The presence of each third-party application increases the potential for attacks, particularly when end users install them without proper oversight or approval. IT security teams face challenges in obtaining comprehensive knowledge about the apps connected to their corporate SaaS platforms, including their permissions and activities.
In this Help Net Security video, Matt Radolec, Senior Director, Incident Response and Cloud Operations at Varonis, offers advice for CISO-level executives to enhance the security of corporate cloud data.
Chief Information Security Officers (CISOs) hold a critical and challenging role in today’s rapidly evolving cybersecurity landscape. Here are the common security challenges CISOs face.
As organizations increasingly rely on technology to drive their operations, CISOs face complex security challenges that demand their expertise and strategic decision-making.
These challenges arise from the constant emergence of sophisticated cyber threats, the need to protect sensitive data, and the ever-evolving regulatory landscape.
The role of a CISO requires balancing proactive risk mitigation with the ability to respond swiftly to incidents and breaches.
This article will delve into the top challenges CISOs face, including protecting digital assets, managing security incidents, ensuring compliance, dealing with insider threats, and the relentless pursuit of cyber resilience.
By understanding these challenges, CISOs can develop robust cybersecurity strategies and lead their organizations toward a secure and resilient future.
Who is a CISO?
Chief Information Security Officer (CISO) is a senior executive responsible for overseeing and administering an organization’s information security plan.
A CISO’s primary responsibility is safeguarding the confidentiality, availability, and integrity of an organization’s information assets and systems.
They are accountable for creating and enforcing strategies, policies, and procedures to defend against cyber threats, protect sensitive data, and mitigate security risks.
CISOs play a crucial role in maintaining an organization’s security posture by establishing and enforcing security standards, conducting risk assessments, and implementing appropriate security controls.
They collaborate with other executives, IT teams, and stakeholders to align security initiatives with business objectives and ensure that security measures are integrated into the organization’s operations.
In addition to their technical expertise, CISOs often engage in risk management, incident response planning, security awareness training, and compliance with regulatory requirements.
They stay updated on the latest cybersecurity trends, threats, and technologies to address emerging risks and implement appropriate security measures effectively.
The role of a CISO has become increasingly important as cyber threats evolve in complexity and frequency.
CISOs are responsible for safeguarding the organization’s sensitive information, maintaining the trust of customers and stakeholders, and ensuring business continuity in the face of cybersecurity challenges.
What are all the Roles and Responsibilities of CISO?
Developing and Implementing Information Security Strategy: The CISO is responsible for developing and implementing an overarching information security strategy aligned with the organization’s business objectives. This includes setting security goals, defining security policies and procedures, and establishing risk management frameworks.
Leading the Security Team: The CISO manages and provides leadership to the security team, including hiring, training, and supervising security personnel. They ensure the team has the necessary skills, resources, and support to carry out their responsibilities effectively.
Overseeing Security Operations: The CISO oversees day-to-day security operations, including incident response, vulnerability management, threat intelligence, and security monitoring. They ensure appropriate controls, technologies, and processes are in place to protect the organization’s assets.
Risk Management: The CISO is responsible for identifying and assessing security risks to the organization’s information systems and assets. They develop and implement risk management strategies to safeguard critical data and systems, including risk mitigation, transfer, and acceptance.
Compliance and Regulatory Requirements: The CISO ensures that the organization complies with relevant security regulations, industry standards, and legal requirements. They stay updated on emerging regulations and ensure appropriate controls and processes are in place to meet compliance obligations.
Security Incident Response: The CISO leads the organization’s response to security incidents, including data breaches, malware attacks, and other security breaches. They establish incident response plans, coordinate efforts, and collaborate with relevant stakeholders, such as legal, PR, and law enforcement agencies.
Security Awareness and Training: The CISO promotes a culture of security awareness throughout the organization. They develop and deliver security awareness programs and training initiatives to educate employees on security best practices and minimize human-related security risks.
Vendor and Third-Party Risk Management: The CISO assesses and manages security risks associated with third-party vendors and partners. They establish vendor security requirements, conduct due diligence, and monitor compliance with security standards and contractual obligations.
Security Governance and Reporting: The CISO provides regular reports and updates on the organization’s security posture to executive management, board members, and other relevant stakeholders. They ensure that security metrics and key performance indicators (KPIs) are established to measure the effectiveness of security programs.
Incident Investigation and Forensics: In the event of security incidents, the CISO oversees the investigation and forensic analysis to identify the root cause, assess the impact, and prevent future occurrences. As required, they collaborate with internal and external resources, such as forensic experts and law enforcement agencies.
Security Challenges CISOs Face
CISOs face various common security challenges as they strive to protect their organizations’ digital assets and information. Perimeter 81 Guide helps CISOs to prevent their network from being at Risk. Some of the key challenges they encounter include:
Sophisticated Cyberattacks: CISOs must defend against increasingly sophisticated cyber threats, including advanced persistent threats (APTs), ransomware attacks, social engineering, and zero-day exploits. These attacks can bypass traditional security measures and require constant vigilance and adaptive security strategies.
Insider Threats: CISOs need to address the risks posed by insiders, including employees, contractors, or partners who have authorized access to systems and data. Insider threats can involve accidental data breaches, negligence, or malicious intent, requiring a balance between enabling productivity and implementing controls to prevent unauthorized access or data leakage.
Compliance and Regulatory Requirements: CISOs must ensure their organizations comply with industry-specific regulations, such as GDPR, HIPAA, PCI-DSS, or SOX, and evolving privacy laws. Navigating complex compliance requirements and maintaining a robust security posture to meet these standards can be a significant challenge.
Cloud Security: As organizations increasingly adopt cloud services and infrastructure, CISOs must address the unique security challenges associated with cloud computing. This includes securing data stored in the cloud, managing access controls, and ensuring the security of cloud service providers (CSPs) and their environments.
Security Skills Gap: CISOs often need more skilled cybersecurity professionals. The industry’s rapid growth and evolving threat landscape have resulted in high demand for cybersecurity talent, making recruiting and retaining qualified professionals challenging.
Third-Party Risk: Organizations rely on third-party vendors and suppliers, introducing potential security risks. CISOs must assess the security posture of third parties, establish contractual security obligations, and monitor their adherence to security standards to mitigate the risk of breaches through these external connections.
Security Awareness and Training: Human error remains a significant factor in cybersecurity incidents. CISOs must promote a strong security culture, provide regular training and awareness programs, and educate employees about cybersecurity best practices to minimize the risk of social engineering, phishing attacks, and other user-related vulnerabilities.
Incident Response and Recovery: CISOs must develop and test robust incident response plans to manage and recover from security incidents effectively. This involves identifying and containing breaches, conducting forensic investigations, and implementing remediation measures to minimize the impact and prevent future incidents.
Emerging Technologies: Adopting technologies like the Internet of Things (IoT), artificial intelligence (AI), and blockchain introduces new security challenges. CISOs must understand the security implications of these technologies, assess risks, and implement appropriate controls to protect against potential vulnerabilities and attacks.
Budget and Resource Constraints: CISOs often face budget limitations and the need to prioritize security initiatives. Balancing the allocation of resources to address immediate security needs while investing in long-term security capabilities can be a significant challenge.
What are the Security Compliance CISO Should Follow
As a Chief Information Security Officer (CISO), there are several security compliance frameworks and regulations that you should consider following, depending on the nature of your organization and its operations. Here are some of the key security compliance frameworks and regulations:
General Data Protection Regulation (GDPR): If your organization deals with the personal data of individuals in the European Union (EU), GDPR sets requirements for the protection, processing, and transfer of personal data. It includes principles for data minimization, consent, data breach notification, and the rights of individuals.
Payment Card Industry Data Security Standard (PCI DSS): PCI DSS applies to organizations that handle credit card information. It sets requirements for securing payment card data, including network security, encryption, access controls, and regular vulnerability assessments.
Health Insurance Portability and Accountability Act (HIPAA): HIPAA applies to organizations in the healthcare industry that handle protected health information (PHI). It establishes requirements for the privacy and security of PHI, including access controls, encryption, risk assessments, and breach notification.
Sarbanes-Oxley Act (SOX): SOX applies to publicly traded companies in the United States. It sets requirements for financial reporting and establishes controls and processes to ensure the accuracy and integrity of financial statements. While not solely focused on security, it includes provisions for protecting financial data.
National Institute of Standards and Technology (NIST) Cybersecurity Framework: The NIST Cybersecurity Framework provides guidelines and best practices for managing cybersecurity risks. It covers risk assessment, security controls, incident response, and continuous monitoring.
ISO 27001: ISO 27001 is an international standard that provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It covers various aspects of information security, including risk management, access controls, incident management, and security awareness.
Federal Information Security Management Act (FISMA): FISMA applies to U.S. federal agencies and sets requirements for securing federal information and systems. It mandates risk assessments, security controls, incident response planning, and continuous monitoring.
Security Challenges CISOs Face to Manage Security Team
Managing a security team as a Chief Information Security Officer (CISO) requires effective leadership, communication, and coordination. Here are some key aspects to consider when managing a security team:
Establish Clear Roles and Responsibilities: Clearly define the roles and responsibilities of each team member to ensure everyone understands their specific duties and areas of expertise. This clarity helps streamline operations and avoid confusion.
