RSA Conference: CISOs’ top 4 cybersecurity priorities

I’ve spent a good amount of time talking to CISOs over the past few months to learn about their current priorities and how their jobs are changing. Of course, many of these security executives will be attending the RSA Conference in a few weeks.

What security executives are looking for

Based upon my meetings with security executives, here’s a sample of what CISOs will be looking for in San Francisco:

1. Executive-level threat intelligence

As business executives gain a better understanding about cyber risk, CISOs have been tasked with learning more about cyber adversaries and reporting what they learned to the board. To be clear, CISOs are not looking for deep technical intelligence on IoCs, exploits, or malware variants. Rather, they want to know who is attacking their organizations, for what purposes, and gather a high-level view of their tactics, techniques, and procedures (TTPs).

This exercise also extends beyond basic cyber attacks. CISOs want a better understanding about dark web chatter, fraudulent websites, credentials theft, and third-party risk management as it impacts their organizations.

In pursuit of this knowledge, CISOs will likely seek out vendors such as BitSight, Digital Shadows, and Flashpoint at RSA. Others (CrowdStrike, FireEye, Webroot, etc.) with deep threat intelligence chops should also be prepared for these discussions.

2. Integrated security platforms

Every CISO I spoke with said their current security technology infrastructure is overwhelming, so they have ongoing projects to consolidate and integrate security technologies. That means CISOs won’t be looking for individual products, but rather integrated security platforms they can implement over time. For example, CISOs want to talk about integrated threat defense — not endpoint security, malware sandboxes, machine learning, etc. individually.

On the backend, CISOs are kicking the tires on security operations and analytics platform architectures (SOAPA) that brings together disparate operations tools like SIEM, UEBA, EDR, security automation and orchestration tools, etc. IBM, Splunk, and others have a story to tell here, but vendors should beware of proprietary agendas. The CISOs I spoke with want to hear a different story featuring heterogeneous architectures, APIs, and open-source software.

3. Business risk

CISOs are getting more involved with business planning and strategy so they can assess risks, implement controls, and manage risk over time. In my humble opinion, the RSA Conference tends to under-emphasize risk management, but there will be some chatter about peripheral subjects such as digital transformation, IoT security, and the NIST cybersecurity framework. RSA (the company, not the conference) will be especially focused on the intersection between business and IT risk.

4. Changing security perimeters

Just about every CISO talked about the fact that mobility and cloud have obliterated the old network perimeter. As a result, many organizations are looking at identity and data security as evolving perimeters. While CISOs are prioritizing identity and data security, these topics get little more than lip service at RSA (although they may be jammed into GDPR-specific sessions). Identity discussions will center around multi-factor authentication and the software-defined perimeter (SDP, Cyxtera, Google, Zscaler, etc.), while data security chatter will focus on DLP (Digital Guardian, Forcepoint, Symantec, etc.) and encryption. Not exactly what CISOs will be looking, for but somewhat of a start.

My discussions with CISOs also tended to concentrate on people and process rather than technology. This makes sense, since many organizations continue to rely on manual processes for cybersecurity, and 70 percent of organizations claim they’ve been impacted by the cybersecurity skills shortage. Unfortunately, these focus areas are diametrically opposed to the RSA Security Conference, which tends to be a “hurray for security technology” festival.

The cybersecurity industry is booming, and I expect the RSA Conference to be a whirlwind of meetings, sales pitches, cocktail parties, etc.  At some point, however, I hope we can all cut through the industry hyperbole and address these and other CISO priorities.

Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s cybersecurity service.

Source: https://www.csoonline.com/article/3267965/security/rsa-conference-cisos-top-4-cybersecurity-priorities.html

It’s Time for CISOs to Become True C-Suite Business Leaders

When Equifax launched its search for a new chief information security officer (CISO) following its colossal data breach last year, the ability to operate as a capable C-level collaborator was at least as important as the candidate’s capacity for executing an effective information-security strategy.

The company’s new CISO, Jamil Farshchi—a business-aligned security leader who’s held the role at Home Depot, Time Warner, Visa, and Los Alamos National Laboratory—has been outspoken in describing the job as balancing the often-opposing demands of risk mitigation with business innovation. In order to do that well, CISOs must be able to manage not only their own information-security organizations, but also their relationships with their CEOs, boards of directors, and C-level peers.

