Editor’s Question: How can CISOs manage expectations and keep pace with emerging trends?

BT Security has published the results of a global survey which canvassed the opinions of over 7,000 business leaders, employees and consumers from across the world. The research, conducted in partnership with Davies Hickman Partners, found that in a rapidly changing business environment, the role of the CISO has hugely expanded in its scope and responsibilities. With the research also identifying security as the top priority for businesses after Coronavirus, CISOs have never been more integral to business operations.

The research’s finding that 76% of business executives rate their organisation’s IT strategy as excellent or good at protecting against cybersecurity threats seems like positive news. However, the research also found that this might be misplaced confidence which is leading to complacency, with 84% of executives also saying that their organisation had suffered from data loss or a security incident in the last two years – highlighting the enormity of the task that CISOs face.

The research uncovered several interesting reasons why this might be happening. Less than half of respondents said they had definitely received training on data security, while only one in three were fully aware of the policies and procedures they should follow to protect the security of their organisation’s data. As a result, a number of concerning behavioural trends were seen, with 45% of employees saying they’d suffered a security incident at work and not reported it, and perhaps even more worryingly, 15% saying they had given their work login and password to others in the organisation.

Regular cybersecurity training for employees is critical. The research found that nearly two-thirds of consumers would recommend an organisation that makes a big effort to keep their data safe, and a similar number said that security is more important than convenience when choosing who to buy from. The capacity for security to act as a brand differentiator becomes even clearer with the finding that only 16% of consumers strongly trust large organisations to protect their personal data.

In light of these trends, the role of the CISO is simultaneously more critical and more multifaceted than ever before. Their job is no longer just to protect against threats and manage risk; they are now expected to play a crucial role in managing brand perception, employee engagement and the strategic adoption of new technologies. In spite of this, the research found that less than half of executives and employees could put a name to their CISO (or equivalent), with a similar ratio of respondents saying that their CISO doesn’t actively communicate with the rest of the organisation.

Kevin Brown, Managing Director of BT Security, said: “This report provides a number of clear examples of how CISOs are expected to provide leadership across an ever-growing number of areas. The huge increase in the pace of Digital Transformation during 2020 has not only further erased the traditional parameters of the role, but also intensified the scale and complexity of threats to protect against. As a result, CISOs must ensure that they have the visibility that not only makes them the first port of call for security incidents, but also ensures they’re placed at the heart of strategic decision-making and planning.”

We heard from a number of industry experts who offer their opinions on the subject.

Charles Eagan, CTO at BlackBerry: “For many CISOs, last year was even more challenging than expected. The world has seen huge changes in the way we live, socialise and work. From a rise in online scams to security incidents around the COVID-19 vaccine rollout, hackers have shown that they are an omnipresent threat. The world has changed and so must our approach to cybersecurity. 

“Many of these challenges will not be easy to fix. The shift to remote working has led the number of endpoints to rise at an unprecedented rate, potentially leaving businesses and employees more vulnerable to cyberattacks. CISOs need to recognise that remote working still poses a huge threat to the organisation. However, that does not mean we lack the weapons to battle this threat. 

“To a certain extent, over the past few years AI has become a victim of its own success – it’s being used as a corporate buzzword, slapped on products and marketing collateral like it were a new coat of paint. But it’s important to remember that, in the cybersecurity realm, AI and ML are not quick fixes. Authentic AI is about empowering human intelligence, not replacing it. The constant talk of automation and the rise of the robots is wildly misplaced; the past year has reminded us just how important people are. AI can’t replace human intelligence where it’s needed most. Instead, we must choose the right problems to solve and react to unforeseen sudden changes in the landscape – changes like a global pandemic. And, if we can use AI to do some of the heavy lifting of security and teach it to be flexible in the face of rapidly changing circumstances, it can prove invaluable in the ongoing battle to keep our organisations and people safe.  

“Going forward, the cybersecurity industry will play a huge part in helping the world return to normality in 2021. However, some things, like flexible and remote working, are here to stay. Embracing technological advances and the continued adoption of AI will allow CISOs to lead their organisations to operate in the new world in whatever way they build back. What has become more obvious to us all over the past year is that humanity is adaptable, but also vulnerable to sudden change and volatility. The tech and cybersecurity sector must continue to innovate and support organisations to help build robust and well-prepared businesses, public services and societies.”

Mike Beck, Global CISO at Darktrace: “A CISO’s role is to empower their organisation to reap the benefits of Digital Transformation. Increased connectivity, rapid adoption of new technologies and the rise of distributed workforces have opened new doors for hackers – but it’s up to the CISO to ensure that this does not hinder innovation.

