Analytics

9/19/2018
04:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
0%
100%

As Tech Drives the Business, So Do CISOs

Security leaders are evolving from technicians to business executives as tech drives enterprise projects, applications, and goals.

The tasks topping the CISO's to-do list are slowly shifting, as their core priorities transition from primarily technical expertise to securing business applications and processes.

It's the key takeaway from a new report, conducted by Enterprise Strategy Group (ESG) and commissioned by Spirent, on how CISO responsibilities are shifting as cybersecurity becomes more complex. Researchers polled 413 IT and security pros with knowledge of, or responsibility for, the planning, implementation, and/or operations of security policies and processes.

"There's a transition from a technology focus to a business focus," says Jon Oltsik, ESG senior principal analyst. "And that doesn't preclude the oversight of technology, but the technology is sort of guided by business initiatives, business applications, business goals, things like that."

About 80% of experts say security knowledge, skills, operations, and management are more difficult now compared with two years ago. They attribute the complexity to growth in the number and sophistication of malware, IT projects, targeted attacks, and connected devices.

Nearly all (96% of) respondents say the CISO's role has expanded, and the primary driver of their prominence is increasing difficulty of protecting enterprise data. Nearly 80% point to malware as the primary reason, and many claim between 80-90% of malware attacks target a single device, and 50-60% of malicious Web domains are active for one hour or less.

Organizations are increasingly digital and cyberattackers are taking precise aim to poke holes in their defenses. Oltsik calls it "death by a thousand cuts". CISOs have seen breaches and regulations increase as more people realize the business is driven by tech. "Regardless of what business you're in or process you're talking about, there's an IT underpinning," he notes.

CISOs are becoming part of more board-level discussions to prevent breaches.

"There's a real shift from reactivity to proactivity," says Oltsik. In the past, companies built their defenses and hoped nothing bad would happen. When something eventually did happen, their responses were poorly organized, inefficient, and took a long time to put into practice. What's more, responses were tech-oriented – not business oriented. The answer to compromise was "let's fix the system" and not, "how do we fix the business," he explains. Now, this has changed.

The CISO's Growing To-Do List

How the CISO's responsibilities change depends on the size of the organization, he continues. In a smaller organization they'll be more involved with technology; less so in a larger enterprise.

"They're being asked to participate in board-level meetings, business planning meetings," Oltsik says of CISOs who manage within larger organizations. Especially in larger companies, the CISO is moving more toward business skills and away from technical skills.

Business leaders used to ask the CISO what controls they needed; now they want security embedded in business planning and application development. "You want security expertise in the operations groups, you want that in development groups, you want that in each component of operations, including the cloud," he adds.

CISOs also have a responsibility to convey security data to business professionals, adds Amie Christianson, director of Operations Application Security at Spirent. High-level executive summaries help board members understand the threats affecting their business.

She uses a medical example. "When I get my lab results, I want to see at a high level what they are, and am I within a certain range," she explains. "And that gives me peace of mind." A doctor might see more details and act differently on the data, but a summary tells her everything she needs to know about her health. The same applies for CISOs and security summaries.

More Projects, More Problems

The increase in corporate IT projects is the second-biggest driver of complexity, researchers found, and projects related to IoT and cloud make security a greater challenge. Oltsik says he's seeing more digital transformation applications, more IoT apps, more social media use, and greater reliance on mobile devices and applications.

Business processes and initiatives "are happening at a faster pace than they did in the past; they're being done in an agile manner," he continues. Applications have gone from six-month release cycles to multiple releases per day, and all of that affects security. Security teams used to plan for risk assessments and controls every few months; now, it's every day.

When they face a new project, CISOs who have responsibility from the get-go can address security at the beginning and continuously test it throughout development. Most (86% of) respondents agree integrating security in project planning can lessen the likelihood of a breach, and 79% agree businesses should more frequently test security controls.

As security budgets continue to grow – and researchers found they will among 92% of respondents – businesses are shifting their spending from point tools to more integrated architectures. Professional and managed services are becoming popular as CISOs realize they lack the staff to handle the many security tasks they're assigned.

As for outsourcing, "pedestrian areas" like email security and Web security are the first to leave the business, says Oltsik. While these are the most frequently outsourced, he says he's beginning to explore the implications of using outside firms for threat detection and response.

Ultimately, he anticipates, we'll see the role of the CISO split in two: a chief business security officer, who focuses on the enterprise, and a chief technical security officer who focuses on the systems. Christianson agrees: as security becomes part of the risk conversation, the business-focused CISO will be required to communicate with risk and compliance officers.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: camera, camera everywhere, not a single news to rely on
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-16873
PUBLISHED: 2018-12-14
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, b...
CVE-2018-16874
PUBLISHED: 2018-12-14
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in mod...
CVE-2018-16875
PUBLISHED: 2018-12-14
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are ...
CVE-2018-14623
PUBLISHED: 2018-12-14
A SQL injection flaw was found in katello's errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak internal IDs. This is issue is related to an incomplete fix for CVE-2016-3072. Version 3.10 and older is vulne...
CVE-2018-18093
PUBLISHED: 2018-12-14
Improper file permissions in the installer for Intel VTune Amplifier 2018 Update 3 and before may allow unprivileged user to potentially gain privileged access via local access.