Dark Reading is part of the Informa Tech Division of Informa PLC

10:00 AM
David Bradbury

How CISOs Can Play a New Role in Defining the Future of Work

Rather than just reacting to security issues in the COVID-19 era, CISOs are now in a position to be change agents alongside their C-suite peers.

When the COVID-19 pandemic began, every CISO across every industry scrambled to get their teams up and running. When we left our physical office space, we left our traditional security strategy behind with it. The theme of remote security has stayed top of mind since March: Cybersecurity experts correctly predicted that cybercrime in a virtual workforce would be a central topic at the recent Black Hat conference, and CISOs have had to rethink 2020 strategy with remote work leading the way.

While the initial remote shift opened the floodgates for many challenges, it also opened pathways to longer-term strategic opportunities for CISOs. Rather than behaving as "reactors" to security issues and taking a back seat in leadership compared with their C-suite peers, CISOs are now in a position to be change agents. During these unprecedented times, they must pave the way toward securely enabling the future of work and digital experiences and think through every potential future threat scenario.

CISOs have been waiting to prove their worth — and now is the perfect time to do so. Here are four ways they can successfully lead with change and act as more strategic C-level partners.

Carve Out More Time with C-Suite Stakeholders
CISOs and CSOs typically come from a technology background, like me — they usually have a computer science, engineering, or security degree, where there is little emphasis on topics like leading organizational change. The COVID-19 pandemic has introduced roadblocks nobody has ever encountered before, and the CISO has had to weigh in regularly on the security side as broader organizational decisions are discussed. The past few months have challenged CISOs with every type of experience and background to join in the executive ranks and collaborate more with C-suite decision-makers.

For me, this has meant carving out time for more frequent meetings with executives I'd typically only meet with on strategy every couple of weeks. I'm spending more time with my engineering and IT leaders to securely enable our workforce, and I'm also spending more time with our CEO to discuss cyber-risks as they evolve with COVID-19 — specifically, what that means not just for ourselves but also our customers. When I first started a few months ago, I met with him every day for one hour to talk to him about what we should be prioritizing on the security front. Our time was spent discussing the immediate needs and actions that we needed to take as a company, but importantly, we spent a great deal of our time dedicated to looking at how we can leverage our shared experiences to better protect and enable our customers in an ever-increasing threat environment.

Shift Focus from Your Team to the Company as a Whole
While a CISO's day-to-day role before the pandemic might have been centered primarily on initiatives tied to his or her own team, every CISO now has to broaden that focus and get involved in every team across the organization. A CISO's vision is always to create a culture of security across the organization, and over the past few months, working with customer-facing and other critical frontline teams on specific security measures has surfaced as an undeniably critical priority.

Depending on the size and nature of your company, this might mean taking time to learn about new roles and getting more deeply ingrained in other teams' responsibilities to understand how CISOs can play a bigger part. I myself am spending time working with a number of teams outside of security, from customer service to sales and the field, to support how we deliver services for a remote work world. As this environment continues to change and remote work becomes permanent, collective action and cross-collaboration must happen to instill security across the entire organization.

Balance Remote Work Vulnerabilities with Transformational Change
The hardest challenge for many CISOs right now is balancing the influx of remote work threats with the need to focus on long-term strategic goals. With remote workers using more tools, apps, and technologies than ever before, we've had to ensure security remains at the forefront and that our employees take time to slow down and consider the security implications of every new technology deployed. At the same time, CISOs need to stay one step ahead and consider how they can play a leading role in changing frontline technology services that facilitate improvements to both workers and customers. 

No matter how many urgent remote work vulnerabilities arise, CISOs must maintain a focus on what comes next. I'm juggling new inbound and quick-turn needs that arise every day but also collaborating with the executive team on our plan for dynamic work and how we'll design, run, and secure our offices of the future. There has never been a better — or more crucial — time for security leaders to have a seat at the decision-making table.

Look to Hire Globally and Expand the Team
CISOs can also make a more strategic impact when it comes to intentional hiring during this time. As we start to break down preconceptions about the effectiveness of working remotely, we'll start to see a movement toward hiring in any location and seeking out candidates with a much broader, more diverse set of experiences and skill sets. 

According to the Cybersecurity Workforce Gap report, by 2022, the global cybersecurity workforce shortage is projected to reach more than 1.8 million unfilled positions. By pushing their organizations to consider a new global, remote pool of talent, CISOs can confront this security skills and talent shortage while further closing the diversity gap in the cybersecurity industry overall.   

While CISOs faced many barriers to overcome in early March during the shift to fully remote work, they've also encountered many opportunities to more strategically collaborate and think about long-term security success. I like to visualize the notion of keeping a hand in strategy with a foot firmly planted on the ground. For me, this means I'm heavily engaged in a dialog with my executive team and leading from the top while also remaining deeply connected with what is happening day in and day out with my own team. Getting that balance right is one of the biggest challenges security leaders face as we deal with the implications of COVID-19. CISOs have a new opportunity to lead with change — not chase it — and fundamentally shift the way in which companies secure their operations and deliver fully digital experiences.


David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. In addition, he is instrumental in helping ...
User Rank: Apprentice
9/8/2020 | 2:00:01 AM
Cisco's threat policy
Even though many countries have taken measures over getting cyber security, many are still being ruined by them; this makes Cisco take good measures.