Dark Reading is part of the Informa Tech Division of Informa PLC


3/23/2020
10:00 AM
Mike Convertino
Commentary

From Zero to Hero: CISO Edition

It's time for organizations to realize that an empowered CISO can effectively manage enterprise risk and even grow the business along the way.

Traditionally, CISOs have borne the brunt of blame for cyber events that affect an organization. Because CISOs are the leaders in charge of data security, any breach has been seen as a mistake on their part and consequences doled out accordingly. However, as companies' understanding of cybersecurity has evolved, this is starting to change in fundamental ways; today's CISO faces an unprecedented opportunity to be hailed as a hero, rather than condemned as a villain, in the aftermath of a cyberattack.

Case in point: A few years ago, a security event erupted inside a security vendor's own internal network. The internal security team was using the company's own products, and the CISO had been granted access and permissions to modify the products' code locally along with other resources to adapt them to his own use. When the attack occurred, the modifications he and his team had made were the difference between a large-scale, publicly reportable event and a significantly smaller incident that was entirely manageable.

During the incident, the security teams responded alongside product development teams and explained to developers how the attack worked, along with the modifications they'd made that helped stop the attack. In tandem, the CISO was briefing the C-suite and board regularly, including how the depth and breadth of product modifications made by the security team made a difference. Specifically, he explained how the company's products were modified to block attacker communications and how the products were made to interface with security products from other companies to enhance the speed of the blocks.

Rather than blame, second-guess, or threaten the CISO with his job, development executives praised the security team's product innovations to those in the C-suite, who then pulled the CISO into a larger product development role that ultimately increased business.

What It Takes to Be a Modern CISO
While this template may not necessarily be repeatable across industry sectors, it helps illustrate some important shifts in how companies behave after a major security incident.

With new attacks forming faster than the technologies to fight them, holding CISOs to an entirely unrealistic standard doesn’t actually serve anyone. The truth is that no matter how many technologies are deployed or how good the security posture is, 100% protection from cyberattacks is simply not possible. Perhaps senior leadership and boards of directors are finally starting to acknowledge this fact, or perhaps they're starting to realize that a successful response to an attack, along with actions by other parts of the organization, contributes to the ultimate scale and scope of the event.

CISOs are uniquely capable of gauging cyber-risk and how to reduce it. Experienced CISOs understand the threats their companies face and know how to deploy the optimal mix of people, processes, and technologies, weighed against threats, to provide the best possible level of protection. Organizations that understand this are leading the charge in shifting the perception of the CISO from technical manager to strategic risk leader.

Given this shift in industry and perception, it's only a matter of time before CISOs' skills and expertise — along with their well-managed team — will be needed to prevent disaster. When that moment occurs, however, the difference between success and failure lies in the degree to which they've been empowered by the organization to take the necessary steps — before, during, and after an attack.    

What Do Empowered CISOs Look Like?
First, they have strong social support within their organizations. They are involved in decision-making that affects overall security across the enterprise.

Second, they have authority over the cyber-risk management budget, including insurance, as well as overseeing response and recovery efforts. CISOs typically have to coordinate many parties when an attack hits, including outside counsel, insurance providers, incident response contractors, and infrastructure recovery contractors. Having responsibility without budget or authority is a recipe for failure at a critical time.

Finally, the board and senior leadership recognize that no solution for cyber threats is perfect, and an increase in attack frequency means that eventually one will succeed. They understand that blaming the CISO after a cyber incident is unfair and deprives the organization of an opportunity to learn from the experience, with a professional who is best positioned to make the company safer in the future.

As the tide of perception continues to shift in favor of today's CISO, it's important to remember that empowering the role with support, authority, and resources can make all the difference to your organization's unsung CISO hero.


Mike Convertino is the chief security officer at Arceo.ai, a leading data analytics company using AI to dynamically assess risk for the cyber insurance industry. He is an experienced executive, leading both information security and product development at multiple leading ...
 
