David Scholefield, Chief Information Security Officer at Demica, examines the InfoSec landscape for the coming months and how embracing individuality and collaborative potential is a CISO’s superpower.
As we look ahead to the security landscape for the second half of 2024, one thing we can guarantee is that there will be many new significant challenges and opportunities that all CISOs will need to consider and address. InfoSec never stands still, and CISOs will have to run faster and harder than ever to keep up.
Cybercriminals, legislative changes, increasingly demanding customers and other stakeholders are all driving ever greater levels of vigilance and focus on the cyberthreats present in an increasingly hostile environment. CISOs need to be aware their main focus should be on protecting the value built by their organisation while also being mindful of its need to remain agile enough to take advantage of a world where technology is accelerating faster than ever and bringing both major change and opportunity.
It’s certain that the increase in number and sophistication of cyberthreats in the months ahead won’t make this balancing act any easier, but if we keep a few key ideas in mind, we can ensure that at the end of this year, we can look back on clear InfoSec wins, and not the far less palatable alternative.
InfoSec is a team sport
It’s an oft-repeated saying in InfoSec that people are the weakest link in any security programme. This is a trite and lazy assumption that bears a lot more consideration. It’s too easy to blame our fellow colleagues for ‘doing the wrong thing’ in InfoSec terms, but we should be asking why they are put in a position where they are expected to know about (often complex) InfoSec risks and issues and act in an appropriate way.
It’s true that awareness training can help with reducing the risk of people making poor decisions, but we should be looking at people’s working processes and habits and trying to support the right way of working with tools and controls that enable the individual to retain their enormously valuable flexibility and creativity – whilst reducing the likelihood of them causing a significant security incident in the first instance.
We should also be aware that mistakes will happen, regardless of good controls or good intentions, and we should practice defence in depth so that one person’s mistake doesn’t burn the house down. It’s crazy that we expect our colleagues to perform in an increasingly complex and fast-changing technical environment with perfect InfoSec expertise simply because they’ve watched a basic video on phishing. Let’s stop blaming people when the inevitable mistake occurs because it doesn’t help them, and it doesn’t help our security.
Of course, there’s a huge industry that has arisen from the misconception that we can easily train our way out of the ‘people risk’. A lot of claims are made of how training and awareness can significantly help with this challenge, but there’s no clear evidence that this works on its own or is even very effective. I’d argue that although good awareness training is certainly valuable, it is far from the most important way to reduce this type of risk. It’s better to threat model the riskiest roles and processes and devise controls that defend against critical impact should specific mistakes arise. This isn’t simple, and it requires in-depth analysis of roles, processes and risk, and you can see why it’s appealing to believe in an easy one-size-fits-all training approach. But I’d argue this isn’t effective when compared to role-specific analysis and defence.
The other side of the coin to the ‘all people are dangerous’ meme should be that InfoSec can’t be implemented and controlled centrally in a single department or team. The team needs to advise, support and empower, but everyone in the organisation needs to be recruited into the InfoSec team as additional eyes and ears – always on the lookout for security risk and potential threats, always ready to suggest their own improvements to working practices and empowered to contribute to the overall infosec effort.
InfoSec isn’t a black art of highly mystic experts, it’s primarily all about people, and all people should be involved. In fact, all employees can be seen as an asset, not as a ‘problem’. As a CISO, if you’re not talking to everyone, everywhere in the organisation about what they do in their role, what they think it means to work securely and listening to their views on all things security, then you’re missing a trick – get out there and talk to everyone and make them part of your team today.
New technology is coming – you’d better be ready
If you ask any number of CISOs what their biggest challenge is right now, then a lot of them will say ‘complexity’. Technology change is accelerating, and with all change comes potential risk; it’s no wonder that CISOs find keeping abreast of new technologies in the organisation daunting. But, if we think it’s a challenge now, we can see an even bigger and more complex behemoth barrelling down the road towards us, with no brakes and no intention of changing course. It’s not going to stop for anyone – and that change is AI.
It’s no exaggeration to say that AI will be one of the most significant technological and social changes that our world has ever seen. As tempting as it may seem to want to slow this change down until we understand the risks as well as the opportunities, any such attempt would be misguided. AI will divide organisations into the timely adopters and non-adopters, and the non-adopters will be out-evolved very quickly. CISOs therefore need to understand and manage the risk of AI, but also take advantage of the power and acceleration it can give to the execution of any InfoSec programme and for business outcomes as a whole.
AI has many risks, and privacy, intellectual property conflicts, ethics and bias are all discussed commonly, but at the same time AI tooling has also come to infosec’s aid and is being quietly adopted by security teams without too much fuss.
From intrusion detection systems, to advice on secure coding and vulnerability management, to templating policies – the list goes on. Any InfoSec team, should they dig deep enough into their toolbox, will find AI embedded in their systems in numerous places. Of course, this is just the InfoSec team; other teams around the business will also be using AI: some instances will be hidden and even the user is unaware, some adoption is obvious and loudly championed by users and vendors alike. The genie is out of the bottle and there’s no stuffing it back in.
