What CISOs Should Be Aware Of (But Typically Aren't)
The life of a CISO is a busy one and it can be easy for priorities to get lost in the shuffle. We've polled a group of CISOs and other security professionals to find out what CISOs should be aware of but likely aren't.
CISO Awareness: 21 Security Pros & CISOs Reveal What CISOs Should Be Aware Of (But Typically Aren't)
The role of the Chief Information Security Officer (CISO) is a complex one, requiring the ability to regularly interface not only with other security professionals, but executives spanning every facet of the organization. CISOs are typically responsible for evaluating and implementing the right security tools, within budget, while ensuring that those solutions are properly consolidated (eliminating redundancies and wasteful spend) and are adequate to meet the company's evolving security needs. Additionally, as CISOs are often tasked with overseeing security awareness training, the ability to communicate with all levels of staff in non-technical jargon is key. Beyond implementing security tools and facilitating communication, though, CISOs oversee every facet of an organization's security, mandating the ability to see the forest through the trees - acute awareness of both big picture and atomic-level risks, vulnerabilities, and security concerns is a must at all times. That's where one of the biggest challenges lies for CISOs, and where the need for establishing an experienced, trusted, and reliable team becomes clear.
To gain some insight into common blind spots for CISOs and important considerations that CISOs should be aware of, but often aren't, we reached out to a panel of CISOs and other security pros and asked them to answer this question:
"What should CISOs be aware of that they're usually not?"
Meet Our Panel of CISOs and Security Pros:
Read on to learn more about what today's CISOs are often overlooking, and the most important things to be aware of to ensure a strong security posture within your organization.
Sanjay Deo is the President of 24By7Security. He combines over 20 years of Cybersecurity and compliance experience.
"A number of CISOs get so immersed in day to day operational security activity that..."
They forget to think strategically like a hacker! Hackers do not have a schedule, do not have certifications, they are determined and it takes one vulnerability to breach a secure company. On the other hand, a CISO has to anticipate the risks, risk surface, risk entry points, and related vulnerabilities that can be exploited and with limited resources (employees, unpatched systems, ignorant executive and board) secure the company and protect the intellectual property and customer information.
CISOs must step out of the day to day activities and think strategically. This includes educating themselves, connecting with other peer CISOs, and reaching out to local enforcement agencies such as the sheriff's office, FBI/Infragard, and other industry groups for intelligence information.
Adam Ely is a CISO and start-up entrepreneur advisor.
"There are a few things CISOs should be aware of..."
People want to help. It's easy for CISOs to feel other teams don't care about security, when in reality most don't understand why what they are driving is needed. Truly educating with relevant examples is key to a team's success.
Focusing on what's not working instead of the next great thing. It's easy for CISOs to lose focus on what's in the environment today with all of the new threats emerging. However, focusing on the health of what's been deployed and ensuring those things are working well is often the most valuable defense.
Burn out of the team. With the ever-changing nature of our industry, it's easy for people who love their jobs to push themselves to the breaking point. Even the most productive, passionate person needs rest. InfoSec turnover can be high due to burnout and stress, so managing our team's stress is critical to avoid high turnover and having to rebuild team capabilities.
Jeff Bittner is Founder and President of Exit technologies, an R2 certified, global IT asset disposition company (ITAD). Jeff is a serial entrepreneur and founded the company in 1989 to help enterprises cost-effectively liquidate their IT hardware.
"Like any corporate leader, one must know the customer..."
And a big part of the customer base for many organizations are its users. In the same way that the American car manufacturers paid the price in the late 70s for not fully understanding the needs of car buyers as they watched their Japanese competitors make steady inroads into their domestic markets, CISOs find themselves battling Shadow IT for the same reason. A recent Gartner study shows that less than 50 percent of workers believe their CIOs are aware of digital technology problems that affect them. This disparity grows even more prevalent with younger workers. In order to provide the right technology, CISOs must first understand the fluctuating needs of the company's business units and workforce.
