not fewer people.'”
Alford also suggests the CISO point out how they negotiate lower vendor costs. Document it and share it with the CFO to demonstrate that the budget is being spent wisely.
“Demonstrate your efficiencies by driving vendor discounts as low as you can get them to go. CFOs want to know the money is being well spent, and ‘we got a heck of a deal’ does that well,” Alford says.
Finally, the CISO can also make the case for better security delivering more revenue. Does higher security investment make prospective customers more comfortable? Is lack of security making some existing customers leave? For example, if a financial institution chooses to reimburse customers in all fraud situations â rather than what most FIs do, which is to only reimburse in some situations â it could boast that its customers are better protected against fraud, prompting customers to leave competitors. That move would justify higher cybersecurity spend because of the greater acceptance of fraud costs.
“If you can shorten that sales cycle and prove that security gained more sales, it can be highly persuasive to CFOs: ‘Today, three customers walked away, but tomorrow none will,'” Alford says.
Chief information security officers (CISOs) are senior-level executives responsible for overseeing an organizationâs information security strategy and operations. They are responsible for identifying, evaluating and mitigating security risks and ensuring the organization’s information assets are protected from cyber threats and attacks.
CISOs play a critical role in protecting an organizationâs valuable information assets. As such, they must possess a strong understanding of the latest threats and technologies in the cybersecurity landscape. They must also have strong leadership and communication skills and the ability to work effectively with other organizational executives and stakeholders. But why are they often forced to also play the role of firefighter?
When a CISO is referred to as a âfirefighter,â it typically means that they are spending a significant amount of time responding to security incidents and putting out fires rather than being able to focus on proactively preventing those incidents from occurring in the first place. Here are some reasons why a CISO may become a firefighter: Â 1. Lack of resources:Â A CISO may not have sufficient resources (e.g., budget, staff, or technology) to implement a comprehensive cybersecurity program effectively. This can lead to security incidents that require a reactive response.
2. Insufficient risk management:Â A CISOÂ may not have a robust risk management program in place, which means that security incidents are more likely to occur. Without proper risk management, a CISO may be caught off guard by security incidents and have to react quickly to mitigate the damage.
3. Lack of security awareness:Â Employees may not be properly trained on cybersecurity best practices, which can lead to security incidents such as phishing attacks or malware infections. When employees are unaware of the risks, they may inadvertently engage in behaviors that put the organization at risk.
4. Rapidly evolving threat landscape:Â Cyberthreats constantly evolve, so a CISO must be vigilant and adapt to new threats. If a CISO is not proactive in staying up-to-date with the latest threats, they may be caught off guard when a new threat emerges.
5. Organizational culture:Â The organizational culture may not prioritize cybersecurity, making it difficult for a CISO to implement a comprehensive cybersecurity program. If the organization does not prioritize cybersecurity, it may not allocate sufficient resources to the CISO to effectively prevent security incidents. Â To avoid being a firefighter, a CISO must take proactive measures to prevent security incidents from occurring. This includes implementing a comprehensive cybersecurity program, conducting regular risk assessments and educating employees on cybersecurity best practices. By taking a proactive approach, a CISO can reduce the likelihood of security incidents and spend less time reacting to them.
It is important to note that being a firefighter is not necessarily negative, as incident response is a critical component of a comprehensive cybersecurity strategy. While it is important for CISOs to be proactive in identifying and mitigating potential threats, it is also crucial for them to respond quickly and effectively when incidents occur.
Ideally, CISOs should be able to balance their time between proactive prevention efforts and reactive incident response. This requires having a comprehensive security program in place, including technical controls, policies, procedures and employee training programs. By taking a holistic approach to cybersecurity, CISOs can work to reduce the number and severity of security incidents they need to respond to and shift their focus more towards proactive prevention.
A virtual Chief Information Security Officer (vCISO) service may be appropriate for a variety of scenarios, including:
Your clients, collaborators (partners) and some regulatory requirements anticipate the presence of an individual fulfilling the position of Chief Information Security Officer (CISO).
Companies without an in-house CISO: Small and medium-sized companies may not have the budget or need for a full-time CISO. A vCISO service can provide these companies with access to a seasoned cybersecurity professional without having to hire a full-time employee.
Companies experiencing rapid growth or change: Companies that are growing quickly or undergoing significant changes, such as mergers or acquisitions, may benefit from the expertise of a vCISO to help them navigate the cybersecurity implications of these changes.
Companies with limited cybersecurity resources: Some companies may have an IT team but lack dedicated cybersecurity resources. A vCISO can help fill this gap by providing strategic guidance and oversight of the company’s cybersecurity program.
Compliance requirements: Companies in regulated industries, such as healthcare or financial services, may require a CISO to meet regulatory requirements. A vCISO can help these companies meet compliance requirements with standards (ISO 27001) and regulations (PCI, HIPAA, NIST CSF, etc.) without having to hire a full-time CISO.
Cybersecurity incident response: In the event of a cybersecurity incident, a vCISO can provide expertise and guidance to help the company respond effectively and minimize the impact of the incident.
Overall, a vCISO service can be a cost-effective way for companies to gain access to the expertise of a seasoned cybersecurity professional without having to hire a full-time employee.
Weâd love to hear from you! If you have any questions, comments, or feedback, please donât hesitate to contact us. Our team is here to help and weâre always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our websiteâs contact form.
94% of CISOs report being stressed at work, with 65% admitting work-related stress issues are compromising their ability to protect their organization, according to Cynet.
CISOs (Chief Information Security Officers) often face high levels of stress due to the nature of their role. Here are some reasons why CISOs may struggle with stress:
High-stakes responsibility: CISOs are responsible for protecting their organization’s sensitive information and ensuring that the organization’s systems and data are secure from cyber threats. The stakes are high, as a breach could have severe financial, legal, and reputational consequences for the organization. This level of responsibility can create significant stress for CISOs.
