Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

3/23/2020
10:00 AM
Mike Convertino
Mike Convertino
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

From Zero to Hero: CISO Edition

It's time for organizations to realize that an empowered CISO can effectively manage enterprise risk and even grow the business along the way.

Traditionally, CISOs have borne the brunt of blame for cyber events that affect an organization. Because CISOs are the leaders in charge of data security, any breach has been seen as a mistake on their part and consequences doled out accordingly. However, as companies' understanding of cybersecurity has evolved, this is starting to change in fundamental ways; today's CISO faces an unprecedented opportunity to be hailed as a hero, rather than condemned as a villain, in the aftermath of a cyberattack.

Case in point: A few years ago, a security event erupted inside a security vendor's own internal network. The internal security team was using the company's own products, and the CISO had been granted access and permissions to modify the products' code locally along with other resources to adapt them to his own use. When the attack occurred, the modifications he and his team had made were the difference between a large-scale, publicly reportable event and a significantly smaller incident that was entirely manageable.

During the incident, the security teams responded alongside product development teams and explained to developers how the attack worked, along with the modifications they'd made that helped stop the attack. In tandem, the CISO was briefing the C-suite and board regularly, including how the depth and breadth of product modifications made by the security team made a difference. Specifically, he explained how the company's products were modified to block attacker communications and how the products were made to interface with security products from other companies to enhance the speed of the blocks.

Rather than blame, second-guess, or threaten the CISO with his job, development executives praised the security team's product innovations to those in the C-suite, who then pulled the CISO into a larger product development role that ultimately increased business.

What It Takes to Be a Modern CISO
While this template may not necessarily be repeatable across industry sectors, it helps illustrate some important shifts in how companies behave after a major security incident

With new attacks forming faster than the technologies to fight them, holding CISOs to an entirely unrealistic standard doesn’t actually serve anyone. The truth is that no matter how many technologies are deployed or how good the security posture is, 100% protection from cyberattacks is simply not possible. Perhaps senior leadership and boards of directors are finally starting to acknowledge this fact, or perhaps they're starting to realize that a successful response to an attack, along with actions by other parts of the organization, contribute to the ultimate scale and scope of the event.

CISOs are uniquely capable of gauging cyber-risk and how to reduce it. Experienced CISOs understand the threats their companies face and know how to deploy the optimal mix of people, processes, and technologies, weighed against threats, to provide the best possible level of protection. Organizations that understand this are leading the charge in shifting the perception of the CISO from technical manager to strategic risk leader.

Given this shift in industry and perception, it's only a matter of time before CISOs' skills and expertise — along with their well-managed team — will be needed to prevent disaster. When that moment occurs, however, the difference between success and failure lies in the degree to which they've been empowered by the organization to take the necessary steps — before, during, and after an attack.    

What Do Empowered CISOs Look Like?
First, they have strong social support within their organizations. They are involved in decision-making that affects overall security across the enterprise.

Second, they have authority over the cyber-risk management budget, including insurance, as well as overseeing response and recovery efforts. CISOs typically have to coordinate many parties when an attack hits, including outside counsel, insurance providers, incident response contractors, and infrastructure recovery contractors. Having responsibility without budget or authority is a recipe for failure at a critical time.

Finally, the board and senior leadership recognize that no solution for cyber threats is perfect, and an increase in attack frequency means that eventually one will succeed. They understand that blaming the CISO after a cyber incident is unfair and deprives the organization of an opportunity to learn from the experience, with a professional who is best positioned to make the company safer in the future.

As the tide of perception continues to shift in favor of today's CISO, it's important to remember that empowering the role with support, authority, and resources can make all the difference to your organization's unsung CISO hero.

Related Content:

 

Mike Convertino is the chief security officer at Arceo.ai, a leading data analytics company using AI to dynamically assess risk for the cyber insurance industry. He is an experienced executive, leading both information security and product development at multiple leading ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
justinebone
50%
50%
justinebone,
User Rank: Author
6/5/2020 | 4:57:00 PM
It is in the best interest of the CISO to address product security
Traditional CISO responsibilities and the role of the Product Security Officer are conflating, and this presents a tangible opportunity for CISO's wishing to get more involved with "the business". It doesn't necessarily take a security incident to trigger this either - inside the medical device manufacturing industry for example we have seen sophisticated Product Security Officers grow into the CISO role, taking product security teams along with them. The result is a shift in culture for a traditionally internally-oriented organization to now include (or even prioritize) protection of the product, and by extension, the customer. Overall this serves as another career springboard for the CISO: from strategic risk leader to business leader.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15058
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15059
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
CVE-2020-15060
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
CVE-2020-15061
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
CVE-2020-15062
PUBLISHED: 2020-08-07
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.