Set Goals and Objectives: Define strategic goals and objectives for the security team aligned with the organization’s overall security strategy. Communicate these goals to the team and regularly track progress to ensure everyone is working towards the same objectives.
Provide Guidance and Mentorship: Offer team members guidance, mentorship, and professional development opportunities. Encourage skill development, certifications, and staying up-to-date with the latest security trends and technologies—support team members in their career growth.
Foster Collaboration and Communication: Promote a collaborative and open communication culture within the team. Encourage knowledge sharing, cross-functional collaboration, and effective communication channels. Regular team meetings, brainstorming sessions, and updates are valuable for aligning efforts.
Support Decision-Making: Empower team members to make decisions within their areas of responsibility. Provide guidance and support when needed, but encourage autonomy and ownership in decision-making. Foster an environment where team members feel comfortable taking calculated risks.
Establish Incident Response Procedures: Develop clear incident response procedures and ensure the team is well-prepared to handle security incidents effectively. Conduct regular drills, tabletop exercises, and simulations to test and improve the team’s incident response capabilities.
Stay Informed and Adapt: Stay up-to-date with the latest security threats, industry trends, and best practices. Encourage continuous learning and professional development for the team. Adapt security strategies and measures as the threat landscape evolves.
Collaborate with Other Departments: Work closely with other departments, such as IT, legal, HR, and executive management, to ensure security initiatives are aligned with business objectives and integrated into overall organizational operations. Build relationships and foster a culture of security awareness throughout the organization.
Regularly Evaluate and Improve: Regularly evaluate the team’s performance, processes, and procedures. Collect feedback from team members and stakeholders to identify areas for improvement. Implement changes and adjustments as necessary to enhance the team’s effectiveness and efficiency.
Lead by Example: Demonstrate strong leadership skills, integrity, and a commitment to security best practices. Lead by example in adhering to security policies and procedures. Encourage a positive and supportive work environment.
Final Thoughts
CISOs face many common security challenges as protectors of their organization’s digital assets and information.
From sophisticated cyberattacks and insider threats to compliance requirements and resource constraints, these challenges highlight the complex and evolving nature of the cybersecurity landscape.
CISOs must navigate these challenges by adopting a proactive and strategic approach to security, leveraging advanced technologies, fostering a strong security culture, and collaborating with stakeholders.
To overcome these challenges, CISOs must stay abreast of emerging threats, continuously evaluate and improve their security measures, and prioritize investments in critical security capabilities.
They must also foster strong partnerships with internal teams, third-party vendors, and industry peers to collectively address security challenges and share best practices.
While the security challenges CISOs face may seem daunting, they also present opportunities for innovation and growth.
By effectively addressing these challenges, CISOs can enhance their organizations’ security posture, safeguard critical assets, and instill confidence in customers and stakeholders.
Ultimately, the role of a CISO requires a comprehensive and adaptable approach to cybersecurity, where staying one step ahead of threats and continuously improving security measures are paramount.
By embracing these challenges, CISOs can help shape a secure and resilient future for their organizations in an increasingly interconnected and threat-filled digital landscape.
CISOs can and should push back when they’re presented with budget costs that affect the business. Here’s how.
Today’s enterprise security executives face situations that could really hurt the company’s bottom line. Security teams are trying to modernize security operations in an increasingly porous network environment with ever more sophisticated threats. There are also economic pressures from layoffs, budget cuts, and restructuring.
Even worse, CFOs have heard from CISOs the doom-and-gloom predictions of the potential fiscal disaster of data breaches so often that it’s no longer resonating with them.
The doomer scenario is not hypothetical — global compliance requirements and privacy regulations drive the cost of a breach even higher than just the technical costs. However, CFOs and other C-level executives have heard these warnings so often now that it’s just background information that doesn’t drive their decision making.
Is there a more effective way to help the CFO understand why security needs to be far better funded? Yes: Present the CFO with a shared-risk scenario.
Setting Protection Priorities
Allan Alford, who was a CISO in various industries including technology, communications, and business services before morphing into a CISO consultant, says CISOs should use a different approach to describe cybersecurity issues to the CFO. They should begin by asking the CFO to identify the six most important strategic elements of the business — possibly including the supply chain, manufacturing operations, sensitive future product plans, etc. — then detail their plans for protecting each of those critical areas, Alford says.
The CISO can present the situation to the CFO in the following manner: “Thanks for sharing those priorities. Now, you are saying we need to cut the security budget by 37%. Given the state of the economy in our sectors, that is completely understandable. To make the cuts possible, can you tell me which of these six areas I should stop protecting? We will also need to bring in the line-of-business executive so that you can explain how these changes will impact that area.”
Historically, CISOs, CSOs, CROs, and other security-adjacent executives have been good soldiers, accepting the CFO-ordered cuts and deciding where changes have to be made, Alford says. This conflicts with the CISO’s job: to protect the company — including all intellectual property and all assets.
If the CFO decides to cut back security funding, they need to work with the COO, the CEO, the board, and other senior executives to decide which operations they can afford to not protect. It should not be left to the CISO to make those calls or defend the choices.
In fairness, the decision is rarely black-and-white. But if the CISO positions the budget decisions in this manner, the CFO will see the actual business impact the reductions would have. When the CFO is forced to decide where the cuts will happen and to choose which top-priority division is left undefended, the conversation shifts, Alford says. The CISO can say to the CFO, “We’ll jointly figure out what risks are tolerable, but make no mistake: A 37% cut will put various units at extreme risk. Can the business afford that deep a cut in our defenses?”
The CISO can present cost-effective alternatives to reduce security defenses, rather than eliminating them entirely. Now there is the possibility of negotiating a smaller budget cut. Maybe that 37% cut becomes a 23% cut.
Negotiating as a Group
The conversation shouldn’t begin and end with the CFO, says Daniel Wallance, an associate partner with McKinsey. It should involve the board’s risk committee, the CEO, the COO, and other colleagues who have a role in security spending, such as the CIO and the CRO.
“There is also spend coming from risk management [and] compliance on top of IT. I would engage those functions, as they have shared [security] responsibility and they may actually have dedicated resources,” Wallance says. “I need this to not be a one-on-one conversation. I want to make it a group.”
These conversations with other security executives should happen before and after the CFO meeting, but not during.
The CISO needs to meet with the other security players before meeting with the CFO to learn what overlaps and redundancies currently exist. The CISO also needs to know how much budget flexibility those other executives are willing to offer. That will be crucial information to have while working with the CFO. After meeting with the CFO, the CISO can go back to the other executives and see what they can negotiate as a group.
The actual CISO-CFO meeting should be just the two executives, to avoid making the CFO feel ganged up on. The discussion should be as friendly as possible to allow for reasonable compromises.
Involving the board’s risk committee is critical, as it is ultimately the board’s role — working with the CEO — to dictate the company’s risk tolerance. If the CFO’s requested budget reductions conflict with that risk tolerance, the board needs to know about it.
“The CISO should be meeting with the risk committee regularly,” Wallance says. “The business may not understand the implications of the budget cut. The CFO is not the only person at issue here.”
Adapting to Market Conditions
Larger trends in the economy also affect CISO budgetary needs.
There is a realistic existential threat to cyber insurance, the net that CFOs have relied on for more than 20 years. Lloyds of London said that it would stop covering the losses from state actor attacks, which is problematic given how difficult it is to prove an attack’s origin and who funded it. Insurance giant Zurich warned it might abandon cyber insurance entirely. And an Ohio Supreme Court decision raised the prospect of other cyber insurance limitations. Those changes could sharply increase the pressure on the CFO to better fund security, given that the enterprise will now be on the hook for the full amount of damages.
A complicating factor is the much-ballyhooed cybersecurity talent shortage. Whether the gap is as big as some say, it’s true that the cost of talent today is higher than what most budgets allow. So, yes, you will have difficulty finding qualified people, but increase the salary enough and, poof — no more talent shortage.
Richard Haag, the VP for compliance services at consulting firm Intersec Worldwide Inc., maintained that the difficulty in acquiring sufficiently experienced talent is a powerful argument in those CFO discussions.
“[I]n security, labor is about the only thing that can possibly be cut. You can’t just swap out firewalls. These agreements are locked in,” Haag says. “You need to say ‘I can barely protect your top strategic areas now. With the cuts you want, I simply won’t be able to defend your top targets and certainly not your not-so-top targets. I need more people, certainly not fewer people.'”
Alford also suggests the CISO point out how they negotiate lower vendor costs. Document it and share it with the CFO to demonstrate that the budget is being spent wisely.
“Demonstrate your efficiencies by driving vendor discounts as low as you can get them to go. CFOs want to know the money is being well spent, and ‘we got a heck of a deal’ does that well,” Alford says.
Finally, the CISO can also make the case for better security delivering more revenue. Does higher security investment make prospective customers more comfortable? Is lack of security making some existing customers leave? For example, if a financial institution chooses to reimburse customers in all fraud situations — rather than what most FIs do, which is to only reimburse in some situations — it could boast that its customers are better protected against fraud, prompting customers to leave competitors. That move would justify higher cybersecurity spend because of the greater acceptance of fraud costs.
“If you can shorten that sales cycle and prove that security gained more sales, it can be highly persuasive to CFOs: ‘Today, three customers walked away, but tomorrow none will,'” Alford says.
