8/27/2020, 10:00 AM
David Bradbury
Commentary

How CISOs Can Play a New Role in Defining the Future of Work

Rather than just reacting to security issues in the COVID-19 era, CISOs are now in a position to be change agents alongside their C-suite peers.

When the COVID-19 pandemic began, every CISO across every industry scrambled to get their teams up and running. When we left our physical office space, we left our traditional security strategy behind with it. The theme of remote security has stayed top of mind since March: Cybersecurity experts correctly predicted that cybercrime in a virtual workforce would be a central topic at the recent Black Hat conference, and CISOs have had to rethink 2020 strategy with remote work leading the way.

While the initial remote shift opened the floodgates for many challenges, it also opened pathways to longer-term strategic opportunities for CISOs. Rather than behaving as "reactors" to security issues and taking a back seat in leadership compared with their C-suite peers, CISOs are now in a position to be change agents. During these unprecedented times, they must pave the way toward securely enabling the future of work and digital experiences, and think through every potential future threat scenario.

CISOs have been waiting to prove their worth — and now is the perfect time to do so. Here are four ways they can successfully lead with change and act as more strategic C-level partners.

Carve Out More Time with C-Suite Stakeholders
CISOs and CSOs typically come from a technology background, like me — they usually have a computer science, engineering, or security degree, where there is little emphasis on topics like leading organizational change. The COVID-19 pandemic has introduced roadblocks nobody has ever encountered before, and the CISO has had to weigh in regularly on the security side as broader organizational decisions are discussed. The past few months have challenged CISOs of every type of experience and background to join the executive ranks and collaborate more closely with C-suite decision-makers.

For me, this has meant carving out time for more frequent meetings with executives I'd typically only meet with on strategy every couple of weeks. I'm spending more time with my engineering and IT leaders to securely enable our workforce, and I'm also spending more time with our CEO to discuss cyber-risks as they evolve with COVID-19 — specifically, what that means not just for ourselves but also our customers. When I first started a few months ago, I met with him every day for one hour to talk to him about what we should be prioritizing on the security front. Our time was spent discussing the immediate needs and actions that we needed to take as a company, but importantly, we spent a great deal of our time dedicated to looking at how we can leverage our shared experiences to better protect and enable our customers in an ever-increasing threat environment.

Shift Focus from Your Team to the Company as a Whole
While a CISO's day-to-day role before the pandemic might have been centered primarily on initiatives tied to his or her own team, now every CISO has to broaden that scope and get involved with every team across the organization. A CISO's vision is always to create a culture of security across the organization, and over the past few months, working with customer-facing and other critical frontline teams on specific security measures has surfaced as an undeniably critical priority.

Depending on the size and nature of your company, this might mean taking time to learn about new roles and getting more deeply ingrained in other teams' responsibilities to understand how the CISO can play a bigger part. I myself am spending time working with a number of teams outside of security, from customer service to sales and the field, to support how we deliver services for a remote-work world. As this environment continues to change and remote work becomes permanent, collective action and cross-collaboration must happen to instill security across the entire organization.

Balance Remote Work Vulnerabilities with Transformational Change
The hardest challenge for many CISOs right now is balancing the influx of remote work threats with the need to focus on long-term strategic goals. With remote workers using more tools, apps, and technologies than ever before, we've had to ensure security remains at the forefront and that our employees take time to slow down and consider the security implications of every new technology deployed. At the same time, CISOs need to stay one step ahead and consider how they can play a leading role in changing frontline technology services that facilitate improvements to both workers and customers. 

No matter how many urgent remote work vulnerabilities arise, CISOs must maintain a focus on what comes next. I'm juggling new inbound and quick-turn needs that arise every day but also collaborating with the executive team on our plan for dynamic work and how we'll design, run, and secure our offices of the future. There has never been a better — or more crucial — time for security leaders to have a seat at the decision-making table.

Look to Hire Globally and Expand the Team
CISOs can also make a more strategic impact when it comes to intentional hiring during this time. As we start to break down preconceptions about the effectiveness of working remotely, we'll start to see a movement toward hiring in any location and seeking out candidates with a much broader, more diverse set of experiences and skill sets. 

According to the Cybersecurity Workforce Gap report, by 2022, the global cybersecurity workforce shortage is projected to reach more than 1.8 million unfilled positions. By pushing their organizations to consider a new global, remote pool of talent, CISOs can confront this security skills and talent shortage while further closing the diversity gap in the cybersecurity industry overall.   

While CISOs faced many barriers to overcome in early March during the shift to fully remote work, they've also encountered many opportunities to more strategically collaborate and think about long-term security success. I like to visualize the notion of keeping a hand in strategy with a foot firmly planted on the ground. For me, this means I'm heavily engaged in a dialog with my executive team and leading from the top while also remaining deeply connected with what is happening day in and day out with my own team. Getting that balance right is one of the biggest challenges security leaders face as we deal with the implications of COVID-19. CISOs have a new opportunity to lead with change — not chase it — and fundamentally shift the way in which companies secure their operations and deliver fully digital experiences.


David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization, and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. In addition, he is instrumental in helping ...
Comments
@rya (User Rank: Apprentice), 9/8/2020, 2:00:01 AM
Cisco's threat policy
Even though many countries have taken measures over getting cybersecurity, many are still being ruined by them; this makes Cisco take good measures.