Vulnerabilities / Threats

8/31/2020
10:00 AM
Marc Wilczek
Commentary

From Defense to Offense: Giving CISOs Their Due

In today's unparalleled era of disruption, forward-thinking CISOs can become key to company transformation -- but this means resetting relationships with the board and C-suite.

After polling almost 1,300 organizations, EY found that only 36% of organizations take cybersecurity into account when planning new ventures. In its "Global Information Security Survey 2020," the firm reports that the uptick in activist attacks — which the report pegs as the second-most common source of significant or material breaches — illustrates why cybersecurity needs to be part of every aspect of the business. CISOs who aren't frequently interacting with senior company leaders will likely be overshadowed, potentially resulting in the launch of new products or services that are vulnerable to cyber threats.

Unfortunately, CISOs aren't there yet, and cybercrime increases by the day. According to EY, six in 10 organizations have weathered a significant cyber incident in the past 12 months, and 48% of boards suspect that cyberattacks and data breaches will affect their business in the coming year. About 21% of the attacks were traced to "hacktivists" — tech-savvy political and social activists — who are second only to organized crime (23%).

Boards Still Working in the Dark
Most boards understand that they need to pay closer attention to cybersecurity. This fact was underlined in the EY report, which indicates that 72% of boards see cyber-risk as "significant." Moreover, CEOs expect widespread corporate cyberattacks will pose the biggest threat to the global economy over the next decade.

But while boards acknowledge cyber-risk exists, just about half (52%) of respondents say that their board is fully up to speed on the nature of those risks. Further, 43% say their board doesn't fully appreciate the value and needs of the cybersecurity team. This should not startle anyone because in 60% of organizations the cybersecurity chief has no official board or executive management role, and only 54% of organizations make cybersecurity a regular item on the board agenda. A mere 32% of security leaders discuss strategic issues and drive change with the board.

This scenario needs to change — but how? A good start would be for CISOs to reconsider the way they communicate with their boards. For example, in the EY report, only a quarter of the respondents could put a dollar figure on the value of their cybersecurity spending in addressing critical business risks.

Cybersecurity Remains an Afterthought
Because activists are waging cyberattacks and digital transformation is now driving the business agenda, the cybersecurity department can't continue to play its traditional reactive role. It has to be on the offensive.

As mentioned earlier, only 36% of the EY respondents say their cybersecurity team plays a part in planning new business initiatives. Instead, the security team should be an integral member of the product planning team rather than being summoned later. EY calls this "Security by Design," where cybersecurity is a central consideration right from the get-go of any new project. If security protection is continually treated as a product retrofit, the result will be expensive, less-than-perfect solutions and clunky implementations. Today, when almost every organization is revising its products, services, operational processes, and organizational structures to align with the realities of digital business, treating cyber threats as an afterthought during product development is a nonstarter.

That said, organizations have a long way to go. The EY report shows they are spending on business as usual, not on new initiatives. In fact, some 17% of organizations spend 5% or less of their cybersecurity budget on new initiatives; 44% spend less than 15%. And while artificial intelligence — currently the best way to combat cyberattacks — is playing a bigger part in organizational decision-making, operations, and customer communications, only 5% cite an increased focus on artificial intelligence.

Agents of Transformation
CISOs are now in a position where they must — somehow — reinvent how they work and how they are perceived within their organizations. Historically, they have been the company's risk-averse first line of defense against cyberattacks, and they have been viewed as such. But this state of affairs needs to evolve.

"CISOs cannot afford to be seen as blockers of innovation; they must be problem-solvers," says Kris Lovejoy, EY Global Advisory Cybersecurity Leader, in EY's report. "The way we've organized cybersecurity is as a backward-looking function, when it is capable of being a forward-looking, value-added function. When cybersecurity speaks the language of business, it takes that critical first step of both hearing and being understood. It starts to demonstrate value because it can directly tie business drivers to what cybersecurity is doing to enable them, justifying its spend and effectiveness."

But do current CISOs have the right skills and experience to work in this new way and serve in a more proactive and forward-thinking role? That's an open question, and the answer will probably demand a new breed of CISO whose job is not driven mainly by threat abatement and compliance. In addition to technical skills, the new CISO will need commercial knowhow, solid communication skills, and the ability to work collaboratively.

Living up to this new job description will require the cybersecurity leader to adapt to new modes of working. It'll be disruptive in the short term, but worth it. It's an opportunity for cybersecurity to become an essential business partner at the core of the organization's value chain, one that leads transformation and continually demonstrates its value.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ...
Comments
Marc Wilczek,
User Rank: Author
9/2/2020 | 2:00:31 PM
Re: The best defense is a good offense...Vince Lombardi
Many thanks, that's great to hear! :-)
gegawe,
User Rank: Apprentice
9/2/2020 | 6:45:24 AM
Re: The best defense is a good offense...Vince Lombardi
I must say that overall I am really impressed with this blog. It is easy to see that you are impassioned about your writing.
RichardM23501,
User Rank: Apprentice
9/1/2020 | 4:02:02 PM
Re: The best defense is a good offense...Vince Lombardi
I see.

I assumed anyone having forward-looking behaviours and problem solving skills would in fact be a strategic leader.

A nuance, I suppose.

Watch for my response on LI.

Best.
Marc Wilczek,
User Rank: Author
9/1/2020 | 2:00:43 PM
Re: The best defense is a good offense...Vince Lombardi
First of all, thanks Richard! Great to hear that you like the article.

I entirely agree with you as far as your second statement goes. However, whether a CISO is regarded as a strategic leader has - in my opinion - more to do with attitude and behavior than a corporate title. That's also what I wanted to stress in my article concerning the need for CISOs to hone their problem solving skills and become more forward-looking.
RichardM23501,
User Rank: Apprentice
9/1/2020 | 1:03:39 PM
The best defense is a good offense...Vince Lombardi
Good article Marc,

This statement says it all: "CISOs who aren't frequently interacting with senior company leaders will likely be overshadowed...

- IF a CISO is not regarded as a strategic leader, the struggle to add value to the company bottom line will be an uphill battle.

It is certainly incumbent on the CISO to continuously educate the board and senior leadership that Infosec is a facet of Risk Management. When CISO activities are quantified in terms of risk avoidance and potential loss, the board will begin to understand. Regulation and compliance are driving companies to participate in cybersecurity more and more, some REQUIRING named senior cybersecurity leadership roles.

CISOs have got to be in the game to win.