Being able to communicate and collaborate both up and across the chain of command is a skill set that too few CISOs possess today, said Kal Bittianda, head of executive recruiter Egon Zehnder’s North America technology practice group, who worked on the Equifax CISO search. “CISOs in the past were ‘racks and stacks’ kinds of people. They managed the servers and manned the security dashboards behind a desk,” Bittianda explained. “They emailed updates, but they never spoke to anyone outside of their organizations. No one knew who they were—and no one cared.”

‘Out from the shadows’

Not so today, when every major corporation’s board and C-level leaders are on the hook for cybersecurity risk mitigation. They are holding half-day sessions to get a better grasp of what’s going on, and they don’t want to hear about it from the CEO or the CIO. They want to talk to the person in charge.

“Overnight, the CISO must come out from the shadows to stand in front of the board, and it’s a fairly daunting task,” said Bittianda. “Only some CISOs are capable of doing that well—and those people are in high demand.” Information-security leaders might be doing stellar work, but because they have not been trained in how to present a compelling case to board members, they risk being seen as incompetent.

The CISO’s peers have run this gauntlet in the past, thrust from executive obscurity into the spotlight. During the era of the Sarbanes-Oxley Act, board members wanted to hear from their company’s financial leaders to better understand the impact of financial statements and how to build robust internal controls. As technology became more central to corporate competitiveness, the board called on CIOs to help connect the dots between IT and business strategy. In many cases, it was trial by fire, an those who failed to rise to the challenge were often ushered out the door. In the past five or so years, the chief marketing officer (CMO) has come to the fore, with the advent of digital marketing and transformation.

Like the CFOs, CIOs, and CMOs who came before them, CISOs will now have to learn how to work with a variety of alien—that is, non-infosec—constituencies in a short period of time, each of which has their own specific interests in cybersecurity.

Business catalysts

“The pervasive use of technology means that legal, HR, marketing, ethics, compliance, and the board must understand these [cybersecurity] technologies, along with their risks and implications,” said Avani Desai, executive vice president and principal privacy leader and EVP at independent IT audit and certification firm Schellman & Company. “CISOs and CSOs need to learn how to move from being team leaders or group leaders to collaborators. We should see a paradigm shift, where CISOs and CSOs [evolve from] being assessors, technical champions, and compliance keepers to being business catalysts.”

This means not only presenting before the board, but providing more frequent updates to the executive team, fostering more open dialogue among business leaders, and spearheading the effort to mold the corporate culture to realize the value of information security.

That will require significant effort on the part of CISOs themselves. “They need to be able to talk to their business peers,” said Bittianda, “and if it’s something they’ve never done before, people might not make it easy for them.”

A good place to start is with the CEO and CIO. “I’m sure the CEO is already asking for updates on cyber,” Bittianda noted. “CISOs can look at what they need to do differently to be more effective in those conversations, seeking and accepting feedback on what works and what doesn’t.” CIOs—particularly the 70 percent who have CISOs reporting to them—have a vested interest in helping their information-security reports sharpen their skills by managing vertically and horizontally within the organization. “There’ a lot of incentive for them to help,” Bittianda said. “And they have lived through this journey themselves.”

Value of information security

CISOs should capitalize on every chance they have to speak to non-tech audiences to increase their capacity for explaining the value of information security in plain English. There also might be opportunities to get training internally or externally.

Just as important to CISO success as learning how to speak to business leaders is taking the time to understand their needs. The information-security organization has long been viewed as the department of “no,” with the CISO being a barrier to business success. “If someone in the business saw them coming, they’d avoid them,” joked Bittianda. It’s critical to change that perception, because the earlier information security is built in to business strategy, the more likely that the CISO will be able to put effective practices in place.  CISOs should be seen as more than “overseeing just technology or security,” said Desai. “They are business leaders who are helping to ensure and safeguard confidentiality, integrity, and availability of a company’s processes.”