94% of CISOs report being stressed at work, with 65% admitting work-related stress issues are compromising their ability to protect their organization, according to Cynet.
CISOs (Chief Information Security Officers) often face high levels of stress due to the nature of their role. Here are some reasons why CISOs may struggle with stress:
High-stakes responsibility: CISOs are responsible for protecting their organization’s sensitive information and ensuring that the organization’s systems and data are secure from cyber threats. The stakes are high, as a breach could have severe financial, legal, and reputational consequences for the organization. This level of responsibility can create significant stress for CISOs.
Constantly evolving threats: Cyber threats are constantly evolving, which means that CISOs need to stay up-to-date with the latest security trends and technologies. This can be challenging and stressful, as they need to stay one step ahead of cybercriminals.
Budget constraints: CISOs often struggle with limited budgets for their security programs, which can create stress as they need to make tough decisions about where to allocate resources and how to prioritize their security efforts.
Talent shortages: There is a shortage of skilled cybersecurity professionals, which means that CISOs often struggle to find and retain talented staff. This can create stress as they need to find ways to manage their workload and keep their security programs running effectively.
Balancing business needs and security: CISOs need to balance the needs of the business with the need for security, which can create stress as they need to find ways to enable business initiatives while still maintaining a secure environment.
All of these factors can contribute to the high levels of stress that CISOs often experience. To cope with this stress, CISOs may need to develop strong coping strategies such as seeking support from colleagues, practicing self-care, and prioritizing their workload. Additionally, organizations can help by providing their CISOs with adequate resources and support to help them manage their responsibilities effectively.
Among the CISOs surveyed, 100% said they needed additional resources to adequately cope with current IT security challenges.
Stress issues
The lack of bandwidth and resources is not only impacting CISOs, but their teams as well. According to the report, 74% say they are losing team members because of work-related stress issues, with 47% of these CISOs having more than one team member exit their role over the last 12 months.
Relentless stress levels are also affecting recruitment efforts with 83% of CISOs admitting they have had to compromise on the staff they hire to fill gaps left by employees who have quit their job. More than a third of the CISOs surveyed said they are either actively looking for or considering a new role.
“The results from our mental health survey are devastating but it’s not all doom and gloom. Our research found that CISOs know exactly what they need to reduce stress levels: more automated tools to manage repetitive tasks, better training, and the ability to outsource some work responsibilities,” said Eyal Gruner, CEO, Cynet.
“One of the most eye-opening insights from the report was the fact that more than 50% of the CISOs we surveyed said consolidating multiple security technologies on a single platform would decrease their work-related stress levels,” Gruner added.
Key findings from the report include:
77% of CISOs believe that their limited bandwidth and lack of resources has led to important security initiatives falling to the wayside, with 79% of these CISOs claiming they have received complaints from board members, colleagues or employees that security tasks are not being handled effectively.
93% of CISOs believe they are spending too much time on tactical tasks instead of performing strategic, high-value work and management responsibilities. Among the CISOs who believe they are overly invested in tactical tasks, more than a quarter report spending their workday almost exclusively on tactical/operational tasks.
84% of CISOs say they have had to cancel a vacation due to an urgent work matter and 64% report they’ve missed a private event because of work fatigue. More than 90% consistently work 40+ hours per week with no break.
The impact of work-related stress on everyday life
The major takeaway from the survey is that CISOs – and their teams – are suffering from overwhelming amounts of stress and it’s affecting everything from the security of their company to their day-to-day work routines and, ultimately, their life outside of work.
In fact, 77% of CISOs said that work-related stress was directly impacting their physical health, mental health, and sleep patterns.
The company surveyed chief information security officers (CISO) at small to midsize businesses with security teams of five employees or less to better understand their levels of work-related stress and how their mental health is impacting their work life and personal life.
On January 11, 2023, presiding United States District Judge William Orrick in San Francisco denied the motion of Joe Sullivan, the former CISO of Uber, for a judgment of acquittal. The conviction arose from Sullivan’s agreement to pay attackers who breached the security of the online ride-sharing service and obtained personal information about thousands of users, drivers and riders. Sullivan, a lawyer and a former federal computer crime prosecutor himself, was convicted in 2022 by a jury of concealing and not reporting the Uber attack and of obstructing a federal investigation into an earlier Uber attack by the Federal Trade Commission by concealing the new breach.
The case centered on the fact that after Sullivan became aware of the breach, he took steps to prevent the breach from being publicly disclosed—noting that “This can’t get out,” and “We need to keep this tightly controlled.” Sullivan also told the incident response team that “This may also play very badly,” based on previous assertions of lack of adequate security at Uber made by the FTC in a then-ongoing civil investigation of Uber. After the breach was known to Uber, the charges alleged that Sullivan negotiated a nondisclosure agreement with the attackers; under Uber’s then-existing bug bounty program, the company would pay $100,000 if they promised to execute a document indicating that they “Did not take or store any data during or through [their] research,” and that they “Delivered to Uber or forensically destroyed all information about and/or analysis of the vulnerabilities,” the attackers discovered. The nondisclosure agreement provided that the attackers certify that they did not take data that, in fact, they had demonstrably taken.
“Corrupt” Obstruction of an FTC Proceeding
It’s important to note the crimes Sullivan was convicted of. First, he was convicted of violating 18 USC 1505, which relates to the obstruction of some governmental proceeding. In Sullivan’s case, the act of obstruction occurred when he did not reveal to the FTC that Uber had suffered a data breach after the completion of the FTC investigation of a previous data breach and when he paid the attacker to ensure that news of the new breach would not leak.
The trial court rejected Sullivan’s claims that to successfully convict him of obstruction, the government would have to prove that there was some “nexus” or connection between the thing concealed (the new breach) and the proceeding that was obstructed (the investigation of the old breach). The court ruled that no such nexus need have been proven, as long as the jury had evidence that (1) the FTC action was an agency proceeding, (2) Sullivan was aware of the proceeding and that (3) he “intentionally endeavored corruptly to influence, obstruct or impede the pending proceeding.” The court found persuasive the fact that Sullivan knew of (and indeed had testified before) the FTC proceeding, expressed his desire that the new breach be kept secret and had the attackers execute an NDA preventing them from disclosing the breach as evidence of Sullivan’s corrupt intent to conceal the breach from the FTC.
The trial court also rejected Sullivan’s claims that, to corruptly obstruct a proceeding by not disclosing something, the government would have to establish an actual legal duty to disclose that thing. The FTC was investigating a prior breach. There was no evidence that Uber or Sullivan obstructed or impeded the FTC’s investigation of that breach or concealed evidence related to that breach. However, in the course of deciding what sanction the FTC wanted to impose on Uber for the other breach (and the adequacy of Uber’s overall security program), Sullivan and Uber knew that the FTC would want to know about the new breach (which represented a lapse of security). That’s why Sullivan wanted to conceal it.
There are a lot of problems with this theory. Imagine negotiating a plea agreement for someone who was caught shoplifting. In the course of negotiating the plea, the defense lawyer learns (through a privileged conversation) that the defendant has shoplifted other items from other stores after the incident but was never caught. Is there a duty to tell the prosecution? No. In fact, it would violate privilege to do so. What if you instructed the client to either return the items or pay for them (and some extra) in return for the merchant agreeing to “settle” the case and not report it to the prosecution? Would that be “corruptly” obstructing the plea negotiations? What if, in a civil lawsuit, a client answers truthfully that he has never been accused of some relevant wrongdoing? Days after the testimony, the deponent is then accused of that wrongdoing. The testimony was truthful at the time, but certainly, the other side would like to know about the new allegations. Are you required to disclose the new allegations? Can you settle the new charges with an NDA to keep the lawyers from learning about them, or would that constitute an obstruction of a judicial proceeding? Would it matter if the allegations in the new cases had some “nexus” to the one under litigation? Would it matter if the old case had been settled? While the use of the term “corruptly” in the jury instructions implies a requirement of proof that it was the specific intent of the defendant to do something the law prohibited (or refrain from doing something that the law required), it’s not clear what Sullivan did that was “corrupt” if there was no affirmative duty to disclose. Would he still be guilty of obstruction if he did not have the attackers execute an NDA but simply did not tell the FTC of the new breach? And what if the breach were just a vulnerability that was not exploited; certainly something the FTC would want to know. It’s not clear how far the court and DOJ would extend this concept.
Misprison of a Felony
The other crime Sullivan was convicted of was “misprison of a felony,” an archaic common law inchoate crime which punishes anyone with knowledge of the commission of a felony who conceals and does not report the same. The elements of that offense, according to the court, was proof that (1) a federal felony was committed (in this case, “intentionally accessing a computer without authorization and thereby obtaining information from a protected computer, or conspiracy to extort money through a threat to impair the confidentiality of information obtained from a protected computer without authorization”); (2) Sullivan had knowledge of the commission of that felony; (3) Sullivan had knowledge that the conduct was a federal felony; (4) Sullivan failed to notify federal authorities and (5) that he did an affirmative act to conceal the crime. For this offense, there did not have to be a legal duty to disclose the felony, just that there was a felony committed.
Unlike the obstruction statute, the misprision statute requires evidence of concealment. The court held that “[t]he $100,000 payment to the hackers and NDA support this, specifically the provision where the hackers promised that they ‘have not and will not disclose anything about the vulnerabilities’ or their conversations with Uber without written permission.”
