The pressures that CISOs face are rising, but it must be remembered that they are human. Neil Thacker, Chief Information Security Officer for EMEA at Netskope, shares his thoughts on the role of the CISO and the optimistic future ahead.
With an increasingly sophisticated threat landscape and an ever-expanding attack surface, the list of things keeping CISOs up at night never seems to stop growing. When a company’s data is stolen, no matter how robust its security programme is, all the outside world sees is that the organisation failed to protect itself. Outsiders rarely see the strengths of the organisation’s defences, the many attacks it stops every day, or the measures and actions taken to protect data.
The weight of success, set against the potential of a security incident to derail that success, sits heavily on a CISO’s shoulders: Have all the known threats been mitigated to an acceptable level? Does the business have the cybersecurity training and education it needs? Have I presented enough information for the company to take action? Have I done enough?
As much as we want the answer to be quantifiable, there will never be a single measure for this. I therefore encourage CISOs, myself included, to continually remind ourselves not just of our weaknesses, but of our strengths too.
Security is always on the CISO’s mind – but it needs to become a priority for the whole organisation
We know companies will get breached – it’s a matter of when, not if – yet most of these companies have already mitigated and thwarted many attacks and have invested heavily in cybersecurity, in both time and resources. In the media, however, that good work usually goes unreported and the focus falls only on the failings.
Most CISOs are cognisant of the constant possibility of a major breach and will work to highlight the risks. However, the responsibility of the CISO is not to take on the organisation’s risk, but to present the information so that decisions can be taken by the appropriate teams, who ultimately own that risk. I’m not denying our responsibilities – CISOs must be able to collaborate and have open discussions with key stakeholders in the organisation so that the requisite action is taken.
For example, it is our remit to communicate risk effectively and to advise the organisation about the potential impact. It is our remit to ensure there is a conscious business decision to continue investing in cybersecurity, and to implement security by design, for example when launching a new product or service.
If a CISO is lucky enough to convince their board that it’s a matter of ‘when, not if’, the next question they’ll be asked is ‘how quickly can we respond to and mitigate the threat?’. CISOs need to ensure they measure the right metrics, such as time to detection (from the first attacker activity to the moment it is noticed) and time to mitigation (from detection to containment). The longer either of those takes, the bigger the impact typically is.
Performance against these metrics is heavily affected by the skills shortages many CISOs report. We have already started to look at AI and automation to assist, but it’s not a matter of replacing jobs that already exist; it’s pre-empting the jobs we will need in the future.
These are some of the pressures CISOs face when going into a board meeting, where they are not only expected to have all the technical answers, but must also have a strong understanding of business risk and how to streamline costs.
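As an added illustration of the two metrics just named (this is example code written for this page, not Netskope’s or the author’s own tooling), the block below computes time to detect and time to mitigate over a small set of constructed incident records. The field names (`first_activity`, `detected`, `mitigated`) and the 24-hour dwell threshold are assumptions for the example; the records are fabricated sample data, not real incidents. It reports the median beside the mean because one long-dwell intrusion drags the mean a long way from what a typical incident looks like, and it keeps open incidents out of the mitigation figure rather than silently treating them as resolved.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample incidents for illustration only (not real data).
# Timestamps are naive UTC ISO-8601; "mitigated" is None while an
# incident is still open.
INCIDENTS = [
    {"id": "INC-1", "first_activity": "2024-03-01T08:00:00",
     "detected": "2024-03-01T10:30:00", "mitigated": "2024-03-01T14:00:00"},
    {"id": "INC-2", "first_activity": "2024-03-03T01:00:00",
     "detected": "2024-03-03T01:15:00", "mitigated": "2024-03-03T02:15:00"},
    # A long-dwell intrusion found weeks after the first activity, still open.
    {"id": "INC-3", "first_activity": "2024-02-20T00:00:00",
     "detected": "2024-03-05T12:00:00", "mitigated": None},
    {"id": "INC-4", "first_activity": "2024-03-06T09:00:00",
     "detected": "2024-03-06T09:45:00", "mitigated": "2024-03-06T11:45:00"},
]

HOUR = 3600.0


def _hours_between(start: str, end: str) -> float:
    """Elapsed hours from start to end; rejects timelines that run backwards."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        raise ValueError(f"{end} is earlier than {start}")
    return delta.total_seconds() / HOUR


def time_to_detect(incident: dict) -> float:
    """Hours from the earliest known attacker activity to detection."""
    return _hours_between(incident["first_activity"], incident["detected"])


def time_to_mitigate(incident: dict):
    """Hours from detection to mitigation, or None if the incident is open."""
    if incident["mitigated"] is None:
        return None
    return _hours_between(incident["detected"], incident["mitigated"])


def summarise(incidents: list) -> dict:
    """Mean and median of both metrics. Open incidents count towards
    time to detect but are excluded from time to mitigate."""
    ttd = [time_to_detect(i) for i in incidents]
    ttm = [t for t in (time_to_mitigate(i) for i in incidents) if t is not None]
    return {
        "mttd_hours": mean(ttd),
        "median_ttd_hours": median(ttd),
        "mttm_hours": mean(ttm) if ttm else None,
        "median_ttm_hours": median(ttm) if ttm else None,
        "open_incidents": len(incidents) - len(ttm),
    }


def long_dwell(incidents: list, threshold_hours: float = 24.0) -> list:
    """IDs of incidents whose time to detect exceeded the threshold (assumed
    24h here); these are the ones worth walking the board through."""
    return [i["id"] for i in incidents if time_to_detect(i) > threshold_hours]


if __name__ == "__main__":
    for key, value in summarise(INCIDENTS).items():
        print(f"{key}: {value}")
    print("long dwell:", long_dwell(INCIDENTS))
```

On the sample data the mean time to detect is nearly 88 hours while the median is about 1.6 hours: a single undetected intrusion (INC-3) accounts for almost all of the difference, which is exactly the kind of outlier a board should hear about separately rather than have folded into an average.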
Company policy must keep up with the ever-evolving threat landscape
How much CISOs worry all comes down to the value of data – and increasing amounts of data bring an expanding attack surface. With the sheer volume of data now stored and accessed through the cloud, oversight and governance are becoming increasingly complex. ‘Attack surface management’ is no longer just about networks and devices; it needs to include the cloud.
Similarly for ransomware, new tactics can change the value of the data. When attackers exfiltrate data before encrypting it, the concern is no longer only availability but also the integrity and confidentiality of the data, and encryption at rest on its own may no longer be a sufficient control. Cyber insurance premiums remain volatile in part because the legacy controls that are still pervasive today are not sufficient against these tactics.
CISOs must constantly think about current and future controls and exceptions and how to address them, but we are only human and cannot have oversight of everything. We can, however, try to select the most relevant control for each threat and therefore, ultimately, for the risk.
The sooner we address complexity, the less complex it becomes
For many organisations, complexity is the enemy. Instead of dealing with it now, they choose to deal with it later – and keep adding to it in the meantime.
Unfortunately, the complexity of an IT environment is not an issue that the CISO can solve alone. Many decisions end up being made on the basis of specific needs and issues rather than an overarching strategy. A CISO’s role is to reduce and manage risk, and to present it clearly to the C-suite and key stakeholders, within the constraints of tight budgets.
So, what do CISOs have to be hopeful about?
While there are clearly many things keeping CISOs awake, there is also much to be optimistic about. A major improvement in standards and frameworks is under way. New regulations, standards and frameworks are arriving, including updates to existing standards that support innovation in our controls (for example, ISO/IEC 27001 has been revised from its 2013 edition to a 2022 edition to account for the rapid technological change of the last decade).
On a more personal level, CISOs today can speak with key stakeholders to ensure they are all involved in the decision-making process. We enjoy this aspect of collaboration – the worst thing would be not having a relationship with your wider team. Discussions about cybersecurity are opening up and becoming a company-wide issue rather than falling solely on the CISO. We will sleep better knowing that the business is increasingly on our side and supportive of our decision-making.