It is essential for today's CISO to fully understand everything about cybersecurity today. While many focus on collecting an arsenal of tools without breaking the bank, they often do not understand exactly what the threats are that they are protecting from. Understanding the enemy, which in this case is today's hacker, is essential to winning the war. In addition to gaining insight into the mindset and motivation of those who continue to attack their organization, they sometimes do not understand what their expected duty of care is, which is the legal measuring stick in a litigation instance.
Sonya Koptyev is the Director of Evangelism at Twistlock, a security platform for containers and cloud native applications. Her mission is to bring the world of secure cloud native development into the hands of every developer, ensuring that they can make the most of these new technologies in a secure way.
"Enterprise CISOs need to be aware of..."
The shifting paradigm that cloud and cloud native architecture introduce to their organizations. Old ways of securing monolithic applications have become obsolete. Now, security best practices must be baked into the complete lifecycle of application development - not only in production, but at the build and at runtime. This means shifting left to bring developers and DevOps into your security strategy, and leveraging CI/CD tools from the start to ensure security and compliance are baked in at every stage of development and deployment.
Jackie Rednour-Bruckman is the CMO of MyWorkDrive.
"CISOs are, more than ever, focused on..."
Data loss prevention and network security but are not making mobile device management a critical piece of an overall security strategy, especially now as remote workers and stakeholders with several devices accessing network data are commonplace.
CEO of Agile IT, Conrad Agramont, has more than 10 years of experience in cloud, hosting, and SaaS for both Microsoft Corporation and managed service providers, having worked behind the scenes to help companies maximize business value through the cloud.
"With the near back-to-back outages of..."
Microsoft's Multi-factor Authentication (MFA) systems in December 2018, a surprising vulnerability was demonstrated. Once the MFA system went down, many large companies were unable to work, as well as being locked out of the admin portals needed to turn MFA off until the incident ended. This type of outage can occur during natural disasters that affect the cell network, as well as being intentionally triggered by a DDOS attack on the MFA servers themselves. The solution, a break glass policy, is a set of procedurally protected credentials that are not defended by MFA, but which can be activated when MFA fails. At this time, admins can set promiscuous conditional access policies (rather than turning off MFA) that allows the company to get back to work. The fact that the December Microsoft outages took unprepared companies down for over fifteen hours indicates it is a blind spot for CISOs implementing conditional access with multi-factor authentication.
Carl Hillier is the Head of Product Marketing at Ephesoft Inc. responsible for Esphesoft's portfolio of intelligent document and data capture solutions. Carl has held senior technical and marketing positions at FileNet (now IBM), Fujitsu and Kofax and ABBYY. He has an extensive background in ECM, BPM & Cloud Computing, and has presented at industry events and conferences throughout the globe.
"Probably one of the hardest roles to fill within a company..."
The CISO must not only protect company data and manage security, but they also get put in charge of weaving security into the fabric of the organization.
A CISO is asked to provide various services such as selecting the right platform, formulate policies, training staff, and boosting security awareness. Threats are becoming increasingly more sophisticated, so finding innovative ways to safeguard data is continuously evolving.
Jesse Tutt is the CEO of Gotta Sleep.
"CISOs are often aware of risks related to..."
Macro level information security or operational risk, financial management, and project management.
Areas CISOs often don't know are deeper areas such as system patches which were created and deployed, but not successfully installed. Another example is staff with local administrator privileges who have logged into websites which were hacked using their work email address and password, as these passwords can be used in password stuffing attempts. Lastly, service account, system, or application User ID passwords are a risk area as they are rarely tracked centrally, enabling them to be readily found should a staff member leave the organization.
Michael Hall, DriveSavers Chief Information Security Officer, develops security protocols to handle critical data for corporations, government, and all DriveSavers customers. Hall has twenty-two years experience in data security and data recovery.
"If a storage device fails..."
Resulting in lost or corrupted digital data, few organizations have the internal resources to recover that data - especially in the case of physical damage or electromechanical failure. The device must be sent to a third-party data recovery vendor. Company-owned devices often hold security-sensitive electronically stored information (ESI), including critical intellectual property (IP), financial databases, accounting files, e-mail exchanges, customer records, PCI, PII and PHI. Most of the data recovery industry does not meet best practice standards to ensure data protection through cybersecurity; therefore, data recovery service providers must be classified as high-risk vendors. If an organization does not perform due diligence before engaging the services of a data recovery vendor, it runs the risk of a data breach that will result in major financial and reputational damage.