I don’t doubt that a prime motivation for paying the very high “bounty” to the hackers and having them execute the NDA was to keep quiet the attack and the vulnerabilities that were exploited.
On the other hand, responsible disclosure principles and bug bounty programs themselves often demand secrecy. This would be particularly true for a vulnerability for which no patch existed. Microsoft’s bug bounty program notes:
CONFIDENTIALITY OF SUBMISSIONS/ RESTRICTIONS ON DISCLOSURE Protecting customers is Microsoft’s highest priority. We endeavor to address each Vulnerability report in a timely manner. While we are doing that we require that Bounty Submissions remain confidential and cannot be disclosed to third parties or as part of paper reviews or conference submissions. You can make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is fixed. We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for 30 days after the Vulnerability is fixed. Microsoft will notify you when the Vulnerability in your Submission is fixed. You may be paid prior to the fix being released and payment should not be taken as notification of fix completion. VIOLATIONS OF THIS SECTION COULD REQUIRE YOU TO RETURN ANY BOUNTIES PAID FOR THAT VULNERABILITY AND DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE.
Of course, this compares apples with oranges. The Microsoft program is not a permanent ban on disclosure—just enforcing a responsible disclosure. In addition, the MS program relates to any relevant disclosures—vulnerabilities, attacks, etc., and not just actions which would constitute a “felony.” Does “conceal and not report” mean “conceal and never report”?
But companies have many reasons for not wanting to disclose felonies that have been committed against them. An employee steals from the company and is terminated with an NDA and a non-disparagement agreement. The company does not report the theft. Did they “conceal and not report” a felony? Certainly, or take a sextortion case where attackers obtain access to someone’s sexually explicit files or pictures and threaten to release them if a cryptocurrency payment is not made. The victim pays the ransom to avoid publicizing the fact that the images exist. Did they “conceal and not report” the felony extortion scheme? You betcha. And if payment of a ransom in a ransomware situation is partially motivated by the company’s desire to avoid publicly disclosing the fact that they were hit by ransomware (and partly to get their files back and get back to work), they are subject to prosecution under the misprision statute.
An overwhelming trend since the 1990’s has been to require companies to report—either to the public, to data protection authorities, to law enforcement, to regulators or to third parties by contract—data breaches, incidents and, in some cases, material vulnerabilities. The Sullivan case rests on the principle that, even if there is no duty to report it, you may find yourself in legal trouble if you don’t.
The research shows the CISO seat to be relatively industry-agnostic—with 84% of CISOs having a career history of working across multiple sectors—with today’s CISOs expected to bring more breadth of leadership to their role as they move away from being technical experts.
“Today’s CISOs are taking up the mantle of responsibilities that have traditionally fallen solely to the CIO, which is to act as the primary gateway from the tech department into the wider business and the outside marketplace,” said James Larkin, Managing Partner at Marlin Hawk.
“This widening scope requires CISOs to be adept communicators to the board, the broader business, and the marketplace of shareholders and customers. By thriving in the ‘softer’ skill sets of communication, leadership, and strategy, CISOs are now setting the new industry standards of today and, I predict, will be progressing into the board directors of tomorrow.”
Key findings from the report include:
CISO profiles have changed dramatically—36% of CISOs analyzed with a graduate degree received a higher degree in business administration or management. This is down 10% from last year (46% in 2021). Conversely, there has been an increase to 61% of CISOs receiving a higher degree in STEM subjects (up from 46% in 2021).
More CISOs are being hired internally—Approximately 62% of global CISOs were hired from another company, indicating a slight increase in the number of CISOs hired internally (38% hired internally compared to 36% in 2021), but a large gap remains in appropriate successors.
CISO turnover rates have declined—but still remain high with 45% of global CISOs having been in their current role for two years or less, down from 53% in 2021, with 18% turnover year-over-year.
CISO roles continue to become more complex
“I would say that you shouldn’t have the CISO title if you’re not actively defending your organization; you have to be in the trenches,” said Yonesy Núñez, CISO, Jack Henry Associates. “I also feel that over the last eight to 10 years, the CISO role has become a CISO plus role: CISO plus engineering, CISO plus physical security, CISO plus operational resiliency, or CISO plus product security. As a result, we’ve seen multiple CISOs that have done a great job with cybersecurity, fusion centers, SOC, and leadership. This has paved the way for the CISO office to become a business enabler and also a transformational technology function.”
Kevin Brown, a seasoned cybersecurity executive, added, “We have over 100 countries at this point with their own data privacy legislation that makes doing global business in a compliant manner trickier than it used to be. As a result, in most organizations we’re seeing a tighter connection and collaborative spirit between data officers, CISOs, legal teams and marketing. CISOs have to be in the know on all priorities for these different sectors of the business so they can take them into account when writing policies—it’s a more complex job than it ever used to be.”
More organizations are appointing CISOs from within
The research shows a decrease in the percentage of CISOs hired externally (62%) in the last year, compared to 2021 (64%), indicating a potential shift towards an organization’s next CISO already operating inside the business.
Larkin went on to say, “As the importance of information security has grown, boards of directors, regulators, and shareholders have demanded greater controls, better risk management as well as more people and departments focusing on defending a company and its assets. Fortunately, this has had the positive side effect of creating more internal succession for the CISO position—organizations can look for risk and control focused talent in more places than just the office of the CISO.”
“Now candidates are being internally promoted to the role of CISO from IT Risk, Operational Risk Management, IT Audit, Technology Risk & Controls, among others,” Larkin added. “Not only does this give regulators more comfort that there are multiple sets of eyes on this at the leadership level, but it has also vastly increased the size of the succession talent pool and is helping to future-proof the information security industry as a whole.”
CISO turnover rates are still high for several reasons
“The not-so-secret secret is that no CISO can accomplish much in one or two years. Most CISOs change roles because of one of three reasons,” shares Shamoun Siddiqui, CISO at Neiman Marcus Group.
“First, their skillset is not up to par, and they get quietly pushed out by the company. Due to the extremely high demand for security leaders, often individual contributors get elevated to the role of CISO, and they get overwhelmed within months. Second, they have an insurmountable task with unrealistic expectations, and there is a lack of support from their peers and from the leadership of the company. The company may be paying lip service to cybersecurity but may not be forward-thinking enough to make it a priority. Third, they just get enticed by a better offer from somewhere else. There is such a shortage of security professionals and security leaders that companies keep offering increasingly high salaries and benefits to CISOs.”
Another factor leading to high turnover is poor hiring decisions that are a result of a lack of scrutiny and due diligence in the recruiting process. While the immediate need may outweigh a more thorough vetting, fast tracking a CISO hire can have adverse effects if there are other, more suitable candidates out there.
A global survey from recruitment firm Marlin Hawk that polled 470 CISOs at organizations with more than 10,000 employees found nearly half (45%) have been in their current role for two years or less.
James Larkin, managing partner for Marlin Hawk, said that rate is slightly lower than the previous year when the same survey found 53% of CISOs had been in their positions for less than two years.
Overall, the survey found that current turnover rates are at 18% on a year-over-year basis. Approximately 62% of CISOs were hired from another company, compared to 38% that were promoted from within, the survey also found.
However, only 12% of CISOs are reporting directly to the CEO, while the rest report to other technology leadership roles, the survey revealed. It also found that more than a third of CISOs (36%) that have a graduate degree also received a higher degree in business administration or management, a 10% decline from the previous year. A total of 61% have higher degrees in another STEM field, the survey found.
Finally, the survey showed only 13% of the respondents are female, while only 20% are non-white.
The role of the CISO continues to expand—and with it the level of stress—as cyberattacks continue to increase in volume and sophistication, noted Larkin. It’s not clear whether or how much stress levels are contributing to CISO turnover rates, but it is one of the few 24/7 roles within any IT organization, added Larkin.
The role of the CISO has also come under more scrutiny in the wake of the conviction of former Uber CISO Joe Sullivan on charges of obstruction. Most CISOs view their role as defending the corporation but, in general, Larkin noted that most of them would err on the side of transparency when it comes to managing cybersecurity.
The one certain thing is that CISOs are more valued than ever. A PwC survey of 722 C-level executives found that 40% of business leaders ranked cybersecurity as the number-one most serious risk their organizations faced. In addition, 58% of corporate directors said they would benefit most from enhanced reporting around cybersecurity and technology.
As a result, nearly half of respondents (49%) said they were increasing investments in cybersecurity and privacy, while more than three-quarters (79%) said they were revising or enhancing cybersecurity risk management.
As a result, CISOs generally have more access to resources despite an uncertain economy. The issue is determining how best to apply those resources given the myriad platforms that are emerging to enhance cybersecurity. Of course, given the chronic shortage of cybersecurity talent, the biggest challenge may simply be finding someone who has enough expertise to manage those platforms.
In the meantime, most of the training CISOs and other cybersecurity professionals receive will continue to be on the job. CISOs, unlike other C-level roles that have time available for more structured training, don’t have that luxury.
The coming new year is a good moment for chief information security officers to reflect upon what they’ve learned this year and how to apply this knowledge going forward.
“If companies are not going to learn these lessons and mature their security practices, we will see increased scrutiny in audits and third-party risk assessments, and this may have a financial, reputational, operational, or even compliance impact on their business,” says Sohail Iqbal, CISO at Veracode.