Constantly evolving threats: Cyber threats are constantly evolving, which means that CISOs need to stay up-to-date with the latest security trends and technologies. This can be challenging and stressful, as they need to stay one step ahead of cybercriminals.
Budget constraints: CISOs often struggle with limited budgets for their security programs, which can create stress as they need to make tough decisions about where to allocate resources and how to prioritize their security efforts.
Talent shortages: There is a shortage of skilled cybersecurity professionals, which means that CISOs often struggle to find and retain talented staff. This can create stress as they need to find ways to manage their workload and keep their security programs running effectively.
Balancing business needs and security: CISOs need to balance the needs of the business with the need for security, which can create stress as they need to find ways to enable business initiatives while still maintaining a secure environment.
All of these factors can contribute to the high levels of stress that CISOs often experience. To cope with this stress, CISOs may need to develop strong coping strategies such as seeking support from colleagues, practicing self-care, and prioritizing their workload. Additionally, organizations can help by providing their CISOs with adequate resources and support to help them manage their responsibilities effectively.
Among the CISOs surveyed, 100% said they needed additional resources to adequately cope with current IT security challenges.
Stress issues
The lack of bandwidth and resources is not only impacting CISOs, but their teams as well. According to the report, 74% say they are losing team members because of work-related stress issues, with 47% of these CISOs having more than one team member exit their role over the last 12 months.
Relentless stress levels are also affecting recruitment efforts with 83% of CISOs admitting they have had to compromise on the staff they hire to fill gaps left by employees who have quit their job. More than a third of the CISOs surveyed said they are either actively looking for or considering a new role.
âThe results from our mental health survey are devastating but itâs not all doom and gloom. Our research found that CISOs know exactly what they need to reduce stress levels: more automated tools to manage repetitive tasks, better training, and the ability to outsource some work responsibilities,â said Eyal Gruner, CEO, Cynet.
âOne of the most eye-opening insights from the report was the fact that more than 50% of the CISOs we surveyed said consolidating multiple security technologies on a single platform would decrease their work-related stress levels,â Gruner added.
Key findings from the report include:
77% of CISOs believe that their limited bandwidth and lack of resources has led to important security initiatives falling to the wayside, with 79% of these CISOs claiming they have received complaints from board members, colleagues or employees that security tasks are not being handled effectively.
93% of CISOs believe they are spending too much time on tactical tasks instead of performing strategic, high-value work and management responsibilities. Among the CISOs who believe they are overly invested in tactical tasks, more than a quarter report spending their workday almost exclusively on tactical/operational tasks.
84% of CISOs say they have had to cancel a vacation due to an urgent work matter and 64% report theyâve missed a private event because of work fatigue. More than 90% consistently work 40+ hours per week with no break.
The impact of work-related stress on everyday life
The major takeaway from the survey is that CISOs â and their teams â are suffering from overwhelming amounts of stress and itâs affecting everything from the security of their company to their day-to-day work routines and, ultimately, their life outside of work.
In fact, 77% of CISOs said that work-related stress was directly impacting their physical health, mental health, and sleep patterns.
The company surveyed chief information security officers (CISO) at small to midsize businesses with security teams of five employees or less to better understand their levels of work-related stress and how their mental health is impacting their work life and personal life.
Identity isnât a security problem â itâs the security problem.
This was the takeaway from my recent meeting with a local government CISO in the Washington, D.C. area. Tasked with protecting infrastructure, including the fire and police departments, the CISO turned to CrowdStrike a year ago for endpoint and identity protection.
The CISO outlined the main challenge his team faced: the managed detection and response (MDR) solution in use at the time was unable to keep up with modern security demands. The tool didnât deliver the speed or fidelity he needed. Nor did it provide remediation, leading to long delays between when the tool sent data to the management console and when his thinly stretched security team could investigate and triage alerts.
CrowdStrike FalconÂź Complete solved these problems by providing a bundle of Falcon modules on AWS GovCloud, complete with a virtual team of experts to administer the technology and quickly eliminate threats.
âThereâs a complete difference between our previous MDR and CrowdStrike Falcon Complete. One gives me work to do. The other tells me the work is done.â âCISO, A county in the Washington, D.C. area
Identity Is the New Perimeter
Of everything the CISO shared, it was the identity piece that really stood out to me. According to the CrowdStrike 2022 Global Threat Report, nearly 80% of cyberattacks leveraged compromised credentials â a trend the county sees regularly, he said.
With Falcon Complete, the CISO gets CrowdStrike FalconÂź Identity Threat Protection to stop identity-based attacks, both through services performed by CrowdStrike and via work done by his security operations center (SOC) team.
Check out this live attack and defend demo by the Falcon Complete team to see Falcon Identity Threat Protection in action.
Below are nine use cases for the identity protection capability, in his own words.
1. We receive executive-level key metrics on identity risks. Falcon Identity Threat Protection provides us immediate value with real-time metrics on total compromised passwords, stale accounts and privileged accounts. As these numbers decrease, our risk and expenditures drop as well, allowing us to prove the value of our cybersecurity investments to stakeholders.
2. We get powerful policies and analytics. Falcon Identity Threat Protection helped us move away from reactive, once-a-year privileged account analysis to proactive real-time analysis of all of our identities, including protocol usage such as Remote Desktop Protocol (RDP) to DCs/critical servers. Many attacks leverage compromised stale accounts, and with Falcon Identity Threat Protection we can monitor and be alerted to stale accounts that become active.
3. We can stop malicious authentications. With Falcon Identity Threat Protection, we can enforce frictionless, risk-based multifactor authentication (MFA) when a privileged user remotely connects to a server â stopping adversaries trying to move laterally. Additionally, we can define policies to reset passwords or block/challenge an authentication from stale or high-risk accounts.
âIâve bought a lot of cyber tools. My analysts unanimously thanked me the day we bought CrowdStrike.â
4. We can alert system admins to critical issues. Adversaries often target critical accounts. Instead of simply alerting the security team, Falcon Identity Threat Protection allows us to flag critical accounts with specific policies and alerts that can be sent directly to the account owner. For example, the owner of a critical admin account for our organizationâs financial systems can be alerted to anomalous behavior around that account, eliminating the need for the security team to reach out to her for every alert.
