From Cyber Czar to Risk Officer: The CISO’s Next Evolution

Over the last several years, the role of the chief information security officer (CISO) has undergone a critical transformation from technical guru to core member of anorganization’s senior leadership team. But in highly regulated, complex industries such as financial services and healthcare that harbor large amounts of personal information, the role is undergoing a further evolution as sensitive data takes on an increasingly central role in all parts of the business.

This more information-centric environment, which is still taking shape, calls for a different way of thinking about and managing risks within the organization (see Figure 1). This change in thinking includes:

  • A move away from the traditional cybersecurity focus on tactical elements like email hygiene and firewalls to a more strategic view centered on the data itself.
  • Less emphasis on responding to threats and more on instilling appropriate behaviors and managing perceptions of risk.
  • A shift from building higher walls and deeper moats that prevent intrusion to ensuring customized value-based risk management that protects each information asset.

A new profile for a more strategic role

The CISO thus will evolve from the unsustainable “cyber czar” position to become responsible for managing the organization’s information risks, supporting and sustaining the appropriate risk management culture and engaging with the C-suite regarding the use of new technologies and the information-risk implications of entering new businesses. Indeed, we can see the beginning of this shift as some sophisticated organizations (especially in financial services) adopt titles such as “Chief Information Risk Management Officer.” This is a welcome development, given that making cybersecurity everyone’s responsibility has been a longstanding goal of the information security community.

In the years ahead, the new breed of information security leaders will need to focus on:

  • Establishing uniform perspectives and behaviors that can crystallize into social norms regarding the use and handling of information at work – even when those norms are different than those governing how people handle personal information at home.
  • Managing the uncertainty and ambiguity that comes from the shift to a front-line, decentralized approach to information security
  • Having exceptional strategic orientation and the ability to communicate and influence outside of one’s chain of command.
  • Technical savviness and broader business understanding, as the role expands from just addressing cybersecurity threats to the broader mandate of managing information risk.

These changes will only take place, however, after the necessary perception and behavior regarding information risk and security becomes broadly ingrained throughout the organization. Until then, information security leaders will have their hands full creating that consensus and nudging us to a more secure future.

Source: https://www.securityroundtable.org/from-cyber-czar-to-risk-officer-the-cisos-next-evolution/

Traits of a Successful Threat Hunter

Threat hunting is all about being proactive and looking for signs of compromise that other systems may have missed. As defenders, we want to cut down the time it takes to detect attackers. To accomplish this, we assume the bad guys have penetrated our defenses, and then proceed to look for traces that their activities have left behind.

Putting aside the technical details, it is extremely important to consider the person, or perhaps the team, who is doing the hunting. I describe a good threat hunter as a person with a wide skill set who has “been there and done that” in multiples areas of IT and security. There are four main dimensions that help shape a good hunter:

Curiosity
A threat hunter needs to be patient, highly motivated, and driven by a desire to know more. The person needs to start asking questions such as why in order to understand whatever activity may be under analysis. In order to be able to answer the why, the drive to go deep into the rabbit hole is essential.

Critical thinking
Being able to analyze and solve problems also is important. The hunter must always keep an open mind and be able to consider alternative solutions to the problem. Thinking like an attacker usually helps frame an investigation from a different angle and could be the key to uncovering evil within your systems.

Technical expertise
A wide array of technical knowledge is essential. A person who is an expert in network and knows very little about other disciplines such as forensics, applications, databases, etc., may not be able to see the big picture. Ideally, the hunter has cross-discipline knowledge and knows who to reach out to when more in-depth analysis is required.

Ability to connect the dots
This is one of the most important aspects. Many analysts struggle when presented with multiple sets of information and therefore are unable to connect the dots and put together the puzzle. An efficient hunter should be able to understand the data and its business context, perform the appropriate correlations, and reach conclusions.

Professionals with this sort of talent and skill are scarce. Remember that in many cases it makes perfect sense to develop hunting talent in-house. An employee who has worked in a few IT or information security disciplines who knows your business brings great value to the table. Look around and see who is up to the challenge.

Editor’s note: Roger O’Farril will be presenting further insights on this topic at ISACA’s CSX North America conference, to take place 15-17 October in Las Vegas, Nevada, USA.

Roger O’Farril, Information Security Team Lead, Federal Reserve Bank of Chicago

[ISACA Now Blog]

Cloud Security Alliance Releases Malaysia Financial Sector Cloud 
Adoption Report

KUALA LUMPUR, MALAYSIA – August 20, 2018 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, and Malaysia Digital Economy Corporation (MDEC) today released the results of a joint survey, Cloud Adoption in the Malaysia FSI Sector, which surveyed IT and security professionals in Malaysia’s FSI about their cloud service adoption plans and priorities. The results were announced in Kuala Lumpur at the inaugural CSA Malaysia Summit, where Dato’ Ng Wan Peng, COO of MDEC; Jim Reavis, co-founder & CEO of CSA; and Ramesh Narayanaswamy, CIOO of CIMB Group Holdings were among the keynote speakers.

As a part of the Summit, CSA also organized a Roundtable on “Banking 4.0 – Digital Transformation, Opportunities & Challenges” aimed to work on the next level study of the survey conducted. This Roundtable was sponsored by Microsoft.