1. Don’t wait for a geopolitical conflict to boost your security
2. The population of threat actors has exploded, and their services have become dirt cheap
3. Untrained employees can cost a company millions of dollars
4. Governments are legislating more aggressively for cybersecurity
5. Organizations should keep better track of open-source software
6. More effort should be put into identifying vulnerabilities
7. Companies need to do more to protect against supply chain attacks
8. Zero trust should be a core philosophy
9. Cyber liability insurance requirements might continue to increase
10. The “shift-left” approach to software testing is dated
11. Using the wrong tool for the wrong asset will not fix the problem
12. Organizationsneed help understanding their complete application architectures
The Cybersecurity and Infrastructure Security Agency (CISA) is an agency of the United States Department of Homeland Security. CISA is in charge of enhancing cybersecurity and infrastructure protection at all levels of government, coordinating cybersecurity initiatives with American U.S. states, and enhancing defenses against cyberattacks.
To assist businesses in enhancing their security capabilities, CISA offers free cybersecurity products and services.
Cyber Hygiene Vulnerability Scanning
You can register for this service by emailing vulnerability@cisa.dhs.gov. Scanning will start within 3 days, and you’ll begin receiving reports within two weeks. Once initiated, this service is mostly automated and requires little direct interaction.
Cybersecurity Evaluation Tool (CSET)
This tool provides organizations with a structured and repeatable approach to assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.
Checklist for implementing cybersecurity measures
This document outlines four goals for your organization:
Reducing the likelihood of a damaging cyber incident
Detecting malicious activity quickly
Responding effectively to confirmed incidents
Maximizing resilience.
Known Exploited Vulnerabilities (KEV) Catalog
The KEV Catalog enables you to identify known software security flaws. You can search for software used by your organization and, if it’s found, update it to the most recent version in accordance with the vendor’s instructions.
Malcolm network traffic analysis tool suite
Malcolm is comprised of several widely used open source tools, making it an attractive alternative to security solutions requiring paid licenses.
The tool accepts network traffic data in the form of full packet capture (PCAP) files and Zeek logs. Visibility into network communications is provided through two interfaces: OpenSearch Dashboards, a data visualization plugin with dozens of prebuilt dashboards providing an at-a-glance overview of network protocols; and Arkime, a tool for finding and identifying the network sessions comprising suspected security incidents. All communications with Malcolm, both from the user interface and from remote log forwarders, are secured with industry standard encryption protocols.
Malcolm operates as a cluster of Docker containers, isolated sandboxes which each serve a dedicated function of the system.
Vulnerability management has always been as much art as science. However, the rapid changes in both IT networks and the external threat landscape over the last decade have made it exponentially more difficult to identify and remediate the vulnerabilities with the greatest potential impact on the enterprise.
With a record of 18,378 vulnerabilities reported by the National Vulnerability Database in 2021 and an influx of new attack techniques targeting increasingly complex and distributed environments, how can CISOs know where to start?
Why has maintaining network visibility become such a challenge?
Heavy investments into digital transformation and cloud migration have rendered significant, foundational changes to the enterprise IT environment. Gartner predicts end-user spending on public cloud services will reach almost 600 billion in 2023, up from an estimated $494.7 billion this year and $410.9 in 2021.
Long gone are the days when security teams could concern themselves only with connections to and from the data center; now they must establish effective visibility and control of a sprawling, complex network that includes multiple public clouds, SaaS services, legacy infrastructure, the home networks of remote users, etc. Corporate assets are no longer limited to servers, workstations, and a few printers; teams must now secure virtual machines on premise and in the cloud, IoT devices, mobile devices, microservices, cloud data stores, and much more – making visibility and monitoring infinitely more complex and challenging.
In many cases, security investments have not kept up with the rapid increase in network scope and complexity. In other cases, agile processes have outpaced security controls. This results in security teams struggling to achieve effective visibility and control of their networks, resulting in misconfigurations, compliance violations, unnecessary risk, and improperly prioritized vulnerabilities that provide threat actors with easy attack paths.
Adversaries are specifically targeting these blind spots and security gaps to breach the network and evade detection.
What are the most common mistakes being made in attempting to keep up with threats?
With the average cost of a data breach climbing to $4.35 million in 2022, CISOs and their teams are under extraordinary pressure to reduce cyber risk as much as possible. But many are hindered by a lack of comprehensive visibility or pressure to deliver agility beyond what can be delivered without compromising security. One of the most common issues we encounter is an inability to accurately prioritize vulnerabilities based on the actual risk they pose to the enterprise. With thousands of vulnerabilities discovered every year, determining which vulnerabilities need to be patched and which can be accepted as incremental risk is a critical process.
The Common Vulnerability Scoring System (CVSS) has become a useful guidepost, providing security teams with generalized information for each vulnerability. Prioritizing the vulnerabilities with the highest CVSS score may seem like a logical and productive approach. However, every CISO should recognize that CVSS scores alone are not an accurate way to measure the risk a vulnerability poses to their individual enterprise.
To accurately measure risk, more contextual information is required. Security teams need to understand how a vulnerability relates to their specific environment. While high-profile threats like Heartbleed may seem like an obvious priority, a less public vulnerability with a lower CVSS score exposed to the Internet in the DMZ may expose the enterprise to greater actual risk.
These challenges are exacerbated by the fact that IT and security teams often lose track of assets and applications as ownership is pushed to new enterprise teams and the cloud makes it easier than ever for anyone in the enterprise to spin up new resources. As a result, many enterprises are riddled with assets that are unmonitored and remain dangerously behind on security updates.
Why context is critical
With resources like the National Vulnerability Database at their fingertips, no CISO lacks for data on vulnerabilities. In fact, most enterprises do not lack for contextual data either. Enterprise security, IT, and GRC stacks provide a continuous stream of data which can be leveraged in vulnerability management processes. However, these raw streams of data must be carefully curated and combined with vulnerability information to be turned into actionable context – and it is this in this process where many enterprises falter.
Unfortunately, most enterprises do not have the resources to patch every vulnerability. In some circumstances, there may be a business case for not patching a vulnerability immediately, or at all. Context from information sources across the enterprise enables standardized risk decisions to be made, allowing CISOs to allocate their limited resources where they will have the greatest impact on the security of the enterprise.
Making the most of limited resources with automation
There was a time when a seasoned security professional could instinctively assess the contextual risk of a threat based on their experience and familiarity with the organisation’s infrastructure. However, this approach cannot scale with the rapid expansion of the enterprise network and the growing number of vulnerabilities that must be managed. Even before the ongoing global security skills shortage, no organization had the resources to manually aggregate and correlate thousands of fragments of data to create actionable context.
In today’s constantly evolving threat landscape, automation offers the best chance for keeping up with vulnerabilities and threats. An automated approach can pull relevant data from the security, IT, and GRC stacks and correlate it into contextualized information which can be used as the basis for automated or manual risk decisions.
Nearly a third of CISOs or IT security leaders in the United States and the United Kingdom are considering leaving their current role, according to research by BlackFog.
Of those considering leaving their current role, a third of those would do so within the next six months, according to the survey, which polled more than 500 IT security leaders.
The report also found that, among the top issues security pros have with their current role, the lack of work-life balance is the most troublesome—cited by three in 10 survey respondents.
More than a quarter (27%) of respondents said that too much time was spent on firefighting rather than focusing on strategic issues.
Twenty percent said they felt that keeping their teams’ skill levels in line with new frameworks and models such as zero-trust was a “serious challenge”, while 43% of respondents said they found it difficult to keep pace with the newest innovations in the cybersecurity market.
Using Automation to Ease the Pressure
Phil Neray, vice president of cyber defense strategy at CardinalOps, a detection posture management company, said both CISOs and security operations center (SOC) personnel take pride in being cybersecurity defenders for their organizations and both groups feel the pain of information overload and constantly being on call to respond to the latest emergencies.
“What needs to change? The CISO’s peers in the business need to understand that cybersecurity risk is a top business risk, not just an IT issue, and they need to allocate higher budgets to support a higher level of staffing in the SOC,” he said.
In addition, Neray said by investing in more automation for the SOC, CISOs and their teams will be freed from performing mundane tasks.
“This way, they can direct their human creativity and innovation toward proactive activities like threat hunting and remediating gaps in their defensive posture, rather than always being reactive,” he explained.
Darren Guccione, CEO and co-founder at Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, added that there is “absolutely no denying” that being a CISO is one of the most difficult and demanding roles in any company.
“The board of directors and fellow business leaders must support their CISO’s priorities and needs, particularly when they’re faced with a cyberattack or data breach,” he said. “Without that support, talented CISOs won’t stick around as there are plenty of other job opportunities awaiting them.”
Indeed, the BlackFog report noted recruiting is a challenge globally and with stiff competition to attract the best talent, organizations need to address the well-being and work-life balance issues that have persisted across the industry.
Acknowledging CISO Burnout
Sounil Yu, CISO at JupiterOne, a provider of cybersecurity asset management and governance solutions, noted that CISOs face an uncommonly high risk of burnout due to the nature of security work.
“Burnout is more common than most realize,” he said. “Acknowledging burnout risks is an important way to be supportive and to let team members know that they are not alone.”
Yu pointed out that CISOs cannot personally shoulder the burden of mitigating burnout.