5.We can investigate behavior and hygiene issues. When reviewing RDP sessions from the last 24 hours, we noticed a former employee, Steve Smith (names changed), remotely accessing a server in our environment from Jane Doeâs computer. Upon investigation, we found Jane Doe was legitimately using Steve Smithâs credentials to perform business functions that Steve was no longer around to perform. We immediately tied Janeâs account to Steveâs to trigger MFA for any authentication. We also reviewed Steveâs permissions and noticed he had extensive local administrator privileges to over 600 computers, which we were able to remove instantly.
6. We can eliminate attack paths to critical accounts. It takes only one userâs credentials to compromise your organization. In previous phishing campaigns that asked users to reset their passwords, 7% of our employees entered their username and password into a fake Microsoft login screen. Falcon Identity Threat Protection shows us how one username and password dump from a single machine can lead to the compromise of a highly privileged account, allowing for full, unfettered access to an enterprise network. We now have the ability to visualize how a low-level account compromise can lead to a full-scale breach.
âWithin two hours of deploying Falcon Identity Threat Protection, we identified 10 privileged accounts with compromised passwords and began resetting them immediately.â
7. We gain awareness of AD incidents. With Falcon Identity Threat Protection, we can now see credential scanning and password attacks on all of our external-facing systems that link to our Microsoft AD and Azure AD logins.
8.We can verify if lockouts are actually malicious. Every day, we face a handful of account lockouts, mostly due to users forgetting their passwords or a system that continues to authenticate after the user has reset their password. With Falcon Identity Threat Protection, we can see all account lockouts and failed authentications, allowing us to immediately understand why a lockout occurred and if malicious activity was involved.
9. We can correlate endpoint and identity activity. Once an alert fires off regarding a potentially misused identity, such as a stale account becoming active after 90+ days of inactivity, we can correlate this information with endpoint-related detections. We simply grab the hostname where the stale account became active, pivot to CrowdStrike FalconÂź Insight XDR, and look for malicious activity and detections on a specific machine. Likewise, if a machine becomes infected, we can use Falcon Identity Threat Protection to investigate who has access to that machine and whether their behavior is normal. This integration is not only unique but essential with identity-based attacks.
âCrowdStrike not only revolutionized the way our SOC operates, it changed the way I sleep at night.â
On January 11, 2023, presiding United States District Judge William Orrick in San Francisco denied the motion of Joe Sullivan, the former CISO of Uber, for a judgment of acquittal. The conviction arose from Sullivanâs agreement to pay attackers who breached the security of the online ride-sharing service and obtained personal information about thousands of users, drivers and riders. Sullivan, a lawyer and a former federal computer crime prosecutor himself, was convicted in 2022 by a jury of concealing and not reporting the Uber attack and of obstructing a federal investigation into an earlier Uber attack by the Federal Trade Commission by concealing the new breach.
The case centered on the fact that after Sullivan became aware of the breach, he took steps to prevent the breach from being publicly disclosedânoting that âThis canât get out,â and âWe need to keep this tightly controlled.â Sullivan also told the incident response team that âThis may also play very badly,â based on previous assertions of lack of adequate security at Uber made by the FTC in a then-ongoing civil investigation of Uber. After the breach was known to Uber, the charges alleged that Sullivan negotiated a nondisclosure agreement with the attackers; under Uberâs then-existing bug bounty program, the company would pay $100,000 if they promised to execute a document indicating that they âDid not take or store any data during or through [their] research,â and that they âDelivered to Uber or forensically destroyed all information about and/or analysis of the vulnerabilities,â the attackers discovered. The nondisclosure agreement provided that the attackers certify that they did not take data that, in fact, they had demonstrably taken.
âCorruptâ Obstruction of an FTC Proceeding
Itâs important to note the crimes Sullivan was convicted of. First, he was convicted of violating 18 USC 1505, which relates to the obstruction of some governmental proceeding. In Sullivanâs case, the act of obstruction occurred when he did not reveal to the FTC that Uber had suffered a data breach after the completion of the FTC investigation of a previous data breach and when he paid the attacker to ensure that news of the new breach would not leak.
The trial court rejected Sullivanâs claims that to successfully convict him of obstruction, the government would have to prove that there was some ânexusâ or connection between the thing concealed (the new breach) and the proceeding that was obstructed (the investigation of the old breach). The court ruled that no such nexus need have been proven, as long as the jury had evidence that (1) the FTC action was an agency proceeding, (2) Sullivan was aware of the proceeding and that (3) he âintentionally endeavored corruptly to influence, obstruct or impede the pending proceeding.â The court found persuasive the fact that Sullivan knew of (and indeed had testified before) the FTC proceeding, expressed his desire that the new breach be kept secret and had the attackers execute an NDA preventing them from disclosing the breach as evidence of Sullivanâs corrupt intent to conceal the breach from the FTC.
The trial court also rejected Sullivanâs claims that, to corruptly obstruct a proceeding by not disclosing something, the government would have to establish an actual legal duty to disclose that thing. The FTC was investigating a prior breach. There was no evidence that Uber or Sullivan obstructed or impeded the FTCâs investigation of that breach or concealed evidence related to that breach. However, in the course of deciding what sanction the FTC wanted to impose on Uber for the other breach (and the adequacy of Uberâs overall security program), Sullivan and Uber knew that the FTC would want to know about the new breach (which represented a lapse of security). Thatâs why Sullivan wanted to conceal it.