For CISOs who want to build reputations as problem solvers rather than road blockers, “listening is huge—trying to understand the problems versus being perceived as the person who is adding more problems to their plate,” Bittianda said. “It’s important to build those relationships so they believe you’ve got their back and are willing to help them get things done.”

While the impetus is on the CISO to sharpen his or her business-communication and collaboration skills, corporate leaders concerns that their security leaders aren’t up to the task should take an interest in helping them improve. After all, concluded Bittianda, those business-seasoned CISOs are still hard to come by, and companies may be better off growing their own than taking their chances on the open market.

Source: https://www.securityroundtable.org/time-cisos-become-true-c-suite-business-leaders/

How CISOs Can Successfully Talk Security to CEOs

It would be funny, if it were not so frustrating, that two individuals so intent on managing risk don’t understand one another. But that is the fundamental problem between business and security leaders. The gap is so huge that bridging it may seem nearly impossible. Yet, it can be done.

Here’s some much-needed illumination on why previous attempts to close the gap have resulted in bridges to nowhere—and how to fix that.

Understanding the C-level Perspective

“The fact that cybersecurity is a board issue is yesterday’s news,” said Nik Whitfield, CEO of Panaseer, a cybersecurity data analytics company. “While there is lots of data available, the puzzle that CISOs are trying to solve is how to bring this information together to show the board the picture they need to see.”

It’s like both sides are speaking a different language. The first step in effectively communicating with the CEO and board is to understand their risk language.

“As a CEO, my key concerns are growing the business and increasing shareholder value. As it relates to cybersecurity, I want a holistic picture, not a discussion of the latest technologies,” said Scott Kannry, CEO of cyber risk management company Axio.

Kannry noted his most valuable framework for understanding CISOs is to ask them to answer these four questions:

  1. Do we know our risk and fully understand the dollars and cents involved? Have we taken a sampling of scenarios, put various operational and functional staff around a table and used their collective knowledge to estimate what each of a variety of events could cost?
  2. Do we use a maturity-based cyber evaluation framework and align it with the scenarios quantified in the previous step?
  3. Do we maintain the resources and financial ability to recover from a meaningful event? Do we have the right balance of financial reserves and insurance to pay for as much (or all) of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair costs or replacement of damaged assets and others? How do we understand how much insurance to buy? See Step 1.
  4. Do we benchmark our organization against others, possibly a peer group?

In short, CEOs and board members are looking for the bigger picture in risk calculations.

According to The Cyber Balance Sheet survey of more than 80 board members, CISOs and subject matter experts, “Board members were five times as likely to cite ‘risk posture’ as a key security metric compared to CISOs. They are also 13 times as likely to say the same about ‘peer benchmarking’ – showing boardrooms’ greater concern for the big picture.”

That same report found that board members are inundated with security data and often just assume CISOs have things under control. Hence, they tend to “tune out” and simply expect the CISO to keep everything secured. So when something does go wrong, all fingers point to the CISO—an untenable situation, to say the least.

Speaking in Business Tongues

“When discussing cybersecurity risks with the CEO, or the C-suite in general, it’s critical to bridge the gap from purely technical to business terms,” said Brad Arkin, CSO at Adobe. “Remember that top executives have to prioritize many aspects of the business, including investor expectations, revenue and profit, brand equity, employees, etc., so it’s your job as the CISO/security expert to illuminate the business case for security in a broader business risk management context.”

Specifically, this means dumping technical metrics and scare tactics from the conversation. Instead, focus on calculating risks in terms of business impact.

“As far as how risk is determined, the key is not to think primarily in terms of technical metrics, such as unpatched OS vulnerabilities or average password strength, but in terms of business impact,” advised Nir Gaist, founder and CTO of Nyotron, a security products and services provider. “What is the probability that bad thing X could happen to us? What is the business consequence of X? What is a possible way to calculate the financial impact of that business consequence?”