Courtney H. Jackson
Courtney H. Jackson is a seasoned IT professional with over 20 years of certified hands-on experience. She holds a Master of Science in Information Security and Assurance, in addition to nearly a dozen IT career certifications (e.g., CISSP, CISM, CEH). She worked an Executive role as a Chief Security Officer (CSO) for a multi-million dollar company for over three years before starting her own private cyber security company, Paragon Cyber Solutions LLC, based in Tampa, FL.
"CISOs should be more aware of internal threats..."
Most security incidents involve employees, whether it is intentional or not. That's why a thorough and frequent security awareness program is critical for businesses to protect their critical information and assets. Employees should be made aware of phishing and social engineering tactics so they know how to properly safeguard business information and prevent falling victim to attacks.
Bob Bruns is the Chief Information and Security Officer for Avanade, a leading digital innovator and joint venture between Microsoft and Accenture.
"I think most CISOs, by nature, will endeavor to..."
Think through all the scenarios for enterprise risk associated with their business, relying on their teams to help make them aware these risks. However, I believe there are probably a few material topics to be more aware of. First, people are our biggest risk - not process or technology. We should not underestimate the power that educating our people can have in fostering a strong security posture. I also think that most CISOs historically have looked at a best of breed model that has resulted in hundreds of products for them to manage across their enterprise. I believe that a Better Together philosophy - an integrated and holistic ecosystem - has more value and, at the end of the day, provides a stronger foundation of protection, than a siloed approach. Finally, CISOs should assume they're going to be breached. The key is how do you manage it. Make sure you have a plan, that everyone understands it, and that it has been tested across your business at every level. Being prepared for Incident Management is half the battle.
Dejan Draguljevic is the SVP Business & Corporate Development at Pradeo. With nearly 20 years of experience in enterprise mobility, in both hardware and software, Dejan focuses on growing Pradeo's leadership across various regions. He accompanies enterprises facing new challenges of IT security.
"CISOs often ignore that mobile applications represent the weakest link in their security chain..."
In 2017, 42 million attack attempts on mobile devices have been registered globally according to Kaspersky Lab, showing a growing interest of cybercriminals in mobility.
Looking closer, the Pradeo Lab observed that 77% of mobile attacks are led through mobile applications. Indeed, 59% of Android apps and 42% of iOS apps silently perform data exfiltration.
The current challenge for CISOs is to strike a balance between mobility and security, by protecting their mobile collaborators while offering them the flexibility they need to be productive.
To do so, they need to equip themselves with a mobile threat defense solution that precisely reveals applications behaviors and allows to block unwanted ones.
Dr. Art Langer
Dr. Art Langer is a Professor of Professional Practice, Director of the Center for Technology Management, and Academic Director of the M.S. in Technology Management programs at Columbia University. He is an author and has published numerous articles and papers relating to service learning for underserved populations, IT organizational integration, mentoring and staff development. Prior to joining the full-time faculty at Columbia University, Dr. Langer was Executive Director of Computer Support Services at Coopers and Lybrand, General Manager and Partner of Software Plus, and President of Macco Software.
"CISOs tend to be technical people who see things black and white..."
While this is an asset from a managing risk perspective and certainly they can do so without fail, over managing risk can also hinder business practices. So it's imperative they are capable of striking the balance of managing risk and procedures while ensuring the business is functioning properly and securely.
Secondly, because they spend most of their career behind the scenes, they are not always seasoned at making business cases or speaking with executives, they need to hone in on their soft skills and learn how to successfully present a risk/exposure/protection business strategy that puts the execs at ease as well as acclimate themselves with the challenges of the business.
Grant Elliott is the President & CEO of Ostendio, a cybersecurity and risk management SaaS platform. He is the former COO and CISO of Voxiva (acquired by WellTok), an integrated messaging and patient engagement platform. He has over 10 years' experience developing and managing cybersecurity programs and supporting regulatory audits. Before working at Voxiva, Elliott held senior positions at AT&T.
