Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

9/19/2018
04:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
0%
100%

As Tech Drives the Business, So Do CISOs

Security leaders are evolving from technicians to business executives as tech drives enterprise projects, applications, and goals.

The tasks topping the CISO's to-do list are slowly shifting, as their core priorities transition from primarily technical expertise to securing business applications and processes.

It's the key takeaway from a new report, conducted by Enterprise Strategy Group (ESG) and commissioned by Spirent, on how CISO responsibilities are shifting as cybersecurity becomes more complex. Researchers polled 413 IT and security pros with knowledge of, or responsibility for, the planning, implementation, and/or operations of security policies and processes.

"There's a transition from a technology focus to a business focus," says Jon Oltsik, ESG senior principal analyst. "And that doesn't preclude the oversight of technology, but the technology is sort of guided by business initiatives, business applications, business goals, things like that."

About 80% of experts say security knowledge, skills, operations, and management are more difficult now compared with two years ago. They attribute the complexity to growth in the number and sophistication of malware, IT projects, targeted attacks, and connected devices.

Nearly all (96% of) respondents say the CISO's role has expanded, and the primary driver of their prominence is increasing difficulty of protecting enterprise data. Nearly 80% point to malware as the primary reason, and many claim between 80-90% of malware attacks target a single device, and 50-60% of malicious Web domains are active for one hour or less.

Organizations are increasingly digital and cyberattackers are taking precise aim to poke holes in their defenses. Oltsik calls it "death by a thousand cuts". CISOs have seen breaches and regulations increase as more people realize the business is driven by tech. "Regardless of what business you're in or process you're talking about, there's an IT underpinning," he notes.

CISOs are becoming part of more board-level discussions to prevent breaches.

"There's a real shift from reactivity to proactivity," says Oltsik. In the past, companies built their defenses and hoped nothing bad would happen. When something eventually did happen, their responses were poorly organized, inefficient, and took a long time to put into practice. What's more, responses were tech-oriented – not business oriented. The answer to compromise was "let's fix the system" and not, "how do we fix the business," he explains. Now, this has changed.

The CISO's Growing To-Do List

How the CISO's responsibilities change depends on the size of the organization, he continues. In a smaller organization they'll be more involved with technology; less so in a larger enterprise.

"They're being asked to participate in board-level meetings, business planning meetings," Oltsik says of CISOs who manage within larger organizations. Especially in larger companies, the CISO is moving more toward business skills and away from technical skills.

Business leaders used to ask the CISO what controls they needed; now they want security embedded in business planning and application development. "You want security expertise in the operations groups, you want that in development groups, you want that in each component of operations, including the cloud," he adds.

CISOs also have a responsibility to convey security data to business professionals, adds Amie Christianson, director of Operations Application Security at Spirent. High-level executive summaries help board members understand the threats affecting their business.

She uses a medical example. "When I get my lab results, I want to see at a high level what they are, and am I within a certain range," she explains. "And that gives me peace of mind." A doctor might see more details and act differently on the data, but a summary tells her everything she needs to know about her health. The same applies for CISOs and security summaries.

More Projects, More Problems

The increase in corporate IT projects is the second-biggest driver of complexity, researchers found, and projects related to IoT and cloud make security a greater challenge. Oltsik says he's seeing more digital transformation applications, more IoT apps, more social media use, and greater reliance on mobile devices and applications.

Business processes and initiatives "are happening at a faster pace than they did in the past; they're being done in an agile manner," he continues. Applications have gone from six-month release cycles to multiple releases per day, and all of that affects security. Security teams used to plan for risk assessments and controls every few months; now, it's every day.

When they face a new project, CISOs who have responsibility from the get-go can address security at the beginning and continuously test it throughout development. Most (86% of) respondents agree integrating security in project planning can lessen the likelihood of a breach, and 79% agree businesses should more frequently test security controls.

As security budgets continue to grow – and researchers found they will among 92% of respondents – businesses are shifting their spending from point tools to more integrated architectures. Professional and managed services are becoming popular as CISOs realize they lack the staff to handle the many security tasks they're assigned.

As for outsourcing, "pedestrian areas" like email security and Web security are the first to leave the business, says Oltsik. While these are the most frequently outsourced, he says he's beginning to explore the implications of using outside firms for threat detection and response.

Ultimately, he anticipates, we'll see the role of the CISO split in two: a chief business security officer, who focuses on the enterprise, and a chief technical security officer who focuses on the systems. Christianson agrees: as security becomes part of the risk conversation, the business-focused CISO will be required to communicate with risk and compliance officers.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7201
PUBLISHED: 2019-05-22
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.
CVE-2018-7803
PUBLISHED: 2019-05-22
A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex TriStation Emulator V1.2.0, which could cause the emulator to crash when sending a specially crafted packet. The emulator is used infrequently for application logic testing. It is susceptible to an attack...
CVE-2018-7844
PUBLISHED: 2019-05-22
A CWE-200: Information Exposure vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause the disclosure of SNMP information when reading memory blocks from the controller over Modbus.
CVE-2018-7853
PUBLISHED: 2019-05-22
A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when reading invalid physical memory blocks in the controller over Modbus
CVE-2018-7854
PUBLISHED: 2019-05-22
A CWE-248 Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a denial of Service when sending invalid debug parameters to the controller over Modbus.