CIO

CSOs may be more visible at the top, but that doesn’t make the job easy

In a field as rapidly changing as information security, it is trite to say that the role of the chief security officer is changing too. For CSOs working hard to stay on top of the security threats their companies face, the question is no longer whether their position is changing – but how they are going to manage that change and maintain their primacy as gatekeepers within increasingly security-aware businesses.

Michael Sutton, CISO with cloud-security firm Zscaler, likens the job to being the skating coach of an ice hockey team: everyone already knows how to skate, so the job lies not in teaching but in reminding them that they can always do better. In recent years, this has extended to boards that are becoming increasingly interested in the security of their internal systems.

“Even 2 to 3 years ago it was fairly rare for a board to be overly focused on security,” Sutton told CSO Australia – a position reinforced by a 2014 Ponemon Institute survey that found that fully one-third of Australian CISOs never met with their company’s executive team and a further 22 percent met only once a year to discuss security.

“It was pretty common that the CISO never made his way into the board room, and was never asked to go in there,” Sutton continues. “But now it is the norm that the CISO is expected to come in and report on a fairly regular basis. That’s because it’s not the CISO alone that has to be held accountable: it’s the company, and the entire executive staff.”

Changes in the threat surface – particularly with what Sutton calls the “watershed moment” of the Mirai Internet of Things (IoT) compromise raising the spectre of business interruption – have been compounded by looming changes such as the introduction of breach notification laws, and the Australian Signals Directorate’s overhaul of security best-practice recommendations.

Such changes are likely to further elevate the CISO’s visibility within the company – and their accountability as well. A recent Trustwave-Osterman Research study of security practitioners, Money, Minds and the Masses, noted that two-thirds of organisations consider it to be a “fireable” offense if the company suffers a large fine or penalty due to failure to meet regulatory compliance requirements.

Yet managing security by compliance is not the answer either, warns SecureWorks in its latest Cybersecurity Threat Insights Report for Leaders. The company’s security consultants have spoken with security teams at financial institutions, for example, where as much as 40 percent of security staff time is being spent on compliance initiatives instead of on security initiatives.

“Organisations believe that the choice is between compliance and security, with compliance often winning out because revenue could be at risk,” the report’s authors note. “The irony is that a strong emphasis on security will consequently address most compliance aspects, while taking a compliance-first approach often leads to gaps and vulnerabilities as security teams are distracted from managing genuine threats and risks.”

Conveying this duality to the company executive will be one of many challenges facing CSOs this year. With CSOs’ heads on the chopping block, thriving in the emerging threat landscape depends on building and maintaining open channels of communication with boards and employees alike.

“I personally invest a ton of time in making sure that we’re worthy of trust and can continue to build and earn trust,” Geoff Belknap, CSO with enterprise-messaging provider Slack, told CSO Australia.

“We have focused on taking away the fear and making sure people understand that it’s not Security’s job to get them fired, and it’s not compliance’s job to get them in trouble with the boss. It’s our job to be a resource for the rest of the organisation to enable them to do what they do in a secure way.”

Just what it takes to be ‘secure’ remains highly subjective, however. As rapidly changing populations of endpoint devices challenge conventional access-control methods, some companies are shifting their focus to protecting data rather than trying to stop every possible breach of the endpoint.

Creating that culture has driven some significant changes at CSR, where security and architecture manager Dave Edge has been revisiting security architecture and culture as the company moves towards a greater commitment to cloud services.

“It’s quite a challenge to enforce [access controls] consistently across every device type,” Edge says, noting the company’s efforts to use policy controls to manage a growing number of mobile and tablet devices across the workforce. “We basically decided to abandon efforts to try to police traffic on all devices. Our strategic direction is around transformation and bimodal IT – and you’ve got to be open to new ways of working.”

This presents a significant imperative for CSOs, who may find themselves working as closely with business units – which can guide the classification of data by importance and relevance – as they do with the technology teams responsible for day-to-day device management.

In maintaining these relationships, Belknap says, it’s important not to get “bogged down” in discussions about theoretical threats – and, instead, to focus on the organisation’s particular risk exposure.

“Sometimes the message is lost for all the noise,” he explains, “and we miss out on the bigger picture. We can miss out on training things like security awareness training, building stronger diligence, vendor monitoring programs, or turning on 2-factor authentication. The key is doing simple things to derisk themselves, and being aggressive with building a strong security culture.”

That part of the job can be difficult for CSOs, who are by necessity both operationally and strategically focused. They’ll often need to enlist the help of security advocates within business units, who can support the broader vision – and help compensate for ongoing challenges in recruiting additional security-skilled people.

Indeed, even as reporting and compliance requirements continue to escalate, CSOs this year face a steady accumulation of challenges stemming from limited cybersecurity resources.

This was reflected in the Trustwave-Osterman study, in which over 60 percent of respondents said half or fewer of their security staff had the specialised skills needed to address complex security issues. This deficiency was particularly felt in dealing with emerging and evolving threats, in which 40 percent of respondents said their in-house skills were inadequate.

Respondents rated finding skilled staff for these and other functions as much harder than retaining or training them – and, the report warned, “the talent shortage could render organizations substantially more vulnerable to threats, particularly new and innovative ones, unless the status quo changes”.

Changing the status quo may prove harder than it sounds, despite the growing engagement of CSOs with the board and senior executives. Fewer than 30 percent of security practitioners felt “fully supported” by the senior managers in their company, often due to challenges around budget – particularly around chronically low funding for crucial areas requiring high security capability, such as security testing and incident response.

In many ways, then, the challenges facing CSOs today are the same as those they’ve been dealing with for years. But with added pressure from outside bodies and cybercriminals nipping at their heels, successfully navigating myriad competing pressures will remain a key trait of successful CSOs long into the future.