The Ever-Changing Role of the Chief Information Security Officer

In recent years, the responsibility of the Chief Information Security Officer (CISO) became much more complicated and important than ever before.

Let’s face it. No matter what location, company or industry the CISO works in or for, the company and information they protect are going to be a target for attackers either for financial fraud or espionage.

The CISO role has been one of the most difficult positions for organizations to fill and comes with huge responsibilities. The past year has been especially busy for cyber criminals. Public reports indicate more than 500 data breaches and more than 500+ million records exposed in 2015. This includes the disclosure of 21 million U.S. Office of Personnel Management records, 70 million medical records at Anthem and 37 million user details at Ashley Madison. If the CISO works in the entertainment, financial, healthcare, information, public or retail industry, they are more likely to have the toughest job.

With greater connectivity, the emergence of the Internet of Things (IoT), the disappearing perimeter, ever-growing malware and disruptive ransomware as well as more employees using social media, it was not unexpected to see these as the biggest increase in threats that the CISO has to deal with. As time goes on, the problem is getting bigger each year.

The CISO must also deal with the ever-growing number of devices in the workplace. Recent reports indicating that the target for attackers has shifted from perimeter servers/services to end user devices and the end user identities. This is why the perimeter is no longer a clear line as devices and people move in and out of the perimeter so does the attacker who has compromised the end users device or identity.

Once the end user device and/or identity have been compromised, it literally takes minutes for the target company to be breached. In the underground hacking community, news travel fast. Before the CISO knows it, rather than dealing with one breach, things can cascade very quickly with multiple attackers concurrently.

Unfortunately, the bad news for the CISO does not end here the time to compromise and discover just got worse with it taking days or less for 84% of breaches and the dwell time getting much worse with it already being an average of 205 day before you detect the breach which in almost every breach it is already too late and the damage has been done, the question is how bad is it. So the CISO better have a very good disaster recovery plan or backup process in place.

It is more likely that the CEO is going to hear about the breach from law enforcement, fraud detection in transaction processing companies, 3^rd party companies or Ethical Hackers before they find it out for themselves. Obviously, this is not a great situation for the CISO to be in.

Another major challenge for the CISO is the ever-growing “Apps”, the number of end user devices has exploded and with app stores everywhere and apps for almost anything and everything it was not unexpected to see CVE’s growing each year so where does the CISO start with patch management and software updates?

More bad news is that the employees this year have not learned from last year, the CISO now has to deal with more employees clicking on phishing email attachments and opening phishing emails, according to the Verizon Data Breach Incident report (DBIR), this is up from 11% in 2014 to 13% in 2015 for clicking, and up from 23% in 2014 to 30% in 2015 for opening.

Another major concern for the CISO is how to protect employee’s credentials and privileged accounts. According to the Verizon DBIR 63% of the breaches was a result from weak or stolen credentials, which allow an attacker to use those credentials and act as a trusted user to perform malicious activity or financial crime.

As we can see, the CISO has one tough job and responsibility to deal with. Yes, the board is aware of the cyber security discussion, and once in a while they bring it up in the board room, but now is the time to move from discussions to actions. We need to give the CISO the ability to protect the organization from these ever-growing threats.

How Can the CISO Contribute to the Business?

The problem and challenge in the past is that it is difficult to measure cyber security risk for many organizations. This has put the CISO in a tough situation as to how they can show business value when it is not easy to measure. In the past, the metrics where not clear and it was about keeping the existing security controls working, making continuous improvements where possible and helping put security on technologies which the business already adopted and are using. But, at the same time, security has always been an afterthought and sometimes it was simply not possible to keep the same high level when security and privacy was not implemented by design. This means increased risk, making the CISO’s already tough job even more challenging.

This has to change, and it is going to change. Especially with new regulations that come with harsh financial penalties if adequate security is not in place and forces many organizations to adopt cyber insurance to offset the risk of those hefty penalties. Those cyber insurance policies will mean you will need to measure the risk.

Key metrics are going to be vital for the CISO to help company’s identity the ever-dynamic risk measure. When we can clearly measure risk, where risk is being reduced and where it increases will help the CISO provide hugely valuable metrics back to the business to determine what mitigation controls should or should not be put in place. This will help companies adopt new technologies much quicker and more efficient than ever before as when it can be measured the risk decision can be made.

What Can the CISO do the Make a Major Difference?

It’s clear that the challenge is huge and the responsibility on the CISO shoulders is a massive weight. However, there is a way forward.

If we step back from all of these and we accept that the perimeter is evolving, data is flowing more frequently and growing at rates never expected. One thing in all of this is common and that is the Identities and Privileges, which enables employees to get their work done and enables attackers to use those identities and credentials to perform malicious or financial crime as a trusted user. The new security perimeter is with the Identities and Privileges to which as we have discussed is used in many of the breaches, it the target for attackers, enables malware and ransomware to perform disruptive actions and data poisoning. If these are well protected then this makes the CISO’s job much easier and makes the attacker’s job more difficult.

Good Identity and Access Management with a strong Privilege Account Management can help the CISO put a new perimeter in place that helps the business continue to be secure and enable organizations to grow without network boundaries. It will also enable more adoption of cloud technologies and services as well as the embracing of IoT knowing that the security controls on the Identities and Access makes it more difficult for an attacker to breach a company.

About the Author

Joe Carson is a cyber security professional with more than 20 years’ experience in enterprise security & infrastructure. Currently, Carson is the Head of Global Strategic Alliances at Thycotic. He is an active member of the cyber security community and a Certified Information Systems Security Professional (CISSP).