Cybersecurity and the art of persuasion [Q&A]
Despite the introduction of systems based on AI and other technologies, cybersecurity remains an ultimately human problem.
It's not just a problem for IT teams either, to keep the enterprise safe security needs to be taken seriously throughout the organisation. It's the role of the CISO to ensure this but it can be a challenge to implement.
So, what does a CISO's role involve in the modern world? And how can they have influence across the business? We spoke to James Nelson, VP of InfoSec at Illumio, to find out.
BN: What does it take to be a CISO, is it about skills or personality?
JN: The initial perception of the CISO is that they stop breaches using technology, and although that’s part of the job, there's a lot more to the position. A CISO’s role can cover a huge number of areas, differing from company to company depending on specific needs. Their scope might include governance and compliance, privacy, product security, and even physical security.
This means being a CISO does require a certain depth and breadth of knowledge across many areas of security. However, because CISOs are also responsible for bridging the gap between technology and people, they need to be expert communicators too. Helping a non-technical business leader understand why the organization needs to make a complex, technical decision enables that leader to be a security advocate on behalf of the CISO. This is about striking the right balance between technical skills and inter-personal skills to expertly collaborate with others and adapt to change. I like to say a good CISO helps the business make expert security decisions without themselves being security experts.
BN: Are the 'soft skills' harder to master?
JN: Earlier, I noted that CISOs are expected to stop breaches and, while this is undeniably their goal, they can’t do that singlehandedly, everyone at the company must play their part. This can mean changing deeply ingrained behaviors, especially if they present a strong security risk to the organization. Implementing any change to achieve shared business and security goals takes patience and empathy, as well as willingness to collaborate.
For the CISO, cultivating a security mindset within an organization that enables agility and growth is often a difficult skill to master, as no matter how much expert knowledge a person has, if they cannot communicate in a compelling way the needed change and the reason behind the change to employees, their security program simply will not work.
BN: Why are humans still the weakest link in the security chain?
JN: Phishing, BEC scams, and other social engineering attacks work because humans have, and will continue to have, both access and agency. People need access to data to do their jobs, and making decisions is often part of someone’s role. Security tools can be a huge help in thwarting attacks, but no amount of technology can help if a bad actor can trick someone into using that access for their own purposes. That's why CISOs should build programs that foster secure behaviors, but that are also resilient in the face of successful attacks.
BN: How important is it to educate and support staff across the organization when it comes to cybersecurity?
JN: A strong security awareness, training, and education program is just as crucial as great technical solutions in securing an organization. And although providing guidance and instructions on, say, how to spot a phish is an important step, what you're really after is informed decision-making, not just the application of rote knowledge. For example, having employees roleplay the part of an attacker in workshops can help them spot tactics that work well against themselves and across the organization.
It's difficult to obtain meaningful measurements of the impact of a security awareness program. One common technique is to run phishing simulations across the enterprise. There are two potential issues with this approach: The tests can be viewed negatively by employees, and they are not good indicators of how successful a multi-stage phishing attack might be, for example, through a CEO scam. Thoughtful interviews with employees can give a much better picture of the program’s impact, while generating goodwill for the security team.
BN: What is the value of persuasion in getting across the importance of cybersecurity?
JN: No security program is successful in isolation from the business, and a CISO musters stakeholders at all levels -- the board, executive leadership, and all employees -- to help strike the right balance of business speed and security. We have established that people are fundamental to the success of a security program, so leveraging their influence and relationships must be a primary focus of any CISO.
The CISO has the challenging task of convincing every stakeholder in the company to invest – financially and personally – in a united approach to cybersecurity. Sometimes though, what the business wants isn't always what will keep it secure, so it is crucial that the CISO can communicate their priorities in a way that simultaneously shows support for the business.
CISOs must also take the time to educate their stakeholders about the organization’s security priorities and demystify the buzzwords we like to use. Zero Trust is a good example of this, because while it sounds new and innovative, the concept has been around for decades. It's common sense, not magic, but in some cases can be misunderstood. Our research found that nearly a third of UK security leaders surveyed fear that their employees will think their company doesn't trust them if they implement a Zero Trust strategy. Making security concepts relatable can help build trust and persuade stakeholders to buy-in to a CISO’s vision.
BN: How do you see the CISO role evolving in the next few years?
JN: We've come a long way from making the CISO a scapegoat for every incident, but there still can be an expectation that the CISO can prevent all breaches, and they can be blamed when things go wrong. I hope we can make more progress on this front. Part of that will be educating the hiring managers for CISOs on what the role means and how success should be measured, which can produce better outcomes for organizations and CISOs alike. We might also see a push for a better professional definition across the industry of the CISO's role and scope. However, in the end there is no substitute for an organization recognizing that an effective security leader is a critical part of their success.
Image credit: fizkes/depositphotos.com