“This goes far beyond enforcing security rules. It’s also about embracing emerging technologies capable of watching over critical data and keeping pace with rapid changes to the digital estate – the modern organisation has too many variables for static or siloed security.

“That’s why thousands of CISOs today augment their human teams with AI, shifting attention away from prevention and predicting the attackers’ next moves and focusing instead on understanding the ‘normal’ behaviour across the digital estate, and constantly enforcing that normal when things go amiss.

“When the C-suite invests in these technologies, which spot and stop threats at the earliest signs of compromise, a potential cost centre becomes an opportunity for growth.”

Ron Davidson, VP of R&D and CTO for Skybox Security: “The pandemic has triggered many new cybersecurity challenges that have propelled the role of the CISO to one of extreme importance. Security leaders are under even more pressure to protect the business with security now elevated as a boardroom-level conversation.

“In terms of setting expectations, CISOs should make it very clear now that their security teams will not be able to patch every new vulnerability. According to Skybox Research Lab, 2020 was a record-breaking year for new vulnerabilities. Unfortunately, CISOs do not have more resources to deal with this surge.

“To accurately prioritise remediation, organisations must be able to quantify their threat landscape as it evolves. Steps to ensure security strategy stands the test of time:

  1. Shift to risk-based prioritisation: A shortage of security talent, rapid cloud migration, regulatory compliance rules and the unrelenting changes to the threat landscape have created a perfect storm. There are too many vulnerabilities for an organisation to ever be totally confident that their network is 100% patched. It is simply not possible due to the ever-changing threat landscape. To future-proof security strategies, CISOs must establish a framework that enables risk-based prioritisation across the entire enterprise.
  2. Implement network modelling: A network model is a dynamic representation of the entire enterprise infrastructure – across IT, hybrid infrastructure, Operational Technology (OT) and security configurations. Network modelling provides accurate insight into new risks and enables advanced attack simulation to explore all attack paths. By modelling the entire attack surface, defenders can see all of the exposures that an attacker could infiltrate to determine the best course of action to stop breaches.
  3. Adopt a Zero Trust approach: Traditional network perimeters have vanished. Many organisations are adopting Zero Trust frameworks to verify any connections to their network before granting access to combat this issue. Developing true ‘no trust’ zones is dependent on an understanding of the entire enterprise infrastructure – including all configurations across the environment as a whole. As the enterprise environment evolves, so too must security strategies.”

Israel Barak, Chief Information Security Officer, Cybereason: “We have now reached the one-year anniversary of the onset of the COVID-19 pandemic and what was the start of a massive shift to remote working for more than a billion workers around the globe. Coupled with the fact that many organisations are still investigating whether or not they were victimised in the SolarWinds breach, it is easy to see that evolving security strategies and innovation will be a priority in 2021.

“This year, we can expect many changes that happened during the pandemic, in terms of workforce culture, to become the norm. Because of this, CISOs need to plan on transitioning from maintaining a steady level of service to a state of growth and innovation and embracing this new norm. 

“2021 could be a most challenging year for organisations that haven’t figured out how responding to unexpected events becomes part of their company’s DNA. Companies need a playbook, rather than just a checklist, to respond to the unknown and unforeseen. Building a methodology will help a company stay on course during difficult times and ensure that not only does security remain a priority no matter what situation arises, but that innovation is never an afterthought.

“From a security perspective, CISOs need to ensure that the security programme infrastructure currently in place continues to be extensive, agile and thoughtful enough to enable growth and acceleration in the ‘new norm’. Areas of special attention should include identity and access management, endpoint and mobile management, security operations and incident response and certainly security awareness and adequate preparation of staff and executive leadership.

“In addition, for any organisation to continually accelerate their organisation’s pace of innovation, agility continues to be important. It’s likely that last year’s shift in computing resources from on-prem to the cloud is part of the ‘new norm’. So too is continually using autonomous technologies to reduce manual overhead and to allow the company to expand its innovation while spending less time on system tuning and maintenance.

“This agility can’t come without a built-in security suite and programme that is able to scale with the rest of the IT infrastructure. CISOs also need to take a close look at how their organisation’s security programme is architected. For example, can the security infrastructure scale without worrying about additional manual resources to support it? Is the system still architected in the right manner, now that the priority is making sure employees are as efficient as possible while continuing to work remotely?

“It’s important to remember that the challenges facing CISOs in the modern workplace will only shift if/when employees return to their offices in 2021. It’s not as if the end of the pandemic will suddenly leave us all with a dramatic reduction in projects. No matter whether your employees are on-prem or remote, make sure security is never bolted on top of your company’s efforts to innovate and that it is part of the design and implementation phases.”

Intelligent CIO APAC