Every CISO will have to think about the balance of managing the risks of inevitable widespread adoption, with the advantages it brings in agility, speed and productivity. Adoption is inevitable and so we need to be prepared: if you’ve not thought about a security position on AI and how it fits into both your security programme and your risk log yet, I’d start today.
Compliance shouldn’t be theatre
Customers like compliance, state authorities like compliance, insurers like compliance, but, for some reason, many CISOs and other security professionals who are asked to implement security compliance programmes most certainly do not. Why? And should we learn to love this InfoSec cast-out a little bit more?
For some organisations, InfoSec compliance is security ‘theatre’. It’s a flashy, checkbox ticking exercise where any audit is merely a process of proudly waving policy whilst loudly proclaiming how important security is to the organisation. A kind of bluff-and-hope approach to compliance in which the CISO relies on an accommodating auditor to overcome the little actual effort taken to comply. Compliance is seen as a nuisance and a blocker to ‘real’ security work.
I’d argue that this approach is ignoring one of the most powerful tools in the InfoSec toolbox, and by misunderstanding the advantages of a genuinely implemented compliance programme, a CISO can end up creating risk and liability when they could be increasing protection and realising hugely positive InfoSec outcomes.
Consider ISO/IEC 27001: it’s an internationally recognised standard for the implementation of a management system for information security. Over the past few decades, information security experts have considered and debated its content until it now represents hundreds of thousands of hours of informed consideration of what constitutes a quality InfoSec programme – and it’s free (well, a copy of the standard will cost a few hundred dollars, but in the InfoSec world this is practically free).
This is like having hundreds of experts providing advice over your shoulder every day, solving the kind of challenges people have faced for years. This isn’t specific to ISO; the same expertise can be found in PCI-DSS, or NIST CSF, or CIS, or many other security standards.
So, adopting a compliance standard and actually implementing it in the spirit in which it has been created can be like having a whole other team of experts on your side and can drive real improvements, including the consideration of areas of InfoSec you may not be familiar with, suggested tried and tested controls, and new technologies and tools you may not have thought of. What’s not to like?
Compliance can also be a powerful tool in assessing suppliers. Not just the presence of a certificate for complying with an InfoSec standard (which may have been the result of some clever theatre – see above) but a proper consideration of the scope and context for the compliance and the review of the appropriate application of any controls defined by the standard.
I’d argue that if a CISO isn’t using a compliance standard to drive improvements in their programme then they can quickly turbo-charge their efforts and outcomes by deeply understanding at least one security standard appropriate to their operations and adopting it whole-heartedly. I’m promoting this positive GRC approach even though I’m a technical CISO, so that should be enough prompting to anyone still sceptical about the value of this activity. 2024 should be the year that standards made their presence felt and drove real improvements in programme implementation – if you’re not on board yet, hop on and enjoy the ride.
CISOs and the board
2024 will see an acceleration in the changes to reporting lines for CISOs and their teams. It’s a trend that has been increasing over the last few years but as boards have become more aware of what they need from the CISO role, and from their InfoSec function as a whole, they are making more informed decisions about who their CISO should report to.
More and more organisations are expecting their CISOs to take a place on the board and this change in reporting reflects the fact that information security is no longer thought to be just a purely technical area and therefore most likely to report into the CTO or CIO. There is also an understanding that asking a CISO to report to a CTO or CIO can give rise to a conflict of interest. CTOs and CIOs create value in organisations whereas CISOs protect value; sometimes these considerations are in conflict, and they need to be championed equally and in such a way that the board can make critical decisions on prioritising one or the other if and when required.
It is also becoming increasingly understood that InfoSec is a strategic consideration for an organisation and feeds into decision making around the direction of the company, its processes and initiatives, its market positioning and other non-technical areas of company governance and management.
All CISOs should be constantly considering their reporting lines and providing advice to their management team on whether there are advantages to changes in this aspect of their role. My prediction is that 2024 will see a lot of changes in this area, and CISOs will start to provide more value to the strategic side of the business – to the benefit of all.
In summary
The months ahead are going to be even more challenging to CISOs and their security team but there are tools and approaches that can make a real difference and help to ensure positive outcomes throughout the year.
Recruiting everyone in the organisation into your InfoSec team and understanding that they are not ‘the biggest weakness’ but can be ‘the greatest strength’ will go a long way. Not relying on one-size-fits-all InfoSec training, and not having a blame culture, whilst understanding the individual needs, qualities and collaborative potential of all employees is a CISO’s superpower.
Being ready to adopt AI and embrace its advantages whilst understanding and controlling the risk will define the year for many CISOs – if you’ve not considered this yet, I’d start running very fast right now.
Adopting the expertise available in security compliance standards and turbo-charging their genuine adoption can please customers, authorities and insurers, but much more importantly, can hugely improve a security programme’s implementation and effectiveness. Don’t ignore this curated body of expertise in 2024 and lean into the free knowledge on offer.
Regularly assessing your reporting lines and empowering senior management in making decisions around changing these where appropriate should be constantly under consideration. Make 2024 a year where you feel confident that you are in the right place in the org-chart to be most effective and of most value to the organisation.
And finally, if you’re a CISO reading this and regardless of whether you agree with all that is presented here, good luck for the coming year, it’s going to be an adventure.