“Instead, CISOs should educate their company’s board and fellow executive leaders on security burnout risks and collaborate with HR to improve resources such as employee resource programs, flexible working arrangements and systems of reward and recognition,” he said.
John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company, said CISOs are facing the same burnout risk as cybersecurity professionals with one key difference–the CISO is the designated ‘throat to choke’ when things go awry.
“One of the biggest changes to be made in the C-suite to improve the situation for security leaders would be focusing on freeing the CISO to work on strategic issues,” he says. “Constant firefighting burns out everyone up and down the ladder. You can handle that with line staff with job rotation, but the CISO needs to have the resources to make their life better overall.”
Bambenek added that mandatory PTO that involves someone else tending to the fires while the CISO is gone would help, too.
“PTO where you are still on call isn’t PTO,” he noted. “It’s just working from home.”
He explained that organizations that are well-funded should have emerging technology labs where they can explore both new technology and new security tools to help address the challenges CISOs are facing.
“A big part of this problem is threats evolve with rapid changes in technology—security is playing catch-up behind both,” Bambenek said.
CISOs are working overtime and can’t always switch off from work, according to a recent Tessian report.
Recent headlines have shown that security stakes have never been higher, and it’s likely this high level of pressure that’s causing 18% of security leaders to work 25 extra hours a week. That’s double the amount of overtime that they worked in 2021. While many are hopping on the “quiet-quitting” trend, CISOs have the opposite problem.
In this Help Net Security video, Josh Yavor, CISO at Tessian, offers a personal perspective on dealing with burnout as a CISO.
As data breaches’ financial and reputational costs continue to reach new heights, cybersecurity should be on top of mind for leadership across every industry.
Recent Proofpoint research found that 65% of board members believe their organization is at risk of material cyber attack in the next 12 months. Worryingly, 47% feel their organization is unprepared to cope with a targeted attack.
In this Help Net Security interview, Chris Konrad, Area Vice President of Security, Global Accounts at World Wide Technology, offers advice to CISOs that are increasingly under pressure, discusses using a security maturity model, discusses interesting security technologies, and more.
What advice would you give to a newly appointed CISO that strives to improve security strategy?
CISOs can no longer focus strictly on developing technical capabilities and protecting their organizations. Executives and boards are looking to CISOs to make investments that drive growth with a holistic security framework.
First, every CISO needs to know what their board’s mission and vision are, as well as what their risk appetite and tolerance are. You can’t secure what you can’t see. No security program can fully eliminate risk or human error, but a mature approach to cybersecurity can mitigate the risks that pose the most danger to organizational objectives and success.
The next step is conducting a comprehensive cybersecurity program assessment to know at what level of risk you are operating. This type of analysis provides rich insights that can be actioned to increase your security program maturity. This analysis also helps to maximize the use of people, processes and technology to reduce risk and increase efficiencies.
Risk management should be a C-suite priority because it is one of the single most important determinants of business value realization. Risk management is the system by which an organization’s portfolio is directed and controlled.
How can an organization leverage a security maturity model to assess its current infosec position?
A security maturity model can help CISOs measure, communicate and visualize improvements and investments in the security program. There are many different maturity models available to help you measure a security program. One I like is the Capability Maturity Model Integration (CMMI), a process improvement maturity model for the development of products and services, developed and published by the Software Engineering Institute of Carnegie Mellon University in Pittsburgh.
Using CMMI in combination with the National Institute of Standards and Technology (NIST), an organization can have one axis measuring people, process and technology and the other axis measuring maturity from nonexistent capability to optimized.
Of course, there is not a one-size-fits-all approach – so security teams must also work with the business to understand what is key to success, and ultimately, growth.
What cybersecurity technologies are you excited about? What can make a difference in this fast-paced threat landscape?
Most organizations are doing some form of tools rationalization or platform consolidation to get a better handle on their investments and reduce overlapping capability and spend. However, there are a few technologies that have caught my eye.
For me, I love seeing how AIOps can help organizations detect, assess and eliminate potential security vulnerabilities — before they are exploited by adversaries or those acting in bad faith. AIOps is starting to transform the way organizations tackle the complex cybersecurity ecosystem.
Innovative organizations, like Cribl, can receive machine data from any source and cleanse and enrich your data before routing it to any logging or SIEM platform, like Splunk, to reduce the total amount of data that needs to be managed. CrowdStrike is enhancing observability through modern log management with LogScale, which is built to ingest and retain streaming data as quickly as it arrives, regardless of volume. Alerts, scripts and dashboards are updated in real-time, and Live Tail and retained data searches have virtually no latency.
What are the biggest challenges the cybersecurity industry will face in the next five years?
Among the biggest challenges are that our adversaries are getting smarter, and they are leveraging much of the same technology that we use to defend ourselves. There is also a wider, and perhaps more concerning, issue around the shortage of skilled resources at a global level. Cybersecurity is one of the most important industries to safeguard our democratic value but more often than not, it’s seen as an overly technical, and therefore, not attractive career. We need to be shining the light on more routes into cyber roles and also accelerating diversity.
One area that’s often overlooked is identifying people within your organization and up-leveling them. Of course, those with earned experience have the hard skills to succeed, but I think an enthusiasm and drive to achieve is just as important. And by prioritizing STEM in early education, we further raise awareness of the field.
World Wide Technology employs thousands of professionals in the STEM fields across the globe and understands the urgency of supporting future tech leaders. WWT annually hosts its STEM Student Forum, an initiative dedicated to educating high school students on the importance of STEM disciplines and the opportunities they present, while also creating positive change in the St. Louis metropolitan area, where WWT’s global headquarters is located.
Not too long ago, the role of chief information security officer was a purely technical position designed to help an organization overcome cybersecurity challenges. Today, however, the CISO role has evolved — growing both in responsibility and stature within a company. The CISO is now a critical member of the executive team, responsible for tying not only cybersecurity, but overall risk management, to the company’s business strategy and operations.
The modern CISO is involved in strategic decision-making, for example, ensuring the business securely embraces digital transformation while assuring the board, clients, and investors that cyber capabilities and defenses are active and evolving with current threats. And they are responsible for leveraging people, processes, and technologies to enable their organization to fulfill its overarching business objectives securely.
Given this evolution in responsibilities, a CISO’s first 90 days on the job should look a lot different today than it did even several years ago.
The First 90 Days
While many CISOs want to immediately demonstrate value by jumping in with big ideas and projects on day one, they will be able to make much more of a long-term impact if they first take the time to understand the company’s mission, values, and business objectives. They also need to get up to speed on core activities, products, services, research and development, intellectual property, and merger and acquisition plans. And they need to understand all potential issues, previous breaches, regulatory or external obligations, and existing technical debt.
With this in mind, here are a few recommendations on what a CISO’s focus should be during their first 90 days on the job.
Gain An Understanding of the Organization’s Larger Mission and Culture
The very first day, begin to deploy a collection of interview and interrogation techniques with a goal of understanding the business, its purposes and its priorities. Interview your employees, midlevel business leaders, and customers to get a sense of all key stakeholders, initial pain points, and how mature the cybersecurity culture is within the organization. Finally, gently interrogate your partners, suppliers, and vendors to determine who is just selling and who is a trusted advisor. Going through this process will open lines of communication, uncover challenges, and help build a 90-day action plan and road map.
Identify the Crown Jewels
Determine which data and systems underpin the company’s strategic mission and core competencies, represent intellectual property, differentiate the enterprise from its competitors, or support major customer segments or revenue lines. These crown jewels are the digital assets that are most likely to be targeted by threat actors, and thus must have their cyber-hygiene efforts accelerated. If the C-suite and board understand these critical areas, they can tell you their risk appetite, and you can implement security strategies accordingly.
Develop a Plan Based on the Company’s Current IT and Business Landscape
Once assets are identified and prioritized, develop a written risk management plan with checklists for deliverables, structure and communication between key internal and external stakeholders. On this latter point, the CISO always must act as an information broker and as a partner to all the key organizational decision-makers. One effective way to do this is to establish formal and informal communication with these roles, so the organization can move forward strategically.
Master the Basics
There are many technologies needed to secure the modern company, but there are a few must-haves that should be implemented right away, if they aren’t already. These are baseline controls, including vulnerability management and anti-malware defenses for the endpoint, and non-negotiable controls, including multifactor authentication, sensitive data encryption, application whitelisting, 24/7 security monitoring, file integrity monitoring, privileged access management, network segmentation, data loss prevention, and a rigorous assessment and audit function connected to vulnerability and patching strategies.
Implement Benchmarks
Prove the value of security plans, processes, and technologies to the C-suite, business unit executives, and the board by implementing benchmarks and maturity assessments that show how the company stacks up against competitors, how security strategies stack up against industry best practices and frameworks, and how security initiatives are enabling the business with secure operations.
Always Treat Security as a Business Problem
Security incidents can result in myriad consequences on the business, and conversely, strong security can help the business succeed in a secure fashion. This is why it’s so important that IT and security teams always remain integrated with the business side of the organization. As part of this, ensure ongoing communication and collaboration between executive leaders, the board, and security leaders. When management understands the business risks posed by cybersecurity threats, they’ll be more apt to pay attention and participate in security efforts.
