Dark Reading is part of the Informa Tech Division of Informa PLC


3 Things Every CISO Wishes You Understood

Ensuring the CISO's voice is heard by the board will make security top of mind for the business, its employees, and their customers.

CISOs in the security industry hold a unique position: as security leaders, they have the influence and the purchasing authority to buy products and make decisions that can drastically change an organization's security posture. They are also expected to fall on their sword if a security incident becomes public.

But the role of the CISO is as diverse as it is dynamic: it varies enormously from one organization to the next, and it is constantly in flux. Here are three things that every CISO wishes you knew.

The CISO's Role Is Changing Before Our Eyes
When the need for a security leader first appeared, as computing and use of the Internet became widespread, that leader was something of an isolated figure. The rest of the business saw the role as a subject matter expert, there to put out fires and deal with security concerns in a self-contained manner. The less other areas of the business heard from the CISO, the better.

In the 18 years I have been working in security, this relationship has changed drastically, in line with how security has evolved. Now it is common to see data breaches making headlines, affecting share prices, and causing high-profile board member resignations. 

As such, we're starting to see a trend where CISOs report directly to the CEO in order to keep them informed of security concerns. This moves security leaders out of the realm of trusted subject-matter expert into a much more complex role within the business ecosystem: risk adviser. That role can make the CISO's job far more politically sensitive. For example, a CISO might have to report weaknesses or vulnerabilities in systems that fall under the CIO's remit, which can create friction at the executive level. This is why I think it's so important that the CISO has a direct and unfiltered line of communication to the CEO, so that politics are left out of decisions that need to be made purely on the basis of risk.

In addition, by elevating the visibility and importance of a company's cybersecurity program, security practitioners are empowered to take responsibility not just for technology decisions (what's the best way to address a specific requirement) but also for problem-solving to reduce risk and increase long-term performance and growth. Business controls, user policies, and supplier assessments all contribute to a best-practices cybersecurity program that supports the entire business ecosystem.

CISOs Are Capable of Helping Other Areas of Business Function
The increasing importance of security to wider business concerns has given CISOs ample opportunity to help in other areas of the business. For example, the CISO can provide best-practice guidance to assist customers with configuring their own security systems. This is especially important if the customer in question has not reached a level of maturity where it has a CISO of its own. This advisory role can be crucial in fostering, maintaining, and developing good working relationships with customers, and can even help generate fresh streams of revenue for the business.

This is of particular importance to CISOs working at security companies: being able to impart technical knowledge of the product as both a practitioner and a salesperson can be invaluable. CISOs can also offer their company considerable "soft power" as company spokespeople, public speakers, and influencers.

Questions of Ethics and Technology Are More Important Than Ever
Although the role of the CISO has diversified significantly in recent years, one facet of the role remains: CISOs are security practitioners, directly involved on the front lines of defending organizations from threat actors.

Given this purist view of what a CISO does, it's of paramount importance that questions of ethics remain at the forefront of conversations around new and emerging technology. As the pace of technology development accelerates, we are offered a plethora of new technologies with which to protect our corporate environments.

However, every new tool, defensive method, or technique developed by defensive security teams is also accessible to threat actors. Building an artificial intelligence or machine learning product to defend against threats gives black hats the same technological opportunities for attack that it gives us for defense, escalating the battle even further. This is of particular concern given the extremely well-funded criminal and nation-state organizations for whom cybercrime has become a key operational priority.

The possibility that defensive technology will be reverse engineered and repurposed needs to be considered during its development, with industry and expert consultation and with regulatory frameworks in place. Technology has no morals and no allegiances, and can be deployed by anyone, regardless of their motives.

When I first started in security, only the smartest hackers could get access to tools that would let them take advantage of systems or people. Now there's a whole underground economy, and anyone can buy a botnet or obtain ransomware and use it. It's so accessible, and that's a really big issue. For security practitioners, this means that any decision to deploy an innovative new technology, even if it appears to be the best tool for their needs, must also consider how hardened that solution is against reverse engineering by external attackers.

The problem of cybercrime is not going away and will only become more important in the coming years. This means that the role of the CISO, or of other technology leaders, needs to be elevated in line with its importance. While the CISO's role is subject to almost constant change, ensuring that CISOs have a voice within the business and the wider security community will help keep the position relevant. The CISO is still the person best placed to protect enterprises and individuals alike from the ever-expanding threat landscape.

Vanessa Pegueros is the Chief Trust & Security Officer at OneLogin, an IDaaS (Identity as a Service) provider, where her responsibilities include enterprise security, compliance, privacy and IT. Vanessa also serves on the Audit Committee of the Boeing Employee Credit ...
7/6/2021 | 8:53:41 PM
CISOs have way more responsibility than many might think. This article really shows that!