Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

3/23/2020
10:00 AM
Mike Convertino
Mike Convertino
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

From Zero to Hero: CISO Edition

It's time for organizations to realize that an empowered CISO can effectively manage enterprise risk and even grow the business along the way.

Traditionally, CISOs have borne the brunt of blame for cyber events that affect an organization. Because CISOs are the leaders in charge of data security, any breach has been seen as a mistake on their part and consequences doled out accordingly. However, as companies' understanding of cybersecurity has evolved, this is starting to change in fundamental ways; today's CISO faces an unprecedented opportunity to be hailed as a hero, rather than condemned as a villain, in the aftermath of a cyberattack.

Case in point: A few years ago, a security event erupted inside a security vendor's own internal network. The internal security team was using the company's own products, and the CISO had been granted access and permissions to modify the products' code locally along with other resources to adapt them to his own use. When the attack occurred, the modifications he and his team had made were the difference between a large-scale, publicly reportable event and a significantly smaller incident that was entirely manageable.

During the incident, the security teams responded alongside product development teams and explained to developers how the attack worked, along with the modifications they'd made that helped stop the attack. In tandem, the CISO was briefing the C-suite and board regularly, including how the depth and breadth of product modifications made by the security team made a difference. Specifically, he explained how the company's products were modified to block attacker communications and how the products were made to interface with security products from other companies to enhance the speed of the blocks.

Rather than blame, second-guess, or threaten the CISO with his job, development executives praised the security team's product innovations to those in the C-suite, who then pulled the CISO into a larger product development role that ultimately increased business.

What It Takes to Be a Modern CISO
While this template may not necessarily be repeatable across industry sectors, it helps illustrate some important shifts in how companies behave after a major security incident

With new attacks forming faster than the technologies to fight them, holding CISOs to an entirely unrealistic standard doesn’t actually serve anyone. The truth is that no matter how many technologies are deployed or how good the security posture is, 100% protection from cyberattacks is simply not possible. Perhaps senior leadership and boards of directors are finally starting to acknowledge this fact, or perhaps they're starting to realize that a successful response to an attack, along with actions by other parts of the organization, contribute to the ultimate scale and scope of the event.

CISOs are uniquely capable of gauging cyber-risk and how to reduce it. Experienced CISOs understand the threats their companies face and know how to deploy the optimal mix of people, processes, and technologies, weighed against threats, to provide the best possible level of protection. Organizations that understand this are leading the charge in shifting the perception of the CISO from technical manager to strategic risk leader.

Given this shift in industry and perception, it's only a matter of time before CISOs' skills and expertise — along with their well-managed team — will be needed to prevent disaster. When that moment occurs, however, the difference between success and failure lies in the degree to which they've been empowered by the organization to take the necessary steps — before, during, and after an attack.    

What Do Empowered CISOs Look Like?
First, they have strong social support within their organizations. They are involved in decision-making that affects overall security across the enterprise.

Second, they have authority over the cyber-risk management budget, including insurance, as well as overseeing response and recovery efforts. CISOs typically have to coordinate many parties when an attack hits, including outside counsel, insurance providers, incident response contractors, and infrastructure recovery contractors. Having responsibility without budget or authority is a recipe for failure at a critical time.

Finally, the board and senior leadership recognize that no solution for cyber threats is perfect, and an increase in attack frequency means that eventually one will succeed. They understand that blaming the CISO after a cyber incident is unfair and deprives the organization of an opportunity to learn from the experience, with a professional who is best positioned to make the company safer in the future.

As the tide of perception continues to shift in favor of today's CISO, it's important to remember that empowering the role with support, authority, and resources can make all the difference to your organization's unsung CISO hero.

Related Content:

 

Mike Convertino is the chief security officer at Arceo.ai, a leading data analytics company using AI to dynamically assess risk for the cyber insurance industry. He is an experienced executive, leading both information security and product development at multiple leading ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11509
PUBLISHED: 2020-04-07
An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows remote attackers to upload page templates containing arbitrary JavaScript via the c37_wpl_import_template admin-post action (which will execute in an administrator's browser if the template is used to create a page).
CVE-2020-6647
PUBLISHED: 2020-04-07
An improper neutralization of input vulnerability in the dashboard of FortiADC may allow an authenticated attacker to perform a cross site scripting attack (XSS) via the name parameter.
CVE-2020-9286
PUBLISHED: 2020-04-07
An improper authorization vulnerability in FortiADC may allow a remote authenticated user with low privileges to perform certain actions such as rebooting the system.
CVE-2020-11508
PUBLISHED: 2020-04-07
An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows logged-in users with minimal permissions to create or replace existing pages with a malicious page containing arbitrary JavaScript via the wp_ajax_core37_lp_save_page (aka core37_lp_save_page) AJAX action.
CVE-2013-7488
PUBLISHED: 2020-04-07
perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows remote attackers to cause an infinite loop via unexpected input.