Tips and Pitfalls

Here is a quick list of dos and don’ts from your peers to help you build a conversation framework that will truly connect your message with the powers-that-be:

  • Speak to risk/reward appetites, not in absolutes. Businesses cannot survive, let alone prosper, if all risk is eradicated. “CISOs can fall into the trap of an engineering mindset that seeks technical perfection. This can undermine credibility and set up unfulfillable expectations. And it misses the central reality of business, which is that risk is essential to reward,” said Gaist.
  • Understand how your company makes money, and speak to that. “Effectively translating technical risk into business risk terms means you have to understand how your company makes money. A web-based company selling to consumers is going to be far more sensitive to web-server vulnerabilities than will a B2B logistics firm,” said Kip Boyle, founder and CEO of Cyber Risk Opportunities, a risk management consultancy and service.
  • Expect disbelief of your numbers, present them strategically. “Remember that no one believes the numbers on your deck right out of the box, and you’ll wind up in a debate over how good those numbers are. Instead, use numbers sparingly. If someone wants more numbers from you, let them ask for them,” said Gaist.
  • Set up a business report rather than a security report. “CEOs and other C-levels all follow clear forecasting, tracking and reporting. The closer the CISO can align to this methodology, the more impactful they will be,” said Tom Pageler, chief risk officer and chief security officer at Neustar and  formerly chief risk officer at Docusign and deputy CISO/executive of global security and investigations director at JPMorgan Chase.
  • Make the impact more personal. Whatever you are describing or pitching, bring the point closer to the audience’s personal domain. “For example, if the discussion is with the VP of Sales, describe sales forecast impact. If the discussion is with the CFO, discuss the exposure to lawsuits and other activities that will stem from a breach and cause additional monetary damages,” said Jason Sinchak, CTO of mobile security company Sentegrity and CISO of Emerging Defense, a cyber-security penetration testing and breach investigation consulting firm.

Now you’re all set. Go forth with confidence, speaking in business terms and with the understanding that there is no “us versus them”—there is only “we.”

Pam Baker

Source: https://securityboulevard.com/2017/12/cisos-can-successfully-talk-security-ceos/

Dear CEO, Are You Enabling Your CISO?

Managing risk is at the forefront of responsibilities that C-level executives deal with on a daily basis. Yet, many executive committees are still ignorant of security risk due to a lack of understanding or an unwillingness to take the time to learn the risks. What are the key questions executives, board members and audit committee members should ask themselves regarding how security risk is managed within their organization?

What do we see?

Over the past 10 years there has been a dramatic increase in the number of security incidents. To give just one example; in just 10 years (2006-2015), the US government saw a 1300% increase of cyber security incidents. 2016 and 2017 have only confirmed this trend with a staggering number of data breaches, ransomware attacks, phishing incidents, etc. Not surprisingly, security risk has claimed a top spot in the top business risks in many, if not all, industries. Company boards and executive committees can no longer ignore the fact that just one serious security incident could significantly impact the bottom line and future growth of their company, and potentially even cost them their jobs.

The good news is that managing risk is at the forefront of responsibilities that C-level executives deal with on a daily basis. Managing business risk, and even firefighting, is part of the job description, and planning to prevent the fires is what successful companies do. Hence, CEOs and other members of the C-suite should be well versed in dealing with risks, including security risks.

Yet, both the security incidents as research seem to indicate that many executives are not ready, nor set up to manage security risks:

  • A recent report by F5 Networks found that although 65% CISOs say they report to senior executives, most often that reporting is limited to incident and crisis reporting. It also indicates that 35% is not even reporting on that.
  • A 2016 reportfrom Nasdaq and Tanium states more than 90% of corporate executives say they can’t read a cyber security report and aren’t prepared to handle a major attack.
  • Severe data breaches already cost the jobs of CEOs (e.g. Equifax and Target). However, it is more likely (though less reported) that the CISO takes the fall. After all, isn’t the CISO responsible and accountable for security? While this may seem a logical reasoning, it negates the fact that security is a shared responsibility across the company and that there are many times that the security requirements and the CISO are ignored. Additionally, I would like to quote a question of Wim Remes, Chairman of the Board of the International Information System Security Certification Consortium, or (ISC)²: “You don’t fire your general counsel when you get sued, so why would you fire your CISO when you get breached?” So, without looking into the individual cases, but just at the trend, blaming and even firing the CISO seems to be one other indication that there is still a major disconnect between the CISO and the CEO.

