After recently serving as the chief information security officer (CISO) for the state of Maryland, I know, firsthand, the vital role cybersecurity can play in helping the government deliver critical services to its constituents and the risk to their lives if those services are disrupted. Today's CISOs, both commercial and public sector, are facing a number of challenges.
First, the No. 1 challenge is the workforce shortage. There aren't enough qualified and well-trained personnel to fill the demand. Tools can become forced multipliers and bridge the capability gaps inside an organization.
The second challenge is the inability to tell a compelling story that supports continuing funding of security tools. As a CISO, you need to be able to go to a board or an executive and offer a "Let me tell you why this investment is good for the organization" that resonates with the person that hears the story. Metrics around every tool, every program, and more are key elements to be shared.
The third challenge is the rate of change in the current technology ecosystem. While new technologies such as ChatGPT and AI are quickly becoming productivity accelerators for security analysts and other users, adversaries have access to the same tools and are learning how to leverage them for malicious purposes. Yet today, the potential benefits of these tools outweigh their potential risks, with the proper user education and governance in place, which we will discuss later in this piece.
Learn to Embrace Change
To counter these challenges, CISOs first must learn to embrace change.
So, how do we solve the problem of the workforce shortage? A big part of the solution comes with embracing recent technology in safe and considerate ways. For a long time, I've seen a lot of CISOs resistant to anything that introduced risk into an organization — a new capability, a new user experience, etc. Yet CISOs who were "Doctor N-O" lost credibility with executives and boards.
While this is a long-standing challenge, I've seen the tide turn over the past four or five years, especially when COVID happened. Just the nature of the event necessitated dramatic change in organizations. During the pandemic, CISOs who said "no, no, no," lost their place in the organization, while those who said yes and embraced change were elevated.
Today we're hitting an inflection point where organizations that embrace change will outpace the organizations that don't. Organizations that don't will become the low-hanging fruit for attackers. We need to adopt new tools and technologies while, at the same time, we help guide the business across the fast-evolving threat landscape.
Speaking of new technologies, I heard someone say AI and tools won't replace humans, but the humans that leverage those tools will replace those that don't. I really like that — these tools become the "Iron Man" suit for all the folks out there who are trying to defend organizations proactively and reactively. Leveraging all those tools in combination with great intelligence, I think, enables organizations to outpace the organizations that are moving more slowly and many adversaries.
Our next biggest challenge is making sure our workforce continues to develop because every day that goes by, every innovative technology that comes out, that rate of change is increasing, and people learn generally in a very linear fashion. We need to address: how do we accelerate our team to learn more, learn faster, to continually develop? Fortunately, there are an increasing number of resources on AI. For example, AI, combined with threat intelligence, will help security teams identify the most critical signatures and signals so action can be taken quickly. Remember, it's not enough to say "we're blocking 8 million threats, or the EDR detected 6,000 potential attacks" — it's about picking out that one serious threat out of that sea of noise.
Time-to-detect to time-to-respond is narrowing. Threat intelligence, automation, and AI are the core components to reduce that gap. Today's modern SOC requires more automated security tasks. With automation, fewer people are needed, more value can be extracted from security tools and, as a result, security spending goes down.
Finally, security vendors must do their part, too. In the past, organizations were sold software and owned it forever. With the security vendors moving to subscription-based software sales, we've transitioned to a point where every year's software sale is a new sale. Security vendors, just like technology vendors, can no longer rest on their laurels. They need to continue to innovate, demonstrate value, and differentiate themselves at a rate of change faster than their competitors and today's cyber adversaries would use against them.