"CISOs are aware of the latest technology and tools available..."
But often overlook how people will interact with said technology. People cannot be automated. The best we can do is teach employees information to enable them to make the correct choice when faced with different situations.
Security budgets are delegated to the CISO, who often sits within the IT function, meaning solutions tend to be tech rather than people focused. While technology should play a key role in any cyber defense strategy, risk management must come first and in the cloud-based, IOT orientated environment we operate in, no technology can, on its own, ring-fence our data.
Therefore solutions need to be a combination of people, process and technology, and that makes it more challenging for the IT-oriented CISO. Organizations need to stop treating their people as the problem, but rather as the first line of defense. Investments need to be made in better training, better vendor management - and data needs to be viewed less in terms of 'Ownership' and more around 'Right of Use' and 'Right of Access'.
CISOs need to be aware of managing risk - and that means people, processes AND technology.
Jeremiah Cruit is a seasoned Chief Information Security Officer with 25+ years of leadership experience in the financial, telecommunications, and manufacturing sectors. Before joining ThreatX, he implemented a security program that resulted in no compromised systems for over three years and has been recognized for creating innovative fraud protection and incident response programs.
"One of the biggest things that some CISOs are blind to are..."
Any security issues not covered by a compliance framework (of which there can be many). This leads to "good enough" or "just enough" security approaches to simply maintain compliance. As we know we see, "compliant" companies are compromised over and over again (think Marriott).
There continues to be a blindness to monitoring systems that are already in place and logging events. Unless someone is closely and regularly paying attention and analyzing those logs or automation systems there often is a false sense of security from this. A great example of this is implementing a WAF but only putting it in monitoring mode, so you may be able to go look at security events retroactively but can't react to them in real time.
Mike is the partner in charge for HORNE Cyber. His primary focus is to enable clients to fully leverage technology innovations by providing the insights critical to safeguarding their business, customers' critical data and brand reputation while gaining return on investment from IT regulatory compliance activities. He is responsible for cybersecurity, information technology audit, regulatory compliance and business solution implementation.
"In our experience, we have found that most CISO/CIOs are..."
Very capable of developing and implementing a winning security strategy for the organization. However, they often fall victim to over trusting their staff. In the security space, "trust" alone is not enough. The most impactful strategy for a CISO/CIO is "trust but verify." Even for organizations with a high qualified internal team, a second set of eyes to verify accuracy and effectiveness is extremely beneficial when it comes to any and all security efforts. This "trust but verify" strategy allows for a more diverse thought process which often makes a huge difference in increasing an organization's security awareness.
Daniel Smith is the head of security research at Radware.
"Security roles are constantly evolving today highlighting the need and..."
Importance to measure oneself. Often times, the real costs of a data breach are much higher than originally forecasted. In our 2018-2019 Global Application and Network Security Report, respondents estimate the average cost of a cyberattack at $1.1M. Today's environment, where companies are migrating from legacy to the cloud or even born in the cloud, presents certain risks that cannot be ignored. Changes in recourses as the industry evolves could leave CISOs with a feeling of uncertainty as internal and external risks are unclear. Failures to understand the environment and maintain basic security hygiene can be costly.
Ofer Amitai is the CEO and Co-Founder of Portnox. Ofer has over 20 years experience in network security, from managing the security division at Xpert Integrated Systems to being Microsoft Regional Director of Security, Ofer is a proven innovator and thought leader in network security. Mr. Amitai holds a B.Sc. in Computer Science.
"Every piece of knowledge (in life) is divided to three categories..."
- Things you know
- Things you know that you don't know
- Things you don't know you don't know
For CISOs, the greatest challenge is to uncover the last one and move it toward the top. The first thing that (especially) new CISOs are not aware of is what their network consists of. Which devices connect, what type of devices, and whether they are managed / unmanaged. Knowing what you have should be the first step in risk mapping, which leads to prioritization and eventually mitigation of risks.
As an example, an IP address connecting to an Internet forum is a normal thing, but if this IP address is actually your IP Security camera, that can be a strong indication that this IP security camera is compromised and acting as a bot and that forum delivers the commands for that bot.
