The role of the Chief Information Security Officer (CISO) has notably changed since the COVID-19 pandemic – arguably the biggest catalyst for such a change as people transitioned to remote working.
The widening attack surface has become a major challenge for CISOs, causing an increased level of responsibility like never before. This has inevitably affected the stress levels associated with the job, with more and more companies attempting to eradicate this across their organisations. CISOs are now challenged with adapting their management style in order to facilitate the change.
According to Dale Heath, Technology Lead at Rubrik A/NZ, “the role of the CISO is more important today than it has ever been.” Heath says that attackers today are “acting with intention – they are going after supply chains to gain more access to more data, they are focusing on specific companies and zeroing in on specific industries.”
The ransomware threat is a significant contributor to the attack landscape and Heath calls for a new approach to cybersecurity in order to mitigate such detrimental attacks. “A holistic security approach – combining infrastructure, cloud and data security (or end-to-end Zero Trust security) – is required to help keep an organisation safe,” said Heath. “This means bringing together prevention, detection and investigation as well as ensuring data resilience, data observability and data recovery.”
But what does this mean for the role of the CISO? Heath believes that it means the responsibilities of the CISO and CIO and colliding. “The need for IT and security teams to collaborate and partner has never been more paramount,” he said. “The main priorities should be focused on reducing the risk of data loss, ensuring your data is resilient to these attacks and enabling rapid recovery after an attack. It’s more than just dedicating resources towards trying to stop an attack from happening in the first place.
Heath says that organisations should accept that it is not a matter of if, but when they’ll be hit with ransomware or a cyberattack. “Forward-looking CISOs and their security teams, in partnership with their IT teams, are working to prepare and minimise the disruption when the inevitable occurs, ensuring they have a cyber-resiliency plan and data security strategy in place when they need it the most – turning what could have been a catastrophic event, into a minor inconvenience,” said Heath.
Industry experts talk to us about their thoughts on the changing role of the CISO and how this has impacted their management style…
Heather Gantt-Evans, CISO, SailPoint
The role of CISO first emerged as organisations embraced digital revolutions and began relying on new data streams to help inform business decisions. As technology continued to advance and become more complex, so too did threat actors who saw new opportunities to disrupt businesses by stealing or holding that data hostage for ransom.
As the years have gone by and cyberattacks have become more sophisticated, the role of the CISO has had to change. The CISO has evolved from being the steward of data to also being a guardian for availability with the emergence of more destructive and disruptive attacks. As a result, CISOs today must be highly adaptable and serve as the connective tissue between security, privacy and ultimately, consumer trust.
In terms of management style, there’s a fine balance between continuing to make progress on strategic initiatives that will reduce risk and improve security maturity, while also being adaptable enough to stop and pivot as needed. It’s also important to communicate clearly to your teams the need to balance these priorities. I think the key is to continue leading with the same level of diligence as CISOs have traditionally been, never letting their foot off the gas — because those looming in the shadows of the Dark Web certainly aren’t slowing down.
As CISOs we also need to embrace information sharing and collaboration in order to take our organisations from being one step behind cybercriminals to being two steps ahead at all times.
Geoff Schomburgk, Vice President for Asia Pacific at Yubico
COVID-19 and the evolution of Working from Anywhere (WFA) have both accelerated Digital Transformation for many businesses. At the same time, cyberthreats are growing in intensity and sophistication. Further, the line between our business and personal online presence is blurring, which means that all employees are now potential targets and need to be cyber-aware and cyber-safe. Cybersecurity is no longer the responsibility of the CISO’s office, it is a broader corporate responsibility.
Implementing robust technology solutions to protect digital assets remains a core component of the role of the CISO. Facilitating Digital Transformation with Zero Trust frameworks and securing identity as the new perimeter are technical challenges they must face daily. However, the role is now evolving from the protector and enforcer of systems and policy, away from the technical expert to a broader risk management role with strategic responsibility.
As businesses become more digital, the CISO must be aware of the evolving regulatory and compliance landscape and the implications for data privacy and data security. What is the value of the data the business has – data such as personal information, financial information or medical information, for both employees and customers? Who might want that information and what value does it have for them? The CISO needs to understand the business risks and more importantly the consequences if that data is compromised.
Adoption of cyber-safe practices in an organisation is the best way to mitigate these risks. So, the CISO also must be engaging and educating people at all levels – from the board down – on the importance of cyber hygiene. This requires a focus on solutions that are not only secure but easy to use, deploy and manage. Passwordless authentication is one obvious example that is highly secure, easy to implement and easy to use.