At the end of the first 90 days, a CISO should be able to answer questions such as: How well protected is the organization? What is our capability maturity against industry standard frameworks? What are our most critical vulnerabilities and cyber-risk scenarios? What data is most important to the organization? What data risks could have the most significant negative impact on the organization? And what will it take to improve the organization’s security posture, and do we have a road map?
While this may seem like a lot to get to the bottom of in a three-month timespan, following these six steps will set your company up for both short- and long-term security and business success.
The role of the Chief Information Security Officer (CISO) is a relatively new senior-level executive position within most organizations, and is still evolving.
To find out how current CISOs landed in that role, their aspirations, the compensation they receive, and which risks they face and responsibilities they shoulder, analysts with international executive search firm Heidrick & Struggles have asked 327 CISOs (and CISOs in all but name) to participate in their 2022 Global CISO Survey.
The results of the survey revealed these main takeaways:
Who reports to CISOs and to whom do the CISOs report?
The main organizational functions that report to CISOs are SecOps (88%); governance, risk, and compliance (87%); penetration testing (87%); security architecture (86%); product and application security (79%); and business continuity planning or disaster recovery (79%).
CISOs mostly report to the CIO (38%); the CTO or senior engineering executive (15%); the COO or CAO (9%); the global CISO (8%); and the CEO (8%). But 88% of them also report to the company board and/or advisory committee.
CISO roles are often terminal
Most CISOs move laterally into their current role and the career path forward for CISOs is most often to another CISO role, the analysts found.
If they were not CISOs before – and 53% of them were! – they were mostly a deputy CISO, a regional or business unit CISO, and the senior information security executive in their organization.
Many CISOs aspire to be a board member next, but that ambition is unlikely to be realized. Even though cybersecurity experience is sorely needed on boards, many boards still frequently prefer board members with prior board experience, the analysts pointed out.
The Chief Security Officer (CSO) or the Chief Information Officer (CIO) roles are also coveted by many of the respondents.
Threats CISOs are facing and personal risks they are worried about
CISOs say ransomware attacks are the most significant cyber risk to their organization (67%), followed by insider threats (32%) and nation/state attacks (31%).
On a more personal note, CISOs are most worried about stress related to the role (59%) and burnout (48%), and much less about job loss as a result of a breach (25%) or being faced with personal financial accountability for a breach (11%).
“Our survey responses here tell a few different stories,” the analysts noted.
“One is that there is burnout and stress associated with this role, which should lead organizations to consider succession plans and/or retention strategies so that CISOs don’t make unnecessary exits. The second story is that CISOs feel relatively secure in their jobs—job loss as a result of a breach wasn’t the highest risk. That is, in part, because the best CISOs are able to command executive-level protections (D&O insurance coverage and severance, for example) that enable them to do their jobs unencumbered by the threat of career risk.”
CISO compensation keeps rising
“In the United States, reported median cash CISO compensation has risen to $584,000 this year, up from $509,000 last year and $473,000 in 2020. Median total compensation, including any annualized equity grants or long-term incentives, also increased, to $971,000 from $936,000,” the company found.
New CISOs, in particular, saw the highest rises in overall compensation – probably because talent to fill out the role is hard to find and organizations are competing fiercely to take hold of it.
In the UK, the median cash CISO compensation has risen to £318,000 this year, but there was a 14% drop in annual equity.
For those interested, Heidrick & Struggles’s report offers more granular insight on the various factors that impact CISO compensation in different geographical locations.
A poor, permanent hire can be a very expensive error, whereas a mis-hire on a virtual CISO can be rapidly corrected.
The cybersecurity challenges that companies are facing today are vast, multidimensional, and rapidly changing. Exacerbating the issue is the relentless evolution of threat actors and their ability to outmaneuver security controls effortlessly.
As technology races forward, companies without a full-time CISO are struggling to keep pace. For many, finding, attracting, retaining, and affording the level of skills and experience needed is out of reach or simply unrealistic. Enter the virtual CISO (vCISO). These on-demand experts provide security insights to companies on an ongoing basis and help ensure that security teams have the resources they need to be successful.
How a vCISO Works Typically, an engagement with a vCISO is long lasting, but in a fractional delivery model. This is very different from a project-oriented approach that requires a massive investment and results in a stack of deliverables for the internal team to implement and maintain. A vCISO not only helps to form the approach, define the action plan, and set the road map but, importantly, stays engaged throughout the implementation and well into the ongoing management phases.
The best vCISO engagements are long-term contracts, such as 12 to 24 months. Typically, there’s an upfront effort where the vCISO is more engaged in the first few months to establish an understanding, develop a road map, and create a rhythm with the team. Then, their support drops into a regular pace which can range from two to three days per week or five to ten days per month.
What to Expect From a vCISO When bringing a vCISO on board, it’s important that person has three key attributes: broad and extensive experience in addressing cybersecurity challenges across many industries; business acumen and the ability to rapidly absorb complex business models and strategies; and knowledge of technology solutions and dynamics that can be explored to meet specific organizational needs.
The first thing a vCISO will focus on is prioritization, beginning with understanding a company’s risks. They will then organize actions that provide the greatest positive influence on mitigating these risks while ensuring sustainability in the program. The goal is to establish a security approach that addresses the greatest risks to the business in a way that has staying power and can provide inherent value to additional downstream controls.
Having extensive experience in the technical space, a vCISO can take into consideration the full spectrum of options — those existing within the business environment, established products and services in the marketplace, and new solutions entering the market. Just within that context, a vCISO can collaborate with the technical team to take advantage of existing solutions and identify enhancements that can further capabilities in a cost-efficient manner.
The Value of a vCISO One of the most common findings is that companies often have a large portfolio of cybersecurity technology, but very little is fully deployed. Additionally, most tech teams are not leveraging all of the capabilities, much less integrating with other systems to get greater value. Virtual CISOs help companies save money by exploiting existing technical investments that dramatically improve security. And, since the improvement is focused on existing tools, the transition for the IT and security staff is virtually eliminated due to established familiarity with the environment.
Another essential value point of a vCISO is access to an informed and well-balanced view on risk and compliance. While cybersecurity is dominated by technical moving parts, the reality is the board, executive leadership, and management team needs to incorporate cyber-risks and related liabilities into the overall scope of risk across the business at an executive level. In this sense, leadership has a vast array of competing challenges, demands, and risks and some can be even more impactful than cybersecurity.
How to Convince the Executive Team A CEO is under a constant barrage of challenges, problems, risks, and opportunities. Cybersecurity needs to be part of that formula. If one of the core values of having a vCISO is getting meaningful cyber-risk insights, then trust and confidence in that person is paramount and needs to be established from the beginning.
Another challenge is the team dynamic — at the heart of being a CEO is their success as a leader. Introducing what is essentially a consultant can be an adjustment for the team. It’s important that the vCISO hire fits the culture and can easily integrate with everyone on the team including the CIO, CTO, CPO, CRO, etc.
The conversation with the CFO will understandably have a heavy financial tone. For companies debating between a full-time CISO or a vCISO, it’s clear a poor permanent hire can be a very expensive error, whereas a mis-hire on a vCISO can be rapidly corrected.
As organizations continue to come to grips with the byproducts of digitization and new security challenges that often seem insurmountable, a vCISO can be an enormous value. Beyond offering an efficient and cost-effective model, they bring many advantages to businesses with fewer risks than a dedicated resource.
This episode features Rafeeq Rehman. He discusses the need for a CISO Mindmap and 6 Focus Areas for 2022-2023:
1. Re-evaluate ransomware defenses, detection and response capabilities, perform a business impact analysis and identify critical processes, applications and data.
2. Reduce/consolidate security tools/technologies and vendors. More tools don’t necessarily reduce risk but do add the need for maintaining expertise on security teams.
3. To serve your business better, train staff on business acumen, value creation, influencing and human experience.
4. Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.
5. Build team expertise in technology fields including machine learning (ML) models, model training, API security, service mesh, containers, DevSecOps.
6. Maintain a centralized risk register. Even better: integrate into your enterprise risk management program. Track risk for technology, insiders, processes, third parties, compliance and skill gaps.
“Wise is not the one who knows all the answers but the one who knows what questions to ask”
More than an article, this is a conversation starter for the CISO and his/her team: What are your answers for this list of essential question that any information security department must deal with?
Obviously there are many other questions, these are just the foundation for a security program.
These questions are ordered, it will be hard to answer the last ones without having answers for the first ones.
For your organization:
Who are the clients of the information security team?
What are the drivers for security? This will include Business, Technical and Compliance aspects.
What are the business significant security objectives? Have these been agreed with the clients of the information security team?
How do you model your organization and the systems it relies on?
What are the third parties you exchange information with?
What is the list of assets that need to be protected? Who owns them? Who controls them?
What are the threats or risks?
What is the list of security controls or processes you have in place? What is the success criteria for each? How frequently do you check that they are not just effective but successful?
What is the list of non-compliances that need to be remediated?
What is your level of compliance?
What is the list of vulnerabilities that need to be remediated?
What is your level of security (or risk)?
How do you maintain your knowledge base?
What is your level of security maturity? This measures not your security but your ability to maintain and improve your security.
How do you report the activity of the information security team?
How do you report the value of security to your clients?
How do you prove to third parties your level of security?
What do you plan to do to improve the level of security (or decrease risk)?
How easy or difficult was for you and your team to formulate an answer?