Roger Thompson is the CEO of Thompson Cyber Security Labs. He built the first antivirus in Australia, in 1987, and has remained in the business since. He stayed technical, and has sold a number of businesses over the last thirty years. He started his current business, TCSL Research, about two years ago, to research this problem.
"I suspect that most CISOs are not thinking hard enough about firmware security issues..."
Every day, there are of the order of a million new, and unique, bits of malware. Most are produced automatically, by other programs slightly modified, and sometimes encrypted, and just different enough to evade signature scanners. Most are actually extinct within a few days, but have been replaced two or three times since first release. These are typically ransomware, password stealers, downloaders, and backdoors, and nearly everyone is focused on these, but for some time, I've been concerned about a deeper threat firmware attacks. Since about 2007, nearly all computers use a technology called the Unified Extensible Firmware Interface, or UEFI for short. The UEFI typically contains about two hundred compiled C programs. This is a format well understood by attackers and defenders alike. The UEFI programs are supposed to be bulletproof, but they can be updated by Good Guys and if the Good Guys can, guess what? So can the Bad Guys. Anything running in the firmware is running below the kernel and has full control over the rest of the machine, and probably cannot be seen by things running at the operating system level. Eset recently announced the discovery of the first actual firmware rootkit, but prior to that, Lenovo inadvertently put one in their laptops in 2015, and there are other cases, as well.
At the moment, it's a nation-state level play, but we may be confident that the criminals will try to do it, as well.
The next malware battleground is below the OS - in the firmware - and I don't think enough people are thinking about it yet.
Mike Khorev is a Growth Lead at Nine Peaks Media, a digital marketing company that helps businesses generate more leads and grow revenue online.
"One of the most important things a chief information and security officer should be aware of is..."
Their self-awareness of skills. They should have the rare combination of technical understanding, but also outstanding management capabilities and a personality capable of communicating well.
You can't always find this combination in everyone, which is why hiring a CISO is sometimes complicated.
Another useful awareness trait is the ability to speak in terms everyone can understand. Considering the CISO may relay overly technical information to a company's CEO and other board members, using overly technical jargon can easily create confusion.
Also, being more aware of the potential security breaches a company may have is essential. This is where actionable moves like updating certifications can help them keep up to date on the latest threats.
Aligning this security with the goals of the business is not always an easy balancing act. Communicating with everyone so there's a general consensus on technological direction makes a CISO position less stressful.
They should also be aware that they can't do this job alone. Having sharp recruitment and talent management skills is imperative to avoid burnout. Relying on a well-educated and dedicated team will help bring better organization to the CISO's myriad responsibilities.
Yurii Garasym is the Chief Information Officer at ELEKS, and President of the Cloud Security Alliance's Lviv Chapter. He is a recognized professional in the field of security governance, management and operations. He focuses on developing ELEKS' security strategy using emerging security solutions, and integrates these solutions into the company's goals, objectives, strategy and activities.
"CISO as an executive role is completely different from..."
A non-executive role (most often a non-executive CISO, director, head or manager). Anything you do or not do (read: "ignore") impacts your organization. You see the whole range of issues, problems and challenges your company is facing on a daily basis.
If you're planning to become a CISO you should know:
- How much business skills matter these days (financial management, customer service, quality, efficiency, alignment, communication, leadership, negotiation, etc.). You'll mostly be using the acronyms P&L and ROI, instead of DLP and IPS.
- How high the appetite for risk may be at times. There may be cases where mitigation is not the most effective way to deal with risk. You need to understand the context of organization - this will help you make better decisions on strategy: whether to force changes, improve communication, etc.
- How much you can do without increasing your budget. You need to keep two strategies in mind: what you'd do with money and with no money. Ask yourself whether you actually need extra money to document processes, create a new dashboard, review reports, conduct awareness, align KPIs, etc. What about opting for training or courses that are free of charge?
- How important visibility is. It'll be your job to demonstrate and communicate the vision or strategy, to show the results, value and progress, and to motivate your staff. You need to prove that security is or can be business enabler, not a showstopper.