There are a lot of problems with this theory. Imagine negotiating a plea agreement for someone who was caught shoplifting. In the course of negotiating the plea, the defense lawyer learns (through a privileged conversation) that the defendant has shoplifted other items from other stores after the incident but was never caught. Is there a duty to tell the prosecution? No. In fact, it would violate privilege to do so. What if you instructed the client to either return the items or pay for them (and some extra) in return for the merchant agreeing to âsettleâ the case and not report it to the prosecution? Would that be âcorruptlyâ obstructing the plea negotiations? What if, in a civil lawsuit, a client answers truthfully that he has never been accused of some relevant wrongdoing? Days after the testimony, the deponent is then accused of that wrongdoing. The testimony was truthful at the time, but certainly, the other side would like to know about the new allegations. Are you required to disclose the new allegations? Can you settle the new charges with an NDA to keep the lawyers from learning about them, or would that constitute an obstruction of a judicial proceeding? Would it matter if the allegations in the new cases had some ânexusâ to the one under litigation? Would it matter if the old case had been settled? While the use of the term âcorruptlyâ in the jury instructions implies a requirement of proof that it was the specific intent of the defendant to do something the law prohibited (or refrain from doing something that the law required), itâs not clear what Sullivan did that was âcorruptâ if there was no affirmative duty to disclose. Would he still be guilty of obstruction if he did not have the attackers execute an NDA but simply did not tell the FTC of the new breach? And what if the breach were just a vulnerability that was not exploited; certainly something the FTC would want to know. Itâs not clear how far the court and DOJ would extend this concept.
Misprison of a Felony
The other crime Sullivan was convicted of was âmisprison of a felony,â an archaic common law inchoate crime which punishes anyone with knowledge of the commission of a felony who conceals and does not report the same. The elements of that offense, according to the court, was proof that (1) a federal felony was committed (in this case, âintentionally accessing a computer without authorization and thereby obtaining information from a protected computer, or conspiracy to extort money through a threat to impair the confidentiality of information obtained from a protected computer without authorizationâ); (2) Sullivan had knowledge of the commission of that felony; (3) Sullivan had knowledge that the conduct was a federal felony; (4) Sullivan failed to notify federal authorities and (5) that he did an affirmative act to conceal the crime. For this offense, there did not have to be a legal duty to disclose the felony, just that there was a felony committed.
Unlike the obstruction statute, the misprision statute requires evidence of concealment. The court held that â[t]he $100,000 payment to the hackers and NDA support this, specifically the provision where the hackers promised that they âhave not and will not disclose anything about the vulnerabilitiesâ or their conversations with Uber without written permission.â
I donât doubt that a prime motivation for paying the very high âbountyâ to the hackers and having them execute the NDA was to keep quiet the attack and the vulnerabilities that were exploited.
On the other hand, responsible disclosure principles and bug bounty programs themselves often demand secrecy. This would be particularly true for a vulnerability for which no patch existed. Microsoftâs bug bounty program notes:
CONFIDENTIALITY OF SUBMISSIONS/ RESTRICTIONS ON DISCLOSURE Protecting customers is Microsoftâs highest priority. We endeavor to address each Vulnerability report in a timely manner. While we are doing that we require that Bounty Submissions remain confidential and cannot be disclosed to third parties or as part of paper reviews or conference submissions. You can make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is fixed. We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for 30 days after the Vulnerability is fixed. Microsoft will notify you when the Vulnerability in your Submission is fixed. You may be paid prior to the fix being released and payment should not be taken as notification of fix completion. VIOLATIONS OF THIS SECTION COULD REQUIRE YOU TO RETURN ANY BOUNTIES PAID FOR THAT VULNERABILITY AND DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE.
Of course, this compares apples with oranges. The Microsoft program is not a permanent ban on disclosureâjust enforcing a responsible disclosure. In addition, the MS program relates to any relevant disclosuresâvulnerabilities, attacks, etc., and not just actions which would constitute a âfelony.â Does âconceal and not reportâ mean âconceal and never reportâ?
But companies have many reasons for not wanting to disclose felonies that have been committed against them. An employee steals from the company and is terminated with an NDA and a non-disparagement agreement. The company does not report the theft. Did they âconceal and not reportâ a felony? Certainly, or take a sextortion case where attackers obtain access to someoneâs sexually explicit files or pictures and threaten to release them if a cryptocurrency payment is not made. The victim pays the ransom to avoid publicizing the fact that the images exist. Did they âconceal and not reportâ the felony extortion scheme? You betcha. And if payment of a ransom in a ransomware situation is partially motivated by the companyâs desire to avoid publicly disclosing the fact that they were hit by ransomware (and partly to get their files back and get back to work), they are subject to prosecution under the misprision statute.
An overwhelming trend since the 1990âs has been to require companies to reportâeither to the public, to data protection authorities, to law enforcement, to regulators or to third parties by contractâdata breaches, incidents and, in some cases, material vulnerabilities. The Sullivan case rests on the principle that, even if there is no duty to report it, you may find yourself in legal trouble if you donât.
Most small-to medium-sized business (SMBs) hiring a CISO may be challenging business decision to find a suitable and affordablee candidate and the impacts of cyber breach to the SMBs can be devastating since many of those businesses are unable to sustain the costs of breach. A vCISO can provide the expertise needed to ensure your information security, privacy programs are succeeding and your company is prepared to assess and analyze an incident, all at cost-effective price.
DISCâs Virtual CISO (vCISO) service assists organizations to design, develop and implement information security programs based on various standards and regulations. We provide professional security services which includes but not limited to leadership team (strategic) but also a support team of security analysts (tactical) to solve distinct cybersecurity challenges to every organization.
Reasons to Consider a Virtual CISO (vCISO)
Expertise covering Industries: vCISOs work with various clients across industries, opening them to events not attainable to CISOs experience in an isolated industry. The security knowledge gained by a vCISO from each client environment is different which ensures an improved expertise to assess the next organization, which positively impacts on the next client project.
Flexibility in Unique Business Environments: vCISOs first gain a thorough understanding of each organizationâs business model, company culture, risk tolerance, and objectives. From there, they gain an understanding of security risks faced by the organization. With a full view of the security landscape, the vCISO will communicate the findings to help clients make the appropriate security decisions for their environment.