Basically, it comes down to this: when the CEO (and by extension the executive committee and the board) is ignorant of security risk due to a lack of understanding or an unwillingness to take the time to learn the risks, then:

  • Important decisions about security do not get made
  • The CISO is not enabled, nor empowered to successfully help protect the company
  • The company is not prepared for the many and ever increasing security risks it is facing

6 key questions executives should ask themselves

As C-level executive, board member or audit committee member there are a number of key questions you should ask yourself about the manner in which security risk is managed is in your company.

1. Does your CISO have both the organizational and positional power to escalate issues that they feel strongly about to the appropriate C-level or even board position?

Your CISO will not be successful unless he or she has the buy-in and engagement of the executives. Without this, your CISO will simply be perceived as a business blocker and his or her efforts circumvented. Your CISO needs to have the organizational power and position to effectively challenge business risk decisions that are not good for the company.

2. Are you a passive listener to what your CISO has to say or do you actively engage in the conversation? Are you demanding the latter also from the other execs?

An involved CEO meets regularly with the CISO, reviews reports, asks questions, and provides encouragement and support in front of the other executives and board.

3.  Do you know what your security policies are about, what their objectives are, and do you understand that they help to define the level of risk you are willing to take as a company.

As executive you must actively endorse and support the security policies, and not just passively agree to them as a mere formality. If you don’t bother or don’t believe in enforcing the security policies that were put in place to protect your company’s information (systems), if you don’t help to enforce the policies that you let down your company, your employees, your suppliers, your customers, …, then you probably deserve the security incidents that will inevitably occur.

4. Are you considering security as a responsibility and accountability that is shared across the company or are you attributing it completely to your CISO and his or her security team?

Controlling security can’t be relegated to one person or one team. It’s an enterprise risk and business problem, not just a CISO problem to resolve. It should not be the CISO making all the decision as to how much investment and what the right thing to do is. That actually needs to be in the hands of the Executive Committee. The CISO obviously plays a facilitating role and you can make a CISO responsible for particular security tasks, but a CISO can never be held accountable for security tasks and responsibilities of others. You should therefore –    with the help of your CISO – institute a security program that engages all different stakeholders in the company. Clear assignment of responsibilities is vital. Groups who are responsible for protecting crucial data, like IT, HR, procurement, and marketing, must become cyber-conscious and accountable too.

5.  Are your discussions on executive and board level driven by front page news and incidents?

As information security breaches continue to make the front pages, organizations need to ensure that headlines don’t drive the information security program. Ensure your CISO has regular interactions with executive leadership to create clear visibility into all areas of security risk, i.e. a structured form of risk reporting allowing you to manage security risks in a forward looking and business strategy-aligned manner.

6.Do you believe security problems can be solved by simply investing in the right security tools and solutions?

Incident driven security risk discussions tend to result in throwing money at the issue and investing in new security solutions.  However, and to quote Tim Holman, past president of the Information Systems Security Association in the UK (ISSA-UK): “The cyber threat cannot be solved by buying products. A common-sense approach of reducing the amount of sensitive data stored, booting out insecure suppliers, restricting access to information and getting cyber liability cover will often be ten times as effective and ten times cheaper than the next generation security appliance with flashing lights sold to you by expert salesmen. All these require support from the lines of business and the executives.”

Not sure where your company currently stands?

Did the previous questions make you realize it is time to talk to your CISO? Good, then here are some questions that you should ask him or her to trigger a critical discussion about the state of security risk within your company:

  1. Do you understand our wider business strategy?
  2. (How) have you aligned our security approach to our organizational strategy?
  3. What are the biggest risks?
  4. What are the gaps?
  5. How are you evolving our security approach to match the changing risk landscape?
  6. Are sufficient resources available, and are they being used wisely?
  7. Are you being heard? If not where and why are people ignoring you?

Based on the answers you are getting, you will be able to see where the lines of communication between CISO and executives are obscured, where the CISO may not have been given the tools and resources in line with his or her responsibilities, and – most importantly – if and where you need to improve your understanding of security risk to the same degree as any other business risk.

