Dark Reading is part of the Informa Tech Division of Informa PLC
6/30/2021 01:00 PM
3 Things Every CISO Wishes You Understood

Ensuring the CISO's voice is heard by the board will make security top of mind for the business, its employees, and their customers.

CISOs in the security industry hold a unique position: as security leaders, they have the influence and access to purchase products and make decisions that can drastically affect the security posture of an organization. They are also expected to fall on their sword in the event of a security incident going public. 

But the role of the CISO is as diverse as it is dynamic, varying massively depending on the organization, and is a role that's constantly in flux. Here are three things that every CISO wishes you knew.

The CISO's Role Is Changing Before Our Eyes
When the need for a security leader first appeared, as computing and the use of the Internet became widespread, they represented something of an isolated figure. The role was viewed by other members of the business as a subject matter expert, there to put out fires and deal with security concerns in a self-contained manner. The less that other areas of the business heard from the CISO, the better. 

In the 18 years I have been working in security, this relationship has changed drastically, in line with how security has evolved. Now it is common to see data breaches making headlines, affecting share prices, and causing high-profile board member resignations. 

As such, we're starting to see a trend where CISOs report directly to the CEO in order to keep them informed of security concerns. This position moves security leaders out of the realms of a trusted subject-matter expert into a much more complex role within the business ecosystem: a risk adviser. This role can often make the CISO's job much more politically sensitive. For example, a CISO might have to report weaknesses or vulnerabilities, which would fall under the CIO's remit, and therefore have the potential to create friction at an executive level. This is why I think it's so important that the CISO has a direct and unfiltered line of communication to the CEO so that politics are left out of decisions that need to be made purely with risk prevention in mind.

In addition, by elevating the visibility and importance of a company's cybersecurity program, security practitioners are empowered to take responsibility not just for technology decisions (what's the best way to address a specific requirement) but also to problem-solve to reduce risk and increase long-term performance and growth. Business controls, user policies, and supplier assessments all contribute to creating a best-practices cybersecurity program that supports the entire business ecosystem.

CISOs Are Capable of Helping Other Areas of Business Function
The increasing importance of security to wider business concerns has provided CISOs with ample opportunity to help in other areas of the business. For example, the CISO can provide insight on best practices to assist customers with configuring their own security systems. This is especially important if the customer in question has not reached a level of maturity where they have a CISO of their own. This advisory role can be crucial in fostering, maintaining, and developing good working relationships with customers, and can even help to generate fresh streams of revenue for the business.

This is of particular importance to CISOs working at security companies: Being able to impart the technical knowledge of the product as both a practitioner and a salesperson can be invaluable. CISOs can also be extremely useful in the "soft power" they can offer their company, as company spokespeople, public spokespeople, and influencers. 

Questions of Ethics and Technology Are More Important Than Ever
Although the role of the CISO has undertaken significant diversification in recent years, one facet of their role remains: CISOs are security practitioners, directly involved on the front lines of defending organizations from threat actors. 

Considering this purist view of what a CISO does, it's of paramount importance that questions of ethics remain at the forefront of conversations around new and emerging technology. As the pace of technology development grows exponentially, we are provided with a plethora of new technologies to protect our corporate environments. 

However, every new tool, defensive method, or technique developed by defensive security teams is also accessible to threat actors: Creating an artificial intelligence or a machine learning product to defend from threats will conversely provide black hats with the same technological opportunities for attack that we are provided for defense, elevating and escalating the battle even further. This is of particular concern when considering the extremely well-funded criminal and nation-state organizations, for whom cybercrime has become a key operational priority. 

This possibility of reverse engineering needs to be considered during the development of these technologies, with industry and expert consultation, as well as regulatory frameworks in place. Technology does not have any morals, or allegiances, and can be deployed by anyone, regardless of their motives.

When I first started in security, only the smartest hackers would be able to get access to tools that would allow them to take advantage of systems or people. Now there's a whole underground economy and anyone can go buy a botnet or get some ransomware and leverage it. It's so accessible, and that's a really big issue. For security practitioners, this means that any decision to deploy innovative new technology, even if it appears to be the best tool for their needs, must also consider how hardened, or secure, this new solution is from reverse engineering by external attackers.  

The issues of cybercrime are not going away and will become increasingly more important in the coming years. This means that the role of the CISO, or other technology leaders, needs to be elevated in accordance with the importance of the role. While the role of the CISO is one that is subject to almost constant change, ensuring that they have a voice within the business and the security community more widely will help ensure the position remains relevant. The CISO is still the person in the best position to protect enterprises and individuals alike from the ever-expanding threat landscape.

Vanessa Pegueros is the Chief Trust & Security Officer at OneLogin, an IDaaS (Identity as a Service) provider, where her responsibilities include enterprise security, compliance, privacy and IT. Vanessa also serves on the Audit Committee of the Boeing Employee Credit ...
Comments

EmmyR, User Rank: Apprentice, 7/6/2021 | 8:53:41 PM
CISOs
CISOs have way more responsibility than many might think. This article really shows that!