Efficiency with Core Competencies: A virtual CISO fills will prioritize security findings where organizations need it most. By focusing on cybersecurity strategy and implementation, vCISOs helps internal security team with control understanding and implementation responsibility. This enables both staff and cybersecurity leadership to remain dedicated to their respective core competencies.
Objective Independence: vCISOs are an independent third party with an objective viewpoint and goals of helping clients make the best security decisions for their business.
Economical: DISCâs vCISO programs generally cost a fraction of a full-time CISO and supporting security team. According to salary.com report, the average salary for a CISO is $260,000 per year in California. On average, DISC’s vCISO clients pay a fraction of what it would cost to hire an in-house CISO.
Most important skills of vCISO: is to translate between business and IT as a facilitator
vCISO risk remediation solution:
What is risk to business
Likelihood of occurrence and what will be the risk to business
Impact of occurring and what will be the risk to business
Cost of fixing, implementing or remediating and what will be the residual risk
Compliance services are emerging as one of the hottest areas of cybersecurity. While compliance used to be mainly the province of large enterprises, times have changed, and it is now a day-to-day concern for a growing number of small and medium businesses.
Even when these organizations are not regulated, SMEs often aim to follow compliance and/or security frameworks either for their own risk mitigation or in order to comply with the standards required by their customers. The driver is often their customersâ supply chain concerns and requirements. As large businesses adopt cybersecurity and compliance frameworks and agree to certain standards, they impose similar demands on their suppliers.
This is a major opportunity for virtual CISO (vCISO) providers assuming they can broaden their offerings to encompass compliance. vCISO service providers perform a vital role in building a comprehensive cybersecurity program for their SME customers.âŻThey ensure that organizations put basic security measures in place to reduce the risk of a cyberattack and adequate safeguards to protect sensitive information. As such, those delivering vCISO services are well-positioned to expand their services into compliance. Some have already extended their service portfolio by adding compliance-related services, adding value to their customers.
While this should be a natural and easy transition, many vCISO service providers struggle to make this move. Adding compliance and audit readiness services may be overwhelming â it requires a specific skill set and may be time-consuming.
Fortunately, vCISO platforms are emerging that integrate the compliance function and automate much of the work allowing vCISO service providers to easily add compliance services to their offering with no extra burden or cost.
The research shows the CISO seat to be relatively industry-agnosticâwith 84% of CISOs having a career history of working across multiple sectorsâwith todayâs CISOs expected to bring more breadth of leadership to their role as they move away from being technical experts.
âTodayâs CISOs are taking up the mantle of responsibilities that have traditionally fallen solely to the CIO, which is to act as the primary gateway from the tech department into the wider business and the outside marketplace,â said James Larkin, Managing Partner at Marlin Hawk.
âThis widening scope requires CISOs to be adept communicators to the board, the broader business, and the marketplace of shareholders and customers. By thriving in the âsofterâ skill sets of communication, leadership, and strategy, CISOs are now setting the new industry standards of today and, I predict, will be progressing into the board directors of tomorrow.â
Key findings from the report include:
CISO profiles have changed dramaticallyâ36% of CISOs analyzed with a graduate degree received a higher degree in business administration or management. This is down 10% from last year (46% in 2021). Conversely, there has been an increase to 61% of CISOs receiving a higher degree in STEM subjects (up from 46% in 2021).
More CISOs are being hired internallyâApproximately 62% of global CISOs were hired from another company, indicating a slight increase in the number of CISOs hired internally (38% hired internally compared to 36% in 2021), but a large gap remains in appropriate successors.
CISO turnover rates have declinedâbut still remain high with 45% of global CISOs having been in their current role for two years or less, down from 53% in 2021, with 18% turnover year-over-year.
CISO roles continue to become more complex
âI would say that you shouldnât have the CISO title if youâre not actively defending your organization; you have to be in the trenches,â said Yonesy NĂșñez, CISO, Jack Henry Associates. âI also feel that over the last eight to 10 years, the CISO role has become a CISO plus role: CISO plus engineering, CISO plus physical security, CISO plus operational resiliency, or CISO plus product security. As a result, weâve seen multiple CISOs that have done a great job with cybersecurity, fusion centers, SOC, and leadership. This has paved the way for the CISO office to become a business enabler and also a transformational technology function.â
Kevin Brown, a seasoned cybersecurity executive, added, âWe have over 100 countries at this point with their own data privacy legislation that makes doing global business in a compliant manner trickier than it used to be. As a result, in most organizations weâre seeing a tighter connection and collaborative spirit between data officers, CISOs, legal teams and marketing. CISOs have to be in the know on all priorities for these different sectors of the business so they can take them into account when writing policiesâitâs a more complex job than it ever used to be.â
More organizations are appointing CISOs from within
The research shows a decrease in the percentage of CISOs hired externally (62%) in the last year, compared to 2021 (64%), indicating a potential shift towards an organizationâs next CISO already operating inside the business.
Larkin went on to say, âAs the importance of information security has grown, boards of directors, regulators, and shareholders have demanded greater controls, better risk management as well as more people and departments focusing on defending a company and its assets. Fortunately, this has had the positive side effect of creating more internal succession for the CISO positionâorganizations can look for risk and control focused talent in more places than just the office of the CISO.â
âNow candidates are being internally promoted to the role of CISO from IT Risk, Operational Risk Management, IT Audit, Technology Risk & Controls, among others,â Larkin added. âNot only does this give regulators more comfort that there are multiple sets of eyes on this at the leadership level, but it has also vastly increased the size of the succession talent pool and is helping to future-proof the information security industry as a whole.â
CISO turnover rates are still high for several reasons
âThe not-so-secret secret is that no CISO can accomplish much in one or two years. Most CISOs change roles because of one of three reasons,â shares Shamoun Siddiqui, CISO at Neiman Marcus Group.