The industry is on the cusp of replacing passwords and legacy Multi-Factor Authentication (MFA) methods with modern open authentication standards, like FIDO2. These standards will enable widespread adoption of phishing-resistant and usable security, and hopefully, will be able to help CISOs to eradicate an entire class of issues that have long been associated with passwords.
Ammar Hindi, Vice President of APJ Sales, Nozomi Networks
The responsibilities of the CISO have changed considerably due to the pandemic, not just because of the rapid evolution of technology and digitisation, but because the very nature of how we all work has changed.
The CISO now needs to ensure Business Continuity and security with staff operating from multiple remote locations. The attack surface area has increased and lone workers need to be trained or retrained to mitigate and avoid the risk of cybercrime pitfalls created by their new ways of working.
In Australia, the CISO’s role has also been dramatically changed by the recent amendments to the Security of Critical Infrastructure (SOCI) Act, which aim to strengthen the security and resilience of critical infrastructure by expanding the sectors and asset classes the Act covers.
SOCI now mandates the registration of critical infrastructure assets and ensures the adoption of risk mitigation policies to deal with cybersecurity incidents that affect critical infrastructure assets, whether they be defence sites, energy or water plants, data centres, or telecommunications infrastructure. SOCI now means that Operational Technology (OT) environments are front and centre in the daily duties of a CISO.
Similar critical infrastructure legislation is underway or being considered in other Asia-Pacific countries too, which may see a broader OT-focused redefinition of the CISO role across the region.
In light of this new focus, CISOs need to ensure very broad and uninterrupted visibility of OT, Internet of Things (IoT) and IT assets. Guarding against breaches no longer suffices the nuances needed for this role to fully protect organisations and their teams. CISOs need to coach the entire organisation – now likely dispersed between traditional offices, home offices, as well as other remote locations – to adopt security as part of every step in daily business life.
At the highest level, CISOs need to educate on and elevate their own role in the eyes of the boards they sit on or advise. Success in doing this will see talented CISOs command a higher salary and attract people from diverse backgrounds, an important consideration for most cyber-related roles as they require a variety of skillsets.
Brian Spanswick, CISO and Head of IT at Cohesity
My role at Cohesity is both strategic and somewhat unique. Traditionally, these roles are treated as distinctly separate areas of responsibility, however, we’ve deliberately chosen to have a single executive responsible for the overall technology of our company, while ensuring we provide the necessary IT solutions and services to our employees in a secure manner. This ties back to our overall philosophy that security is not just the responsibility of the CISO and security function, but that it must be a company-wide priority and responsibility for smooth operations.
The continued evolution of IT means that no longer is it simply a matter of IT departments having the sole responsibility for providing the hardware and software to end-users. Today, we’re dealing with never-before-imagined levels of flexibility owing to paradigms like remote and hybrid work, Bring Your Own Device (BYOD) and cloud computing. This has expanded the security perimeter beyond what CISOs have direct control over – especially when you have SaaS applications and infrastructure in the cloud. CISOs must now work to determine where the organisation’s core business processes are hosted and how the backup and recovery of those environments and systems can be managed. This is significantly more complicated than when things were on-premise and applications were hosted behind the four walls of the organisation.
So today, the most important aspect of my role as CISO is to ensure my business partners have a detailed and precise understanding of our organisation’s security posture and how the technologies and processes we have in place support their business objectives. For a CISO, there’s perhaps nothing more important than framing your organisation’s security posture within the context of the business, so that non-IT business leaders can participate in security-related decision-making that aligns with their business goals. This also means a change in mindset and learning new management skills. Once you step beyond the domain of purely being a security or technology leader, you need to be able to correctly articulate your point of view. With cybersecurity, you can never state anything with 100% certainty; many security professionals are wary of taking a strong stance. However, to appeal to business leaders, this is essential. CISOs often work hard to provide the facts and leave it to their partners to draw their own conclusions. But doing so would be failing to recognise that these peers don’t have the same security acumen. Strong security leaders aren’t afraid to have a point of view, they state their assumptions and describe the context within which they draw their conclusions.
Finally, it is vital that CISOs keep learning. My approach to learning is a mix of wide engagement with the CISO and InfoSec community to discuss the latest cyberthreats and challenges, including through events, while I also make a conscious effort to do self-learning or research into current trends, techniques and threats.