Managing risk on a global scale has always been challenging, but in light of the COVID-19 pandemic, CISOs have had to become even more agile. The shift to hybrid work, the rapid deployment of cloud applications, and the move to continuous integration and continuous development (CI/CD) have emboldened threat actors with new and broader targets.
Meanwhile, the number of devices and endpoints on organizations' networks has increased exponentially. Two veteran CISOs lamented the challenges that these changes have imposed during a webinar last week organized by Sepio, an asset detection and risk management startup. Sepio CISO Ilan Kaplan moderated an hour-long discussion with HSBC CISO Monique Shivanandan and Carl Froggett, who was CISO at Citi for 17 years before joining startup Deep Instinct last summer as CIO.
Shivanandan and Froggett shared with Kaplan what they see as three of the most significant challenges the rapidly changing cybersecurity and risk landscape presents.
1. Maintaining Visibility of All Network Assets
Cybersecurity professionals have historically struggled to gain complete visibility into what's on their networks and threats directed at them. Froggett noted that newer cloud-native technologies, such as container-based applications and software-as-a-service (SaaS), offer better visibility than traditional software because modern apps were built to be more secure.
But overshadowing that benefit is the sheer scale of all the components associated with modern applications.
"An asset used to survive five, six, seven years, or longer if you include the underlying operating systems, whereas now the lifetime of the container can be measured in seconds or maybe minutes," Froggett said. That creates "a whole new set of [visibility] challenges from that perspective."
Shivanandan noted that traditional methods of capturing inventories, keeping them up to date, and tracking them were predicated on the notion of adding assets to a network manually. But with modern applications, that doesn't work, she said, because of the scale and the speed by which devices and software are deployed.
"One of the biggest challenges that every CIO and every CISO faces is having that visibility and making sure that visibility is up to date," Shivanandan said.
2. Avoiding New Risks When Adding Apps
Besides addressing the mounds of existing regulatory risks and the current threat landscape, security teams must also avoid being the source of new risks. Asked how they ensure that, Shivanandan said that, while reviewing the source code of every component added to the infrastructure is impossible, HSBC has rigorous processes around onboarding a new technology, which includes "a lot of pen testing and red teaming."
"Unfortunately, with the number of parties we have, we cannot do it for everyone," she added. "We do it for a select few." The problem is "every software change and every new release can knowingly or unknowingly introduce something new. It's a constant battle that we're facing."
Froggett said that Citi has strict processes around onboarding new technology, including pen testing and red teaming, but with the current release cadences, enforcement has become challenging. "Ultimately, you can't usually do source code reviews" of everything that comes in, he said.
3. Recruiting and Retaining Skilled Talent
The shortage of experienced cybersecurity specialists is nothing new, but Shivanandan said it remains one of her top challenges. "All the technology in the world is only as good as the people there to make sure that we install [everything] correctly and keep it up to date," she said.
Despite considerable progress, Shivanandan said it remains difficult for women to break the glass ceiling. She said she believes that men have an outsized presence in senior cybersecurity roles compared with the entire IT industry.
"When you start out at the lower levels, there's [an] equal [proportion of] men and women, 50-50, sometimes even 60-40 women," she said. "Then, as you go through the progression, the women drop out and the men continue to progress from a seniority level."
Nevertheless, women face fewer barriers today compared with when she started out, Shivanandan said. "When I was starting out, they wanted to pat you on the head and say, 'Dear, don't worry your pretty little head. I'll take care of technical things.' But not anymore," she said. "There's no ceiling for a woman to get into any position now. It's a matter of just perseverance."
Shivanandan considers herself fortunate at HSBC, where 40% of her leadership team is women. "The women and the men are both fantastic, and that's the thing that you really want to look for," she said.
During Froggett's nearly 25 years at Citi, most of his bosses were women, he said. "The job's not done for sure, but there is definitely more of a balance [than what] I saw five or 10 years ago."
Shivanandan emphasized that creating a diverse team goes beyond gender. A large portion of her team are neurodiverse, she said. According to research, an estimated 15% to 20% of people have some form of neurodivergence, such as autism, attention deficit hyperactivity disorder (ADHD), mental health conditions, or learning disabilities.
Those conditions are often assets: "That's what makes them fabulous in the job," Shivanandan said. "[But] I think that's probably harder to overcome from a career progression standpoint, from a leadership versus a technical perspective."