The CISO Role Is Changing. Can CISOs Themselves Keep Up?

Published: 23/11/2024   Category: security




What happens to security leaders who don't communicate security well enough? Ask SolarWinds.



The role of chief information security officer (CISO) has expanded in the past decade thanks to rapid digital transformation. Now CISOs have to be far more business-oriented, wear many more hats, and communicate effectively with board members, employees, and customers alike, or else risk serious security failures.
In a wide-ranging press Q&A at CPX 2024 in Las Vegas, a panel of CISOs and vice presidents (VPs) of international organizations discussed how digital transformation, bottom-line pressures, and a lack of security awareness have shifted the nature of their positions: broadly, from technical to business-oriented and highly social.
Today, they suggested, what makes an effective CISO (and, by extension, an effective security culture at an organization) is as much about softer communication skills as it is about mitigating vulnerabilities and defining policies. In fact, security leaders who excel at the latter but fall short on the former end up exposing their organizations to major breaches.
"You asked about the consequences?" Dan Creed, CISO at Allegiant Travel Company, asked rhetorically in response to a question from Dark Reading. "Ask SolarWinds what the consequences are."
"The role of the CISO has changed over the past 10 years, and we never really stopped to notice it," Frank Dickson, program vice president for cybersecurity products at IDC, said in a separate CPX press conference on March 6.
Years ago, the position was created with the relatively narrow cyber-risk focus that it's still associated with today. But it has expanded, first because the corporate attack surface has broadened. Typical breaches used to require vulnerabilities in corporate resources: think Target, Ashley Madison, and the like. Nowadays, particularly since COVID, it's employees' emails, phones, and other devices that represent the greatest risk to organizations. As responsibility for information security has become a collective one, CISOs have been forced out of their silos.
Digital transformation has also moved IT out of its siloed corner and straight into the line of business. As Dickson pointed out, "About 40% of all the revenue for the [Global] 2000 next year is going to be driven by digital products and services. So what that does is change the nature of IT from a cost center to something that's on the path to generating revenue. And if you think about what that does, that fundamentally changes the role of the CISO." The more that companies conceive of IT as a business driver, the more CISOs need to be involved not just in preventing and mitigating cyber risks, but also in advising the board on business decisions and meeting with developers, salespeople, and customers.
The increasingly business-facing responsibilities of the CISO were reflected in an IDC survey revealed at CPX. Of 847 cybersecurity leaders polled, 10% believe that the most important job of a CISO is leadership and team-building skills, and 8% believe its business management skills. Actual cybersecurity awareness and understanding, and IT architecture and engineering skills, received hardly more votes at 12% apiece.
It's not merely that CISOs should double as businesspeople; they need to. "The consequence of not establishing those relationships [is] you get a culture at the company of 'Well, it's not my responsibility.' Like SolarWinds, and MGM. They reset their MFA just by a call to the Help Desk, though they don't understand or realize the consequences of not having security awareness," Creed explained.
The subtlety in Creed's argument, echoed by others at the roundtable, is important. Preventing security lapses by employees is not simply a matter of spreading awareness, they emphasize, because even knowledgeable employees ignore security when their relationship with the security team isn't healthy, or when the required hygiene is simply too effortful.
"[They say] security should be hidden. I take it one step further: security should lubricate business and make it faster," said Pete Nicoletti, Field CISO at Check Point, echoing the evolved philosophy of the modern CISO. He offers VPNs as an example of where narrowly focused, old-fashioned CISOs have traditionally slowed business down. "How long does that hold my email for: two seconds, or 10 seconds? How long does VPN take for signing up? Are [employees] going to work around it because it takes 22 seconds and authentication? [It's about] trying to make these as transparent and easy to use as possible. Start picking tools that actually speed up the process, to where now you have a competitive advantage."
"Some of my earliest initiatives that I'm driving are exactly that," Creed seconded. "Let's move away from VPN, and get to an always-on where with your laptop, you turn it on, you're fired up, and you're connected into our network, going back through our security stack. The next objective is we're now laying the foundation to move to passwordless."
If talking to employees and making security easier for them isn't enough, CISOs can also experiment with alternative incentives. "We actually have KPI metrics around security culture. And we're getting ready to the point that we're going to start actually impacting bonus pools, to where if your department does better, it increases your bonus pool above the norm [. . .] and if you don't, then it hits your bonus," Creed explained.
Then there's the board.
In its survey, IDC asked CISOs and their fellow CIOs what CISOs actually do, for example whether they're focused on strategic architecture or whether the job is tactical by nature, and found notable discrepancies in the responses, indicating that even the CISO's closest C-level partners aren't entirely on the same page.
Creed recalled one such case recently: "We ordered some new 737s. And these are our first e-connected aircraft. [The board] did not include me in the earlier conversations, and then it became a fire drill that all new e-connected aircraft have cybersecurity requirements — that, in fact, if you don't have a network security plan approved and accepted with the FAA on file, you lose your airworthiness certification for those aircraft. Do you think the board, when they first started talking of going down this path of 'we're going to expand the fleet,' considered that there might be security implications in that?"
"So you have to educate them, and explain to them: this is why we need a seat at the table. In every strategic decision that's made for the business, there's risk involved. [. . .] The more you include us at a seat at that table, the better that we can protect the business and weigh in on where that risk is at the onset rather than once it becomes a fire," he said.
To that end, in an interview with Dark Reading, Russ Trainor, senior vice president of information technology at the Denver Broncos, offered a simple tip for getting the board's attention.
"Sometimes I'll forward news of the breaches over to my CFO: here's how much data was exfiltrated, here's how much we think it cost," he says. "Those things tend to hit home."
