3 Things Every CISO Wishes You Understood

Ensuring the CISO's voice is heard by the board will make security top of mind for the business, its employees, and their customers.

CISOs in the security industry hold a unique position: as security leaders, they have the influence and access to purchase products and make decisions that can drastically affect the security posture of an organization. They are also expected to fall on their sword in the event of a security incident going public. 


But the role of the CISO is as diverse as it is dynamic, varying massively depending on the organization, and is a role that's constantly in flux. Here are three things that every CISO wishes you knew.

The CISO's Role Is Changing Before Our Eyes
When the need for a security leader first appeared, as computing and the use of the Internet became widespread, that leader was something of an isolated figure. The rest of the business viewed the role as a subject-matter expert, there to put out fires and deal with security concerns in a self-contained manner. The less that other areas of the business heard from the CISO, the better.

In the 18 years I have been working in security, this relationship has changed drastically, in line with how security has evolved. Now it is common to see data breaches making headlines, affecting share prices, and causing high-profile board member resignations. 

As such, we're starting to see a trend where CISOs report directly to the CEO in order to keep them informed of security concerns. This moves security leaders out of the realm of trusted subject-matter expert into a much more complex role within the business ecosystem: that of risk adviser. It can also make the CISO's job much more politically sensitive. For example, a CISO might have to report weaknesses or vulnerabilities that fall under the CIO's remit, with the potential to create friction at an executive level. This is why I think it's so important that the CISO has a direct and unfiltered line of communication to the CEO, so that politics are left out of decisions that need to be made purely with risk reduction in mind.

In addition, by elevating the visibility and importance of a company's cybersecurity program, security practitioners are empowered to take responsibility not just for technology decisions (what's the best way to address a specific requirement?) but also for solving problems in ways that reduce risk and increase long-term performance and growth. Business controls, user policies, and supplier assessments all contribute to a best-practices cybersecurity program that supports the entire business ecosystem.

CISOs Are Capable of Helping Other Areas of Business Function
The increasing importance of security to wider business concerns has given CISOs ample opportunity to help in other areas of the business. For example, the CISO can offer best-practice guidance to assist customers with configuring their own security systems. This is especially important if the customer in question has not reached a level of maturity where they have a CISO of their own. This advisory role can be crucial in fostering, maintaining, and developing good working relationships with customers, and can even help to generate fresh streams of revenue for the business.

This is of particular importance to CISOs working at security companies: Being able to impart technical knowledge of the product as both a practitioner and a salesperson can be invaluable. CISOs can also be extremely useful in the "soft power" they offer their company, acting as company spokespeople, public speakers, and influencers.

Questions of Ethics and Technology Are More Important Than Ever
Although the role of the CISO has diversified significantly in recent years, one facet of it remains: CISOs are security practitioners, directly involved on the front lines of defending organizations from threat actors.

Given this purist view of what a CISO does, it is of paramount importance that questions of ethics remain at the forefront of conversations around new and emerging technology. As the pace of technology development accelerates, we are provided with a plethora of new technologies to protect our corporate environments.

However, every new tool, defensive method, or technique developed by defensive security teams is also accessible to threat actors: Creating an artificial intelligence or machine learning product to defend against threats also provides black hats with the same technological opportunities for attack that it gives us for defense, escalating the battle even further. This is of particular concern when considering extremely well-funded criminal and nation-state organizations, for whom cybercrime has become a key operational priority.

The possibility that a defensive technology will be reverse engineered and repurposed needs to be considered during its development, with industry and expert consultation as well as regulatory frameworks in place. Technology has no morals or allegiances, and can be deployed by anyone, regardless of their motives.

When I first started in security, only the most skilled hackers could get access to tools that would let them take advantage of systems or people. Now there's a whole underground economy, and anyone can buy a botnet or obtain some ransomware and leverage it. It's so accessible, and that's a really big issue. For security practitioners, this means that any decision to deploy an innovative new technology, even if it appears to be the best tool for their needs, must also consider how hardened, or secure, that new solution is against reverse engineering by external attackers.

The issues of cybercrime are not going away and will become increasingly important in the coming years. This means that the role of the CISO, or other technology leaders, needs to be elevated in accordance with the importance of the role. While the role of the CISO is subject to almost constant change, ensuring that CISOs have a voice within the business and the wider security community will help ensure the position remains relevant. The CISO is still the person in the best position to protect enterprises and individuals alike from the ever-expanding threat landscape.

Vanessa Pegueros is the Chief Trust & Security Officer at OneLogin, an IDaaS (Identity as a Service) provider, where her responsibilities include enterprise security, compliance, privacy and IT. Vanessa also serves on the Audit Committee of the Boeing Employee Credit ...

Comments

7/6/2021 | 8:53:41 PM
CISOs have way more responsibility than many might think. This article really shows that!