Although heavily regulated internationally, today’s financial services institutions (FSI) face similar pressures experienced by their compatriots in lesser-regulated sectors. There is an urgent need to embrace digital transformation to leapfrog competitors, enhance agility, and increase efficiency to better serve the modern digital consumer in this fast-paced economy. Significantly higher confidence levels in cloud security today have rendered the cloud a key enabler in overcoming these challenges. Seeing this trend, CSA and MDEC jointly conducted the “Cloud Adoption in the Malaysia FSI Sector” survey to gain a deeper understanding of the current and future state of cloud adoption in the region.

“Besides raising awareness of cloud adoption in the FSI sector, the survey also aimed to uncover obstacles that may have impeded cloud adoption by the banking sector within Malaysia,” said Dr. Lee Hing-Yan, Executive Vice President, CSA Asia Pacific. “Although separate studies have shown that the Malaysian government has done well in putting strong e-government plans in place, the government can further accelerate cloud adoption by introducing progressive guidelines. The increased clarity will help FSIs to continue reaping the benefits of cloud, while maintaining adherence to regulations.”

MDEC’s Director/Enabling Ecosystem Wan Murdani Wan Mohamad, Ir, commented:

“Malaysia’s shift towards becoming a developed, sustainable digital economy requires the transformative use of a secure and robust cloud ecosystem. As indicated by the study, a vital aspect of Malaysia’s transformation encompasses successful cloud adoption, which means that we must prioritise the future-proofing of our cybersecurity sector as an important aspect of our drive to build on the growth of cloud adoption by the FSI and, indeed, all sectors of our economy.”

The report published key findings in the areas of cloud adoption, IT security budgets, cloud computing, and cyber security skills, as well as cloud service compliance and regulations. Among the main findings:

  • Sixty five percent (64.7 %) of the FSI in Malaysia said they are developing a cloud strategy, while 17.6 percent have already developed a cloud strategy. The remaining 17.6 percent have a strict no-cloud policy.
  • Twenty four percent (23.5 %) of respondents mentioned that no cloud service data security and compliance regulations are predetermined in their organization, while 11.7 percent mentioned that their organizations have some form of cloud service data security and compliance management.
  • The majority of the survey respondents pay considerable attention to international standards when selecting a cloud service provider (CSP). This suggests that certification should be an important benchmark for CSPs as a measure and demonstration of their compliance with industry standards.
  • Fifty three percent (52.9%) of the respondents said that the top cloud threat in their organization is the lack of security assessments on cloud services provided by CSPs. In other words, there is a lack of necessary knowledge to properly address the challenges, with some being unaware even when these threats occur.
  • Due to the lack of commitment at the senior level, 58.8 percent of all cloud computing and cybersecurity professionals indicated they have never participated in nor organized any cloud application development or cloud-security-related training.

“We would like to thank MDEC for their ongoing support and contributions to this survey and to our broader efforts to understand and educate the market on cloud adoption in APAC,” added Dr. Lee.

CSA has conducted similar adoption studies in China (https://www.csaapac.org/fsisurvey.html) and India (https://www.csaapac.org/2016-cloud-adoption-and-security-in-india-survey-report.html). Cloud Adoption in the Malaysia FSI Sector paper is a free resource. Download the full survey report now.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security- specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

What To Expect and Consider When Hiring A CISO

The market for top-tier CISOs is now highly competitive. Information cybersecurity has become a high-profile corporate concern, and the bar has been raised on the pool of qualified candidates. By one estimate there were 2,700 CISO job openings in the United States in June 2015. So even if organizations are able to effectively evaluate candidates against current and future requirements, they must also be prepared from the start to actively sell the opportunity to an audience that is naturally skeptical.

In our experience, every CISO candidate asks four overarching questions when evaluating an opportunity:

1. “Who is my sponsor and how much influence does he or she have?”

This is likely to be the first question on the CISO candidate’s mind, and he or she is thinking about this issue in at least two specific ways. First, although the CISO is likely to have some interaction with the board and C-suite, there will still be many conversations that affect the information security function to which the CISO will not be privy. As a result, the CISO will have to rely his or her supervisor to act as an effective intermediary in advocating for resources and policy initiatives and in educating the board and CEO on information security issues as they unfold. Second, when the CISO needs to take an unpopular position to strengthen an organization’s information security profile, he or she has to know there will be support in high places.

2. “How deep is the organization’s commitment to information security?”

This is more than a question of staff and budget allocation, although those elements are certainly important. The CISO wants to know that the C-suite and the board appreciate the complexity and uncertainty at the core of the information security function and the need for making everyone in the organization, top to bottom, responsible for security. For the CISO to be successful, he or she must be empowered to act and be armed with the necessary resources to deploy both in times of normalcy and crisis. Although the CISO expects organizations to have high standards, he or she will avoid enterprises who reflexively cycle through security teams.

3.”What key performance indicators will I be measured against?”

Given that every large organization must assume that it is continually under cyberattack, it follows that security breaches are a matter of not “if” but “when.” Therefore, it is not realistic for a company to hold its CISO to a “one strike and you’re out” performance benchmark. The conversation about expectations is just as important as the ones about resources, reporting lines, and compensation.

4. “Where will I be in five years?”

Those who lead the information security function are like other functional leaders in their range of career ambitions. For some, the opportunity to lead the function at a quality organization is the goal; others, however, are looking ahead to a CIO role or even a broader role in organizational leadership. It is important to understand each candidate’s desires against what the organization can offer. Remember that the CISO’s reporting relationship will be one factor that frames this issue in his or her mind.

For more information on what to expect and consider while hiring a CISO, download your copy of Navigating the Digital AgeGet the book here.

Source: https://www.securityroundtable.org/what-to-expect-and-consider-when-hiring-a-ciso/

English
Exit mobile version