âFirst, their skillset is not up to par, and they get quietly pushed out by the company. Due to the extremely high demand for security leaders, often individual contributors get elevated to the role of CISO, and they get overwhelmed within months. Second, they have an insurmountable task with unrealistic expectations, and there is a lack of support from their peers and from the leadership of the company. The company may be paying lip service to cybersecurity but may not be forward-thinking enough to make it a priority. Third, they just get enticed by a better offer from somewhere else. There is such a shortage of security professionals and security leaders that companies keep offering increasingly high salaries and benefits to CISOs.â
Another factor leading to high turnover is poor hiring decisions that are a result of a lack of scrutiny and due diligence in the recruiting process. While the immediate need may outweigh a more thorough vetting, fast tracking a CISO hire can have adverse effects if there are other, more suitable candidates out there.
More good news: We know how ransomware âgangsâ work and, for the most part, what theyâre after.
Ransomware is opportunistic and the barriers to entry for operators are relatively low as the tools, infrastructure, and access that enables these attacks have proliferated across various online illicit communities through the ransomware-as-a-service (RaaS) model. Ransomware affiliates can rent the malware and be paid a commission from the victimâs extortion fee.
Initial access brokersâi.e. threat actors who sell ransomware operators and affiliates access into victim networksâare constantly scanning the internet for vulnerable systems. Leaked credentials from breaches and other cyber incidents can lead to brute force or credential stuffing attacks. Employees need to constantly be aware of increasingly sophisticated social engineering schemes. Threat actors can use any of these mechanisms to breach systems, escalate privileges, move laterally, and ideally take actions on objectives, dropping that malware on a victimâs network and encrypting all of their files.
But one of the most effective ways to stop a ransomware attack is to deny them access in the first place; without access, there is no attack. The adversary only needs one route of access, and yet the defender has to be aware and prevent all entry points into a network. Various types of intelligence can illuminate risk across the pre-attack chainâand help organizations monitor and defend their attack surfaces before theyâre targeted by attackers.
Vulnerability intelligence
The best vulnerability intelligence should be robust and actionable. For instance, with vulnerability intelligence that includes exploit availability, attack type, impact, disclosure patterns, and other characteristics, vulnerability management teams predict the likelihood that a vulnerability could be used in a ransomware attack.
With this information in hand, vulnerability management teams, who are often under-resourced, can prioritize patching and preemptively defend against vulnerabilities that could lead to a ransomware attack.
Threat intelligence
Having a deep and active understanding of the illicit online communities where ransomware groups operate can also help inform methodology, and prevent compromise. Organizations must be able to monitor for, and be alerted to, stolen login credentials before they reach criminal actors. This intelligence can mitigate account takeover and break the chain leading to brute force or credential stuffing attacks.
Technical intelligence
When cyber threat actors successfully infiltrate your network, the subsequent attack is not always immediate; sometimes, they will install tools that can help them further invade and seek access to the most valuable data. Technical intelligence helps security teams detect indicators of compromise, or IOCs, and the presence of Cobalt Strike beacons, which can unknowingly be present in your systems and later help a ransomer carry out an attack.
Prevention through preparedness
In order to help employees and executives understand various ransomware-related risks, organizations should seek to implement tabletop exercises designed by companies with expertise preparing for, and responding to, a ransomware event. These simulated scenarios should cover how to spot (and report) social engineering schemes like phishing attacks, which lure employees to click on links or interact with harmful attachments that could allow ransomware malware to be deployed on company devices.
By spending time building out and rehearsing a response plan prior to an attack scenario, your team will be equipped with informed decision-making during a ransomware-related emergency. But rest assured: Itâs best to have the right intelligence at-hand, including the data, expert insights, and tools that can help to prevent an attack in the first place and keep your organization running without interruption.
A global survey from recruitment firm Marlin Hawk that polled 470 CISOs at organizations with more than 10,000 employees found nearly half (45%) have been in their current role for two years or less.
James Larkin, managing partner for Marlin Hawk, said that rate is slightly lower than the previous year when the same survey found 53% of CISOs had been in their positions for less than two years.
Overall, the survey found that current turnover rates are at 18% on a year-over-year basis. Approximately 62% of CISOs were hired from another company, compared to 38% that were promoted from within, the survey also found.
However, only 12% of CISOs are reporting directly to the CEO, while the rest report to other technology leadership roles, the survey revealed. It also found that more than a third of CISOs (36%) that have a graduate degree also received a higher degree in business administration or management, a 10% decline from the previous year. A total of 61% have higher degrees in another STEM field, the survey found.
Finally, the survey showed only 13% of the respondents are female, while only 20% are non-white.
The role of the CISO continues to expandâand with it the level of stressâas cyberattacks continue to increase in volume and sophistication, noted Larkin. Itâs not clear whether or how much stress levels are contributing to CISO turnover rates, but it is one of the few 24/7 roles within any IT organization, added Larkin.
The role of the CISO has also come under more scrutiny in the wake of the conviction of former Uber CISO Joe Sullivan on charges of obstruction. Most CISOs view their role as defending the corporation but, in general, Larkin noted that most of them would err on the side of transparency when it comes to managing cybersecurity.
The one certain thing is that CISOs are more valued than ever. A PwC survey of 722 C-level executives found that 40% of business leaders ranked cybersecurity as the number-one most serious risk their organizations faced. In addition, 58% of corporate directors said they would benefit most from enhanced reporting around cybersecurity and technology.
As a result, nearly half of respondents (49%) said they were increasing investments in cybersecurity and privacy, while more than three-quarters (79%) said they were revising or enhancing cybersecurity risk management.
As a result, CISOs generally have more access to resources despite an uncertain economy. The issue is determining how best to apply those resources given the myriad platforms that are emerging to enhance cybersecurity. Of course, given the chronic shortage of cybersecurity talent, the biggest challenge may simply be finding someone who has enough expertise to manage those platforms.
In the meantime, most of the training CISOs and other cybersecurity professionals receive will continue to be on the job. CISOs, unlike other C-level roles that have time available for more structured training, donât have that luxury.