If you find these questions too easy, either you are truly great CISO (please share answers) or your suffer a severe case of Duning-Kruger. I will leave to those readers to find out which.
Security operations (SecOps) teams continue to be under a constant deluge of new attacks and malware variants. In fact, according to recent research, there were over 170 million new malware variants in 2021 alone. As a result, the burden on CISOs and their teams to identify and stop these new threats has never been higher. But in doing so, they’re faced with a variety of challenges: skills shortages, manual data correlation, chasing false positives, lengthy investigations, and more. In this article, I’d like to explore some of the threat detection program challenges CISOs are facing and provide some tips on how they can improve their security operations.
CISOs ensure the security operations program for threat detection, investigation and response (TDIR) is executing at peak performance. Let’s look at seven key issues that can affect TDIR programs and some questions CISOs should consider asking their organization, security operations team, and the vendors providing solutions to resolve them.
1. There are too many indicators of compromise (IoCs) or security events happening across a network to properly identify malicious activity. As a result, CISOs are looking for advanced tools that can correlate and analyze this data effectively to eliminate false positives. The last thing any CISO wants is for his/her team to waste time on an event that might simply be a failed login associated with a user incorrectly typing their password multiple times.
Questions to ask: Can I correlate data from any source (such as logs, cloud, applications, network, endpoints, etc.), no matter what it is? Can I fully monitor all these systems, ingest all the telemetry needed, and perform correlation automatically? And what is it costing me to correlate all that data (i.e., what is my solution provider charging)?
2. Correlating data over time is hard. It’s like putting puzzle pieces together from a box filled with multiple puzzles. An attack that occurs once can be difficult enough to identify. But once threat actors are inside an environment, they’ll often do a little activity spread over a longer period (sometimes days, weeks or months later). This makes is almost impossible for a human analyst to take these seemingly disparate events across time and connect them to complete the puzzle.
Most tools also struggle to correlate those seemingly independent events as part of the same attack because they seem unrelated over time. CISOs are responsible for making sure the team has everything it needs (based on constrained budgets) to put that puzzle together before damage is done.
Questions to ask: Do I have a wide variety of data sources and analytics that can process events and correlate them across time effectively? Is out-of-the-box threat content included for real-time attack detection?
3. When piecing together an attack campaign, manual correlation and investigation of disparate security sources drastically extends the time and resources required from a CISO and his/her team. Pulling data from several systems at once is necessary to get the contextual information needed to find out what’s wrong (and how to respond). But in the time this takes, the damage could already be done. This challenge can easily frustrate CISOs that have invested so much time and money in building up the security operations program.
Questions to ask: Does your current team have to do a lot of manual correlation, and how are they able to accomplish that with events that span weeks or even months? Does your team have to search through multiple tools and put together context on their own to see patterns that will help formulate a better response when working with other IT teams?
4. The skills gap remains a problem. However, as more seasoned practitioners who were fundamentally trained across networking, servers, and other aspects of IT are aging out of the workforce, CISOs are being forced to hire more security focused analysts, but with less broad practitioner experience. This is impacting the amount of on-the-job training and experience required (and offered) for them to be effective. There are just not enough skilled cybersecurity professionals in the market today.
Questions to ask: How can my TDIR platform automate certain tasks and bring the right context to the forefront. How can it provide the necessary context that can help a less experienced analyst learn over time and increasingly add value?
5. Vendors are overpromising and underdelivering. When it comes to threat detection, too many vendors falsely claim or exaggerate that they have machine learning (ML), artificial intelligence (AI), multicloud support, and/or apply risk metrics. CISOs are barraged with vendors claiming to offer a silver bullet at worst or using questionable marketing claims at best. Neither delivers what’s promised.
Questions to ask: Does the solution use rule-based ML/AI (which is important to understand considering it’s static in nature, requires updating, and is ineffective at identifying new attacks and variants)? Does multicloud just do correlation (leaving it up to the analyst to determine if an attack is occurring across multi-cloud)? Is risk scoring just aggregated scores from public sources (not leveraging an enterprise-class risk engine powered by analytics)?
6. The tradeoff of cost and budget versus better security visibility can be a painful choice. CISOs often are presented with platforms (like a SIEM) that charge organizations based on volume of data ingested. As an organization grows, charging by data ingested is unpredictable and can quickly lead to rapidly escalating costs in licensing and storage. As a result, CISOs should be looking for solutions that reduce this cost burden, while still allowing the organization to pull in and ingest as much data as possible. The result is better SOC visibility and more effective TDIR.
Questions to ask: For a solution that employs true machine learning, the more data that can be pulled in the better. Does my solution penalize me for bringing in more data? Or does it embrace more data ingestion to offer better visibility and do so by providing flexible licensing? How can my provider help reduce storage costs?
7.Automation can drive efficiency and speed threat detection. This can free up security team members to focus their attention on more intensive tasks. When done effectively, this provides OPEX savings – which means less time and resources spent on simple and manual tasks of low value, while also shrinking the time for high-value tasks. It can also provide better experience for junior analysts, especially when your analytics and automation are transparent, allowing them to learn and improve.
But not all automation is created equal. Solutions that produce too much noise and too many false positives make it difficult to prioritize investigation and automate responses. The more accurate the threat detection is, the more targeted the automated response can be.
Questions to ask: Is automation in the solution inherent across my entire SOC lifecycle? If so, how do I know it’s working and how can I trust that it’s optimizing my operations (for example, can it show that I’m stopping threats earlier in the kill chain)?
As CISOs and their security operations teams look to improve threat detection they’ll face a variety of issues around visibility, cost, flexibility (especially into cloud environments), analytics, prioritization, contextual data and much more. But by working together to understand these challenges – and by arming ourselves with knowledge and the right questions – our industry can continue to evolve and deliver better security operations for our organizations.
Just over a quarter-century ago, the first Chief Information Security Officer (CISO) was minted in the financial vertical, and everyone lived happily ever after. The End.
If only this story was that simple and straightforward! The CISO role has never been cut-and-dry. Despite its longevity, this role is still in its adolescence – full of promise, mostly headed in the right direction, but not quite fully formed.
If you’re a CISO today, or have worked for or watched one from afar, you have felt the reality of the goalposts continually shifting over time, and you have experienced some of the tough questions that may not yet be answered. Where should the CISO report for maximum effect? How does the CISO gain that valuable seat at the executive table, and a regularly scheduled time slot every quarter in front of the board? Is it possible that broad technical competency may be superior to deep technical expertise for this C-level role? And if you are the CISO who thought you signed up for an IT-centric, inward-facing role, I have a few nation-state and cybercriminal actors to introduce to you.
But there are several other less obvious roles that the CISO should consider taking on to help the organization reach its goals, whether its customers are external or internal.
The CISO as brand enabler
Quantifying the value of a corporate brand is tough. But it’s clear that your organization’s brand is as much an asset as the devices and networks that the CISO is charged with protecting – in fact, the brand may be your organization’s largest single asset. A recent Forbes/MASB report states that brand assets drive approximately 20% of enterprise value on average. Doesn’t that sound like something worth protecting?
Yes, the creation and growth of the brand is typically the responsibility of the marketing organization and the CMO (chief marketing officer). But it’s not unusual for marketing to feel like it’s outracing the other business functions, including the CISO, and they are anxious for everyone to “catch up” and join them. The CISO can act as a useful counterweight to help marketing achieve its goals safely, in good times and bad. For example, isn’t it important to fully coordinate a breach response between these two groups in a way that best preserves the value of your brand? Those brands that emerge out of a high-profile information security incident stronger don’t get there by accident.
This is a missed opportunity in many organizations. When was the last time your CISO and CMO sat down alone to discuss each other’s long-term initiatives? And no, the sometimes recurring conversation between these two parties about how the marketing team is leveraging shadow IT doesn’t count here.
The CISO as customer advocate
If the CISO is considered an inward-facing resource only, your organization may be leaving some significant value on the table. Is your CISO considered and leveraged as an extended member of your customer-facing teams? There is often nothing more compelling to a prospect or a customer than the opportunity to hear from a true CISO practitioner about her experiences in the industry around a common challenge.
Another way to bring the CISO closer into the customer orbit: you have some customers who due to their size or potential are at the very top of your essential, must-not-lose list. Your CISO may be more than willing to act as an executive sponsor for the overall relationship between the two organizations. This is a great way to cement that bond with your truly key and strategic customers. You may also discover that same hugely important customer is willing to share details with the CISO that would never be shared with the sales team.
The CISO as product visionary
In many ways, your CISO may be an ideal prospect, a research partner, and a sounding board for new products, services or features your organization plans to introduce. Think about all the angles a CISO deals with every day: B2B connections and data flowing amongst third parties; identifying and securing B2C data and connectivity; monitoring an infrastructure round the clock to recognize and remediate tactical, strategic and regulatory risks; signing off on your organization’s ISO 27001 certification or SOC 2 attestation, and more!
For bonus points, if you are that CISO of today or the aspirational CISO of tomorrow, don’t settle for approaching your job solely in pursuit of how to best secure your organization – ask yourself how you can make your own customers more secure. Sometimes a new feature or service might pop out from that alternative angle, from a perspective that only the CISO can see.
Whether you are the CISO or are a colleague of the CISO, think outside the box. CISOs can absolutely be leveraged in these and other non-traditional roles, to the greater benefit of your organization.
