Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint

4/1/2019
09:30 AM
Sam Abadir, Vice President of Industry Solutions at Lockpath
Sponsored Article

6 Ways Effective CISOs Are Changing their Role

The new normal for forward-thinking CISOs includes coaching, increased visibility, and embracing new technology frameworks and priorities.

Read the trades, and you quickly get the impression that CISOs are stressed about cyberattacks, challenged by staffing shortages, pressured by management oversight and baffled by budgeting. 

The real story is how forward-thinking CISOs are adapting to a new normal brought about by digital transformation and the meteoric rise in cybercrime. It’s not the kind of adaptation associated with Charles Darwin, which takes generations for genetic changes to appear. The new skillset equips CISOs for an evolving role.

Here are six ways CISOs are adapting to change:

1.  C also stands for coach
The acronym CISO has taken on a new definition. The "C" now also stands for coach, which means CISOs need to give advice and guidance freely and strike an optimistic tone. Research by the Ponemon Institute shows CISOs are shifting into this coaching role.

The primary driver is a demand to help business lines shore up their cybersecurity defenses. For example, department heads are now seeking the CISO’s counsel on how the company’s technology infrastructure bears on issues like compliance with the acceptable use policy and cybersecurity best practices, and asking for talking points to use with their teams. Some CISOs are being asked to coach executives about GDPR and data privacy and, as a result, are working closely with the chief privacy officer (CPO) or adding the CPO designation themselves.

2.  Embrace organizational leadership
Given the increased reliance on technology as well as new regulations focused on cybersecurity and data privacy, CISOs who can deliver clear, actionable, role-based messages have seen their stature rise. Forward-thinking CISOs are taking advantage of their increased visibility, leveraging their ascension to leadership to further their initiatives.

Showcase how the CISO role benefits the organization and helps progress toward company goals. It’s the secret to securing budget and resources. Speak the company’s language, be mindful of company priorities and show how proposals impact what’s vital to the company.

To illustrate, Jeff Lowder, former CISO and CPO of OpenMarket, a leading mobile messaging company, took inspiration from his company’s mission statement and its reference to trust. An ISO 27001 information security program was labeled “Enterprise Trust Initiative” with a value proposition to “increase customer trust in OpenMarket by providing services that allow us to manage information risk to the right level at the right cost.” It made the program sound more company-centric, which resonated with company executives.

3.  Elevate information security
CISOs are challenged by what to share in the way of findings. Nobody wants to be an alarmist; then again you don’t want to feel like you’re rearranging deck chairs on the Titanic. Forward-thinking CISOs generate reports that offer a top-level view based on organizational goals and risks with supporting data. These CISOs know upper management wants to understand not just the threat level but also risks to assets, the bottom line and reputation.

Surescripts, the nation’s largest health information network, uses a technology platform to create real-time visual reports for the company’s executive leadership. The CISO aggregates and links data from multiple sources to communicate objectively with reputable information. Executives access the high-level review and can dive in deeper where necessary to make data-driven decisions.

4.  Embrace continuous monitoring
More and more, security teams are separating from IT departments and becoming a distinct business function. CISOs own information security, but IT owns asset protection. How well do they know the assets they’re protecting and their configurations? Organizations typically scan monthly or quarterly, while the risk of a breach is present every day.

Forward-thinking CISOs are investing in systems that can continuously monitor and audit asset security. They are finding ways to identify asset misconfigurations, as well as to uncover unknown assets, applications, and other security risks. Periodic assessments are great for compliance, but for information security in 2019, CISOs need continuous monitoring. No waiting for scans means less stress.

5. Prioritize vulnerabilities
The CISO is ultimately responsible for addressing vulnerabilities to the network and systems. What’s challenging is determining which vulnerability to tackle first, second, third and so on.

A developing best practice among CISOs is prioritizing vulnerabilities based on criticality to the organization. For example, Plamen Martinov, CISO of The University of Chicago Biological Sciences Division (BSD), directs a team that uses an asset value ranking system based on confidentiality, integrity and availability (CIA) to determine the criticality of each asset. BSD’s platform automatically performs a priority impact analysis that factors the asset’s CIA score into each new vulnerability as it arrives. It’s more efficient and effective.

Streamlined processes that utilize automation can make CISOs and their staffs more productive. Automation of routine tasks frees up time for higher-value projects.
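To make the CIA-weighted approach above concrete, here is an added example (not BSD’s platform or Lockpath’s code) that ranks findings by combining each asset’s 1-to-3 confidentiality, integrity and availability ratings with the C/I/A impact metrics of the vulnerability’s CVSS v3 vector. The scoring formula, band thresholds, asset names and finding IDs are this example’s own constructed assumptions; the page does not describe how BSD computes its scores.

```python
"""Asset-aware vulnerability prioritization (added example, not BSD's or Lockpath's code).

Assumes each asset is rated 1 (low) to 3 (high) for confidentiality, integrity
and availability, and each finding carries a CVSS v3 base score and vector.
The formula and thresholds below are this example's own choices.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Weight given to each CVSS v3 impact metric value (High / Low / None).
IMPACT_WEIGHT = {"H": 1.0, "L": 0.5, "N": 0.0}

# Assumed thresholds that bucket the 0-100 priority score into bands.
BANDS = [(70.0, "critical"), (40.0, "high"), (20.0, "medium"), (0.0, "low")]


@dataclass(frozen=True)
class Asset:
    """An asset with a 1-3 rating for each CIA property."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def cia(self) -> Tuple[int, int, int]:
        ratings = (self.confidentiality, self.integrity, self.availability)
        if any(r not in (1, 2, 3) for r in ratings):
            raise ValueError(f"{self.name}: CIA ratings must be 1, 2 or 3")
        return ratings


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset."""
    id: str            # constructed placeholder, not a real CVE identifier
    asset: Asset
    base_score: float  # CVSS v3 base score, 0.0-10.0
    vector: str        # CVSS v3 vector string


def parse_cia_impact(vector: str) -> Tuple[float, float, float]:
    """Extract the C, I and A impact metrics of a CVSS v3 vector as weights."""
    metrics: Dict[str, str] = {}
    for part in vector.split("/"):
        key, sep, value = part.partition(":")
        if sep:
            metrics[key] = value
    try:
        c, i, a = (IMPACT_WEIGHT[metrics[k]] for k in ("C", "I", "A"))
    except KeyError as exc:
        raise ValueError(f"vector lacks a valid C/I/A metric: {vector}") from exc
    return (c, i, a)


def priority_score(finding: Finding) -> float:
    """CVSS base score scaled by how much the vulnerability's impact overlaps
    with what the asset is valued for, on a 0-100 scale.

    An H/H/H vulnerability on a 3/3/3 asset keeps its full weight; a pure
    denial-of-service bug (C:N/I:N/A:H) on an asset rated low for availability
    is pushed down even though its CVSS score is unchanged.
    """
    impact = parse_cia_impact(finding.vector)
    ratings = finding.asset.cia()
    alignment = sum(w * r for w, r in zip(impact, ratings)) / 9.0  # 0.0-1.0
    return round(finding.base_score * alignment * 10.0, 1)


def band(score: float) -> str:
    """Map a priority score to its band."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    return "low"


def prioritize(findings: List[Finding]) -> List[Tuple[Finding, float, str]]:
    """Return findings ordered highest priority first, with score and band."""
    scored = []
    for f in findings:
        s = priority_score(f)
        scored.append((f, s, band(s)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample inventory and findings; ids and names are placeholders.
PATIENT_DB = Asset("patient-records-db", confidentiality=3, integrity=3, availability=2)
LAB_SCHEDULER = Asset("lab-scheduler-web", confidentiality=1, integrity=2, availability=3)
LOBBY_KIOSK = Asset("lobby-kiosk", confidentiality=1, integrity=1, availability=1)

FULL_COMPROMISE = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"  # base 9.8
REMOTE_DOS = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"       # base 7.5

SAMPLE_FINDINGS = [
    Finding("finding-A", PATIENT_DB, 9.8, FULL_COMPROMISE),
    Finding("finding-A", LOBBY_KIOSK, 9.8, FULL_COMPROMISE),
    Finding("finding-B", LAB_SCHEDULER, 7.5, REMOTE_DOS),
    Finding("finding-B", PATIENT_DB, 7.5, REMOTE_DOS),
]

if __name__ == "__main__":
    for finding, score, label in prioritize(SAMPLE_FINDINGS):
        print(f"{score:5.1f}  {label:8}  {finding.id}  on  {finding.asset.name}")
```

The point the sample data makes is that the same vulnerability lands in different bands on different assets: the remote denial-of-service finding outranks itself on the availability-critical scheduler (25.0) versus the confidentiality-critical database (16.7), because the database’s value lies in properties that bug does not touch. In a real deployment the asset ratings would come from the inventory system and the vector strings from the scanner feed; anything that fails `parse_cia_impact` should be queued for manual review rather than silently scored zero.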

6. Leverage frameworks
Frameworks such as those published by NIST provide controls and guidance that support the CISO’s efforts to drive information security. Are you leveraging information security frameworks? Forward-thinking CISOs do, and it’s helping them excel in complex compliance environments.

Jeff Lowder, OpenMarket's former CISO, adopted all 18 control families in NIST SP 800-53 Revision 4 and created a 19th custom control family. Because everything lives in the same platform, and because one control can satisfy many regulations, OpenMarket maintains compliance with 173 contracts and 254 compliance mandates. If there’s ever an issue, Lowder can use the platform to gain instant visibility into any contract or compliance mandate.

The CISO world is complicated enough. A framework provides an advanced starting point, along with essential guidance and support.

It’s easy to dwell on the negative or fall into the misery-loves-company trap. It’s far harder to envision a future for CISOs that’s filled with promise. Forward-thinking CISOs in all industries are taking on coaching, embracing organizational leadership, and adopting frameworks in technology platforms designed for information security management.

As Stephen Hawking said, "Intelligence is the ability to adapt to change." If anybody can adapt to change and thrive, it’s smart CISOs.

About the Author
Sam Abadir, VP, Industry Solutions, Lockpath

Sam Abadir has over 20 years of experience helping companies realize value through improving processes, identifying performance metrics, and understanding risk. Sam has worked with software companies like Lockpath to build the tools that help companies manage risk and create value that enhances performance in a structured and efficient manner.