The coming new year is a good moment for chief information security officers to reflect upon what they’ve learned this year and how to apply this knowledge going forward.
“If companies are not going to learn these lessons and mature their security practices, we will see increased scrutiny in audits and third-party risk assessments, and this may have a financial, reputational, operational, or even compliance impact on their business,” says Sohail Iqbal, CISO at Veracode.
1. Don’t wait for a geopolitical conflict to boost your security
2. The population of threat actors has exploded, and their services have become dirt cheap
3. Untrained employees can cost a company millions of dollars
4. Governments are legislating more aggressively for cybersecurity
5. Organizations should keep better track of open-source software
6. More effort should be put into identifying vulnerabilities
7. Companies need to do more to protect against supply chain attacks
8. Zero trust should be a core philosophy
9. Cyber liability insurance requirements might continue to increase
10. The “shift-left” approach to software testing is dated
11. Using the wrong tool for the wrong asset will not fix the problem
12. Organizations need help understanding their complete application architectures
In this Help Net Security video, Frank Kim, CISO-in-Residence at YL Ventures, discusses the growing role of CISOs in investment firms and how their role as advisors helps drive cybersecurity startups.
Frank works closely with cybersecurity startup founders on ideation, product-market-fit, and value realization, on an in-house and regular basis.
He provides them with what can be considered an important perspective into the needs of modern CISOs, security teams, and businesses, and he specifically guides them on how to make security solutions provide business value at business speed, resolving the gap between business and tech latency.
As organizations begin to address the risks of an increasingly complex digital landscape, they are recognizing that cybersecurity challenges are compounded by a lack of available talent and skills to mount a necessary defense. The digital skills shortage in the U.S. is at a critical point, highlighting a need for increased investment in workforce training. The Biden White House recently said that roughly 700,000 cyber-defense-related positions nationally are unfilled.
Clearly, CISOs and leaders across the C-suite are focused on the challenge, and many are investing heavily in shoring up gaps in their cybersecurity approach. In an age when a cyberattack can be an existential threat to any organization, cybersecurity engineers will serve as the first responders to such threats.
But organizations are struggling to fill these roles. Cyber professionals face ever-increasing pressure to keep up with more sophisticated and complex threats. The burnout in the profession is significant. Whatâs more, there hasnât been a good understanding of the variety of jobs that there are in cybersecurity, and the various skills that can be leveraged for those jobs.
What complicates the effort to fill these roles are the demands placed on them. A strong cybersecurity professional must have advanced skills and experience in the following: meeting the immediate needs of securing the enterprise while also satisfying regulators and compliance officials; keeping a close eye on protections for customers and their personal data; and, if an incident occurs, navigating those interactions and coordinating with law enforcement. These are skills rarely found together.
In fact, not only is there a challenge in filling day-to-day roles within the cybersecurity portfolio, there is also a leadership gap. Many highly skilled cybersecurity professionals avoid taking leadership positions in the field precisely because they do not feel prepared to take on these multivariate tasks.
The solution rests in a two-pronged approach.
#1. Leverage cybersecurity frameworks and automation.
Organizations need to reduce the demand on crisis cyber defense by deploying automated platforms and technologies, such as zero trust security, to screen out threats and examine their entire value chain â including suppliers, vendors and others who may be the source of the greatest potential risks. As part of this effort, trained cybersecurity professionals should be deployed during the software development lifecycle and across business processes so that security and protections can be embedded by design rather than bolted on later.
Vulnerability management has always been as much art as science. However, the rapid changes in both IT networks and the external threat landscape over the last decade have made it exponentially more difficult to identify and remediate the vulnerabilities with the greatest potential impact on the enterprise.
With a record of 18,378 vulnerabilities reported by the National Vulnerability Database in 2021 and an influx of new attack techniques targeting increasingly complex and distributed environments, how can CISOs know where to start?
Why has maintaining network visibility become such a challenge?
Heavy investments into digital transformation and cloud migration have rendered significant, foundational changes to the enterprise IT environment. Gartner predicts end-user spending on public cloud services will reach almost 600 billion in 2023, up from an estimated $494.7 billion this year and $410.9 in 2021.
Long gone are the days when security teams could concern themselves only with connections to and from the data center; now they must establish effective visibility and control of a sprawling, complex network that includes multiple public clouds, SaaS services, legacy infrastructure, the home networks of remote users, etc. Corporate assets are no longer limited to servers, workstations, and a few printers; teams must now secure virtual machines on premise and in the cloud, IoT devices, mobile devices, microservices, cloud data stores, and much more â making visibility and monitoring infinitely more complex and challenging.
In many cases, security investments have not kept up with the rapid increase in network scope and complexity. In other cases, agile processes have outpaced security controls. This results in security teams struggling to achieve effective visibility and control of their networks, resulting in misconfigurations, compliance violations, unnecessary risk, and improperly prioritized vulnerabilities that provide threat actors with easy attack paths.
Adversaries are specifically targeting these blind spots and security gaps to breach the network and evade detection.
What are the most common mistakes being made in attempting to keep up with threats?
With the average cost of a data breach climbing to $4.35 million in 2022, CISOs and their teams are under extraordinary pressure to reduce cyber risk as much as possible. But many are hindered by a lack of comprehensive visibility or pressure to deliver agility beyond what can be delivered without compromising security. One of the most common issues we encounter is an inability to accurately prioritize vulnerabilities based on the actual risk they pose to the enterprise. With thousands of vulnerabilities discovered every year, determining which vulnerabilities need to be patched and which can be accepted as incremental risk is a critical process.
The Common Vulnerability Scoring System (CVSS) has become a useful guidepost, providing security teams with generalized information for each vulnerability. Prioritizing the vulnerabilities with the highest CVSS score may seem like a logical and productive approach. However, every CISO should recognize that CVSS scores alone are not an accurate way to measure the risk a vulnerability poses to their individual enterprise.
