Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

CISOs Share Their 3 Top Challenges for Cybersecurity Management

The biggest dilemmas in running a modern cybersecurity team are not all about software, said CISOs from HSBC, Citi, and Sepio.

Diverse business team sitting in open office brainstorming ideas for upcoming project
Source: Cameron Prins via Alamy Stock Photo

Managing risk on a global scale has always been challenging, but in light of the COVID-19 pandemic, CISOs have had to become even more agile. The shift to hybrid work, the rapid deployment of cloud applications, and the move to continuous integration and continuous development (CI/CD) have emboldened threat actors with new and broader targets.

Meanwhile, the number of devices and endpoints on organizations' networks has increased exponentially. Two veteran CISOs lamented the challenges that these changes have imposed during a webinar last week organized by Sepio, an asset detection and risk management startup. Sepio CISO Ilan Kaplan moderated an hour-long discussion with HSBC CISO Monique Shivanandan and Carl Froggett, who was CISO at Citi for 17 years before joining startup Deep Instinct last summer as CIO.

Shivanandan and Froggett shared with Kaplan what they see as three of the most significant challenges the rapidly changing cybersecurity and risk landscape presents.

1. Maintaining Visibility of All Network Assets

Cybersecurity professionals have historically struggled to gain complete visibility into what's on their networks and threats directed at them. Froggett noted that newer cloud-native technologies, such as container-based applications and software-as-a-service (SaaS), offer better visibility than traditional software because modern apps were built to be more secure.

But overshadowing that benefit is the sheer scale of all the components associated with modern applications.

"An asset used to survive five, six, seven years, or longer if you include the underlying operating systems, whereas now the lifetime of the container can be measured in seconds or maybe minutes," Froggett said. That creates "a whole new set of [visibility] challenges from that perspective."

Shivanandan noted that traditional methods of capturing inventories, keeping them up to date, and tracking them were predicated on the notion of adding assets to a network manually. But with modern applications, that doesn't work, she said, because of the scale and the speed by which devices and software are deployed.

"One of the biggest challenges that every CIO and every CISO faces is having that visibility and making sure that visibility is up to date," Shivanandan said.

2. Avoiding New Risks When Adding Apps

Besides addressing the mounds of existing regulatory risks and the current threat landscape, security teams must also avoid being the source of new risks. Asked how they ensure that, Shivanandan said that, while reviewing the source code of every component added to the infrastructure is impossible, HSBC has rigorous processes around onboarding a new technology, which includes "a lot of pen testing and red teaming."

"Unfortunately, with the number of parties we have, we cannot do it for everyone," she added. "We do it for a select few." The problem is "every software change and every new release can knowingly or unknowingly introduce something new. It's a constant battle that we're facing."

Froggett said that Citi has strict processes around onboarding new technology, including pen testing and red teaming, but with the current release cadences, enforcement has become challenging. "Ultimately, you can't usually do source code reviews" of everything that comes in, he said.

3. Recruiting and Retaining Skilled Talent

The shortage of experienced cybersecurity specialists is nothing new, but Shivanandan said it remains one of her top challenges. "All the technology in the world is only as good as the people there to make sure that we install [everything] correctly and keep it up to date," she said.

Despite considerable progress, Shivanandan said it remains difficult for women to break the glass ceiling. She said she believes that men have an outsized presence in senior cybersecurity roles compared with the entire IT industry.

"When you start out at the lower levels, there's [an] equal [proportion of] men and women, 50-50, sometimes even 60-40 women," she said. "Then, as you go through the progression, the women drop out and the men continue to progress from a seniority level."

Nevertheless, women face fewer barriers today compared with when she started out, Shivanandan said. "When I was starting out, they wanted to pat you on the head and say, 'Dear, don't worry your pretty little head. I'll take care of technical things.' But not anymore," she said. "There's no ceiling for a woman to get into any position now. It's a matter of just perseverance."

Shivanandan considers herself fortunate at HSBC, where 40% of her leadership team is women. "The women and the men are both fantastic, and that's the thing that you really want to look for," she said.

During Froggett's nearly 25 years at Citi, most of his bosses were women, he said. "The job's not done for sure, but there is definitely more of a balance [than what] I saw five or 10 years ago."

Shivanandan emphasized that creating a diverse team goes beyond gender. A large portion of her team are neurodiverse, she said. According to research, an estimated 15% to 20% of people have some form of neurodivergence, such as autism, attention deficit hyperactivity disorder (ADHD), mental health conditions, or learning disabilities.

Those conditions are often assets: "That's what makes them fabulous in the job," Shivanandan said. "[But] I think that's probably harder to overcome from a career progression standpoint, from a leadership versus a technical perspective."

About the Author(s)

Jeffrey Schwartz, Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights