Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

3/23/2020
10:00 AM
Mike Convertino
Mike Convertino
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

From Zero to Hero: CISO Edition

It's time for organizations to realize that an empowered CISO can effectively manage enterprise risk and even grow the business along the way.

Traditionally, CISOs have borne the brunt of blame for cyber events that affect an organization. Because CISOs are the leaders in charge of data security, any breach has been seen as a mistake on their part and consequences doled out accordingly. However, as companies' understanding of cybersecurity has evolved, this is starting to change in fundamental ways; today's CISO faces an unprecedented opportunity to be hailed as a hero, rather than condemned as a villain, in the aftermath of a cyberattack.

Case in point: A few years ago, a security event erupted inside a security vendor's own internal network. The internal security team was using the company's own products, and the CISO had been granted access and permissions to modify the products' code locally along with other resources to adapt them to his own use. When the attack occurred, the modifications he and his team had made were the difference between a large-scale, publicly reportable event and a significantly smaller incident that was entirely manageable.

During the incident, the security teams responded alongside product development teams and explained to developers how the attack worked, along with the modifications they'd made that helped stop the attack. In tandem, the CISO was briefing the C-suite and board regularly, including how the depth and breadth of product modifications made by the security team made a difference. Specifically, he explained how the company's products were modified to block attacker communications and how the products were made to interface with security products from other companies to enhance the speed of the blocks.

Rather than blame, second-guess, or threaten the CISO with his job, development executives praised the security team's product innovations to those in the C-suite, who then pulled the CISO into a larger product development role that ultimately increased business.

What It Takes to Be a Modern CISO
While this template may not necessarily be repeatable across industry sectors, it helps illustrate some important shifts in how companies behave after a major security incident

With new attacks forming faster than the technologies to fight them, holding CISOs to an entirely unrealistic standard doesn’t actually serve anyone. The truth is that no matter how many technologies are deployed or how good the security posture is, 100% protection from cyberattacks is simply not possible. Perhaps senior leadership and boards of directors are finally starting to acknowledge this fact, or perhaps they're starting to realize that a successful response to an attack, along with actions by other parts of the organization, contribute to the ultimate scale and scope of the event.

CISOs are uniquely capable of gauging cyber-risk and how to reduce it. Experienced CISOs understand the threats their companies face and know how to deploy the optimal mix of people, processes, and technologies, weighed against threats, to provide the best possible level of protection. Organizations that understand this are leading the charge in shifting the perception of the CISO from technical manager to strategic risk leader.

Given this shift in industry and perception, it's only a matter of time before CISOs' skills and expertise — along with their well-managed team — will be needed to prevent disaster. When that moment occurs, however, the difference between success and failure lies in the degree to which they've been empowered by the organization to take the necessary steps — before, during, and after an attack.    

What Do Empowered CISOs Look Like?
First, they have strong social support within their organizations. They are involved in decision-making that affects overall security across the enterprise.

Second, they have authority over the cyber-risk management budget, including insurance, as well as overseeing response and recovery efforts. CISOs typically have to coordinate many parties when an attack hits, including outside counsel, insurance providers, incident response contractors, and infrastructure recovery contractors. Having responsibility without budget or authority is a recipe for failure at a critical time.

Finally, the board and senior leadership recognize that no solution for cyber threats is perfect, and an increase in attack frequency means that eventually one will succeed. They understand that blaming the CISO after a cyber incident is unfair and deprives the organization of an opportunity to learn from the experience, with a professional who is best positioned to make the company safer in the future.

As the tide of perception continues to shift in favor of today's CISO, it's important to remember that empowering the role with support, authority, and resources can make all the difference to your organization's unsung CISO hero.

Related Content:

 

Mike Convertino is the chief security officer at Arceo.ai, a leading data analytics company using AI to dynamically assess risk for the cyber insurance industry. He is an experienced executive, leading both information security and product development at multiple leading ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10940
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
CVE-2020-10939
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
CVE-2020-6095
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
CVE-2020-10817
PUBLISHED: 2020-03-27
The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.
CVE-2020-10952
PUBLISHED: 2020-03-27
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.