To accurately measure risk, more contextual information is required. Security teams need to understand how a vulnerability relates to their specific environment. While high-profile threats like Heartbleed may seem like an obvious priority, a less public vulnerability with a lower CVSS score exposed to the Internet in the DMZ may expose the enterprise to greater actual risk.
These challenges are exacerbated by the fact that IT and security teams often lose track of assets and applications as ownership is pushed to new enterprise teams and the cloud makes it easier than ever for anyone in the enterprise to spin up new resources. As a result, many enterprises are riddled with assets that are unmonitored and remain dangerously behind on security updates.
Why context is critical
With resources like the National Vulnerability Database at their fingertips, no CISO lacks for data on vulnerabilities. In fact, most enterprises do not lack for contextual data either. Enterprise security, IT, and GRC stacks provide a continuous stream of data which can be leveraged in vulnerability management processes. However, these raw streams of data must be carefully curated and combined with vulnerability information to be turned into actionable context â and it is this in this process where many enterprises falter.
Unfortunately, most enterprises do not have the resources to patch every vulnerability. In some circumstances, there may be a business case for not patching a vulnerability immediately, or at all. Context from information sources across the enterprise enables standardized risk decisions to be made, allowing CISOs to allocate their limited resources where they will have the greatest impact on the security of the enterprise.
Making the most of limited resources with automation
There was a time when a seasoned security professional could instinctively assess the contextual risk of a threat based on their experience and familiarity with the organisationâs infrastructure. However, this approach cannot scale with the rapid expansion of the enterprise network and the growing number of vulnerabilities that must be managed. Even before the ongoing global security skills shortage, no organization had the resources to manually aggregate and correlate thousands of fragments of data to create actionable context.
In todayâs constantly evolving threat landscape, automation offers the best chance for keeping up with vulnerabilities and threats. An automated approach can pull relevant data from the security, IT, and GRC stacks and correlate it into contextualized information which can be used as the basis for automated or manual risk decisions.
Nearly a third of CISOs or IT security leaders in the United States and the United Kingdom are considering leaving their current role, according to research by BlackFog.
Of those considering leaving their current role, a third of those would do so within the next six months, according to the survey, which polled more than 500 IT security leaders.
The report also found that, among the top issues security pros have with their current role, the lack of work-life balance is the most troublesomeâcited by three in 10 survey respondents.
More than a quarter (27%) of respondents said that too much time was spent on firefighting rather than focusing on strategic issues.
Twenty percent said they felt that keeping their teamsâ skill levels in line with new frameworks and models such as zero-trust was a âserious challengeâ, while 43% of respondents said they found it difficult to keep pace with the newest innovations in the cybersecurity market.
Using Automation to Ease the Pressure
Phil Neray, vice president of cyber defense strategy at CardinalOps, a detection posture management company, said both CISOs and security operations center (SOC) personnel take pride in being cybersecurity defenders for their organizations and both groups feel the pain of information overload and constantly being on call to respond to the latest emergencies.
âWhat needs to change? The CISOâs peers in the business need to understand that cybersecurity risk is a top business risk, not just an IT issue, and they need to allocate higher budgets to support a higher level of staffing in the SOC,â he said.
In addition, Neray said by investing in more automation for the SOC, CISOs and their teams will be freed from performing mundane tasks.
âThis way, they can direct their human creativity and innovation toward proactive activities like threat hunting and remediating gaps in their defensive posture, rather than always being reactive,â he explained.
Darren Guccione, CEO and co-founder at Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, added that there is âabsolutely no denyingâ that being a CISO is one of the most difficult and demanding roles in any company.
âThe board of directors and fellow business leaders must support their CISOâs priorities and needs, particularly when theyâre faced with a cyberattack or data breach,â he said. âWithout that support, talented CISOs wonât stick around as there are plenty of other job opportunities awaiting them.â
Indeed, the BlackFog report noted recruiting is a challenge globally and with stiff competition to attract the best talent, organizations need to address the well-being and work-life balance issues that have persisted across the industry.
Acknowledging CISO Burnout
Sounil Yu, CISO at JupiterOne, a provider of cybersecurity asset management and governance solutions, noted that CISOs face an uncommonly high risk of burnout due to the nature of security work.
âBurnout is more common than most realize,â he said. âAcknowledging burnout risks is an important way to be supportive and to let team members know that they are not alone.â
Yu pointed out that CISOs cannot personally shoulder the burden of mitigating burnout.
âInstead, CISOs should educate their companyâs board and fellow executive leaders on security burnout risks and collaborate with HR to improve resources such as employee resource programs, flexible working arrangements and systems of reward and recognition,â he said.
John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company, said CISOs are facing the same burnout risk as cybersecurity professionals with one key differenceâthe CISO is the designated âthroat to chokeâ when things go awry.
âOne of the biggest changes to be made in the C-suite to improve the situation for security leaders would be focusing on freeing the CISO to work on strategic issues,â he says. âConstant firefighting burns out everyone up and down the ladder. You can handle that with line staff with job rotation, but the CISO needs to have the resources to make their life better overall.â
Bambenek added that mandatory PTO that involves someone else tending to the fires while the CISO is gone would help, too.
âPTO where you are still on call isnât PTO,â he noted. âItâs just working from home.â
He explained that organizations that are well-funded should have emerging technology labs where they can explore both new technology and new security tools to help address the challenges CISOs are facing.
âA big part of this problem is threats evolve with rapid changes in technologyâsecurity is playing catch-up behind both,â Bambenek said.Â
CISOs are working overtime and canât always switch off from work, according to a recent Tessian report.
Recent headlines have shown that security stakes have never been higher, and itâs likely this high level of pressure thatâs causing 18% of security leaders to work 25 extra hours a week. Thatâs double the amount of overtime that they worked in 2021. While many are hopping on the âquiet-quittingâ trend, CISOs have the opposite problem.
In this Help Net Security video, Josh Yavor, CISO at Tessian, offers a personal perspective on dealing with burnout as a CISO.