Tim Wulgaert is a consultant, advisor, presenter and author in the field of information security and privacy. He has over 15 years of experience in developing, reviewing and improving information security strategies, policies, awareness campaigns, organizational design and other related security management topics. Currently, Tim is working on securitythisway.com; an initiative to build a security management content platform that aims to provide security and privacy professionals with hands on security policy, process, awareness and other related security management content.

Source: https://www.csoonline.com/article/3241466/governance/dear-ceo-are-you-enabling-your-ciso.html

First US Federal CISO Shares Security Lessons Learned

Greg Touhill’s advice for security leaders includes knowing the value of information, hardening their workforce, and prioritizing security by design.

INSECURITY CONFERENCE – Washington, DC – Greg Touhill encouraged his audience of security leaders, whom he dubbed “the cyber neighborhood watch,” to swap war stories and lessons learned during his keynote at Dark Reading’s inaugural INSecurity conference, held this week in Washington, DC.

As the first CISO of the US federal government, and with an extensive background in government cybersecurity and the military, Touhill has several stories of his own. Drawing from years of experience, the Cyxtera president shared his own lessons learned to kick off an event created to bring cyber defenders together so they can discuss problems and challenges.

One of the biggest problems is explaining to the business how cybersecurity is a risk management issue. Most security pros struggle to communicate with business leaders, who “speak a different language than we do,” he explained.

“I keep on hearing executives talk about cybersecurity being a technology problem, and they keep pouring money into buying new stuff,” said Touhill as an example. The enterprise instinct to buy new protective tools often distracts them from the core problem of managing risk.

One of Touhill’s lessons was to avoid chasing fads. Sometimes new doesn’t mean improved, he noted. Security leaders need to keep tech current, not buy every new tool. They should do their homework and base their product decisions on both risk potential and business value.

Knowing the value of corporate information is a key part of evaluating and managing risk. Business leaders know their data exists but can’t explain what it means or how much it’s worth. It’s tough to know where to prioritize security if you don’t know which data is most valuable.

“Information is one of the most valuable assets any business, any operation has,” Touhill emphasized. “Look at your infrastructure, look at how you architect. Know the value of your information and don’t try to defend everything. Defend what you need to defend.”

Security leaders must also prioritize security by design, he continued, using the transition to the cloud as an example. “A lot of folks jumped into the cloud without knowing about the tall, craggy mountains on the other side of that cloud,” he pointed out.

Touhill’s lessons extended to security employees. “Humans fail all the time,” he said, but you can bring down the risk of catastrophic events by training people and making sure they’re appropriately resourced. Hardening the workforce is “critically important.”

“People are your weakest link but also your greatest assets,” Touhill continued. It’s up to security leaders to make the business case for additional training, which is necessary but expensive. The need for education will never go away. Team members, and colleagues across the enterprise, should be taught to “think like a hacker” and “be very suspicious.”

The sentiment extended to another lesson: have a zero-trust model. Most security pros haven’t taken a full inventory of all the trust relationships they have, he argued, encouraging the audience to look at where their trust lies and “be skeptical.” Knowing and remembering the value of information will be critical as a new wave of professionals enters the workforce.

“We’re raising a generation of folks who are freely surrendering their privacy – your privacy – by giving up information and not recognizing the value of it,” Touhill said.

Other lessons touched on security fundamentals. He urged the audience to identify where they aren’t mastering basics or being consistent. “How many times has someone gotten breached and left the backdoor open?” he asked, relating his advice back to thinking like a hacker.

Attackers will go for the underbelly, Touhill continued. They will check every door and window to make sure they are locked. And if they’re not, they will take advantage of it.

Ultimately, along with protective measures and strategies, leaders must also “be prepared for a really bad day,” he concluded. Security teams identify risk and threats, protect against them, and often build response plans but rarely exercise them to practice for a real incident. Those who need to practice the most often don’t.

In the best organizations, everyone participates in cyber exercises and drills – even the boards and the CISOs. “A bad day is going to come for each and every one of us,” Touhill emphasized.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Source: https://www.darkreading.com/attacks-breaches/first-us-federal-ciso-shares-security-lessons-learned/d/d-id/1330519

English
Exit mobile version