Dark Reading is part of the Informa Tech Division of Informa PLC


3 Things Every CISO Wishes You Understood

Ensuring the CISO's voice is heard by the board will make security top of mind for the business, its employees, and their customers.

CISOs in the security industry hold a unique position: as security leaders, they have the influence and access to purchase products and make decisions that can drastically affect the security posture of an organization. They are also expected to fall on their sword in the event of a security incident going public. 

But the role of the CISO is as diverse as it is dynamic, varying massively depending on the organization, and is a role that's constantly in flux. Here are three things that every CISO wishes you knew.

The CISO's Role Is Changing Before Our Eyes
When the need for a security leader first appeared, as computing and the use of the Internet became widespread, that leader was something of an isolated figure. The role was viewed by other members of the business as a subject matter expert, there to put out fires and deal with security concerns in a self-contained manner. The less that other areas of the business heard from the CISO, the better.

In the 18 years I have been working in security, this relationship has changed drastically, in line with how security has evolved. Now it is common to see data breaches making headlines, affecting share prices, and causing high-profile board member resignations. 

As such, we're starting to see a trend where CISOs report directly to the CEO in order to keep them informed of security concerns. This position moves security leaders out of the realms of a trusted subject-matter expert into a much more complex role within the business ecosystem: a risk adviser. This role can often make the CISO's job much more politically sensitive. For example, a CISO might have to report weaknesses or vulnerabilities, which would fall under the CIO's remit, and therefore have the potential to create friction at an executive level. This is why I think it's so important that the CISO has a direct and unfiltered line of communication to the CEO so that politics are left out of decisions that need to be made purely with risk prevention in mind.

In addition, by elevating the visibility and importance of a company's cybersecurity program, security practitioners are empowered to take responsibility not just for technology decisions (what's the best way to address a specific requirement) but also to problem-solve to reduce risk and increase long-term performance and growth. Business controls, user policies, and supplier assessments all contribute to creating a best-practices cybersecurity program that supports the entire business ecosystem.

CISOs Are Capable of Helping Other Areas of Business Function
The increasing importance of security to wider business concerns has provided CISOs with ample opportunity to help in other areas of the business. For example, the CISO can provide insight into best practices to assist customers with configuring their own security systems. This is especially important if the customer in question has not reached a level of maturity where they have a CISO of their own. This advisory role can be crucial in fostering, maintaining, and developing good working relationships with customers, and can even help to generate fresh streams of revenue for the business.

This is of particular importance to CISOs working at security companies: Being able to impart the technical knowledge of the product as both a practitioner and a salesperson can be invaluable. CISOs can also be extremely useful in the "soft power" they can offer their company, as company spokespeople, public spokespeople, and influencers. 

Questions of Ethics and Technology Are More Important Than Ever
Although the role of the CISO has undergone significant diversification in recent years, one facet of the role remains: CISOs are security practitioners, directly involved on the front lines of defending organizations from threat actors.

Considering this purist view of what a CISO does, it's of paramount importance that questions of ethics remain at the forefront of conversations around new and emerging technology. As the pace of technology development grows exponentially, we are provided with a plethora of new technologies to protect our corporate environments. 

However, every new tool, defensive method, or technique developed by defensive security teams is also accessible to threat actors: Creating an artificial intelligence or a machine learning product to defend from threats will conversely provide black hats with the same technological opportunities for attack that we are provided for defense, elevating and escalating the battle even further. This is of particular concern when considering the extremely well-funded criminal and nation-state organizations, for whom cybercrime has become a key operational priority. 

This possibility of reverse engineering needs to be considered during the development of these technologies, with industry and expert consultation, as well as regulatory frameworks in place. Technology does not have any morals, or allegiances, and can be deployed by anyone, regardless of their motives.

When I first started in security, only the smartest hackers would be able to get access to tools that would allow them to take advantage of systems or people. Now there's a whole underground economy and anyone can go buy a botnet or get some ransomware and leverage it. It's so accessible, and that's a really big issue. For security practitioners, this means that any decision to deploy innovative new technology, even if it appears to be the best tool for their needs, must also consider how hardened, or secure, this new solution is from reverse engineering by external attackers.  

The issues of cybercrime are not going away and will become increasingly more important in the coming years. This means that the role of the CISO, or other technology leaders, needs to be elevated in accordance with the importance of the role. While the role of the CISO is one that is subject to almost constant change, ensuring that they have a voice within the business and the security community more widely will help ensure the position remains relevant. The CISO is still the person in the best position to protect enterprises and individuals alike from the ever-expanding threat landscape.

Vanessa Pegueros is the Chief Trust & Security Officer at OneLogin, an IDaaS (Identity as a Service) provider, where her responsibilities include enterprise security, compliance, privacy and IT. Vanessa also serves on the Audit Committee of the Boeing Employee Credit ...

7/6/2021 | 8:53:41 PM
CISOs have way more responsibility than many might think. This article really shows that!