The changing role of the CISO [Q&A]
Digital transformation, a shift to hybrid and remote working, and increasing regulatory pressure have seen major changes to the enterprise IT landscape in recent years.
CISOs have been at the heart of this, facing new challenges and taking on additional responsibilities. We spoke to Ben Smith, field CTO of NetWitness, to discuss these changes and find out what makes a good, or bad, CISO.
BN: Do you consider the Chief Information Security Officer (CISO) role to be fully mature today?
BS: No, I do not. The first CISO arrived on the scene more than twenty-five years ago, so it would be an easy assumption that the role has had plenty of time to marinate and mature! But no, I don't believe that the way we define CISOs, how we leverage those CISOs within our organizations, is fully mature yet.
We see this immaturity present as unanswered questions in many organizations. Should the CISO report into the CIO, or the CEO, or perhaps even directly to the board? Is the CISO getting any airtime during regularly scheduled board meetings, and not just when there is an internal incident being remediated? Who owns the cybersecurity risk within the organization, the CISO or the business?
My favorite starter question to pose to a new CISO is, "As an executive leader, what is your primary responsibility here?" At that executive level, while there are many possible technical and non-technical answers to this question, an especially promising answer is one that sounds like, "Ensure that my organization hits its financial goals or other key objectives" -- this is someone who is taking the bigger picture approach. Every C-level executive, not just the CISO, should be focused first on how to keep the organization moving forward as a sustainable entity, and only from there start mapping specific roles and responsibilities towards that overriding goal.
Lots of room for improvement, but there has already been great progress over that quarter-century. And I believe that a typical day for a CISO just five years from now may look different in new ways.
BN: What are some major new challenges CISOs are facing?
BS: It's become clear that adversaries love to exploit third-party relationships to get in the back door, whether the target is your company, or (perhaps even more seriously) your own downstream customers. Organizations chronically struggle with getting the right amount of visibility into their operating environments, one of the many tasks on the plate of most CISOs. Do you think it's easier or harder to get that same visibility into your organization's third parties? It can be almost impossible, but that doesn't absolve the CISO from innovating to find some sort of compromise on this third-party visibility point. It might be technical, it might be contractual, or both.
And those adversaries sometimes dwarf the size of any CISO's security operations center (SOC), even those found within the best-funded world-class organizations. When nation-states attack companies, it is never a fair fight. Cyberwarfare will increasingly spill over into the corporate world -- recall that the NotPetya attack was initially targeted at a single country, but very quickly spun out of control and inflicted what was almost certainly unintended collateral damage through subsequent infections of many organizations across the globe. Today's CISO will continue to be challenged to prepare their organizations for this kind of cyberwarfare spillover -- trying to 'protect' or 'prevent' these types of attacks is largely fruitless. A more productive way to think about the path forward on this point is 'resilience'.
The privacy-centric regulatory wave which most recently ignited with GDPR will continue to spread. While the CISO may not be responsible as a data processor, data custodian or data owner -- tracking and monitoring these key roles at the company may be the job of a company’s risk management function -- the CISO will still be intimately involved in how best to implement data privacy architectures which meet both the letter and the spirit of today’s and tomorrow’s privacy regulations. This one will only get harder over time.
BN: Some people have questioned the need for a CISO. Why is this role still relevant?
BS: I would very much like to meet this surveyed group who don't believe the CISO role is relevant today! Perhaps they are in organizations that don't yet have a single designated executive responsible for information security and risk management?
Or -- let me be more charitable here -- perhaps they acknowledge the need, but they disagree on exactly how to structure a dedicated role in support of this goal. One way to get there is to outsource some of this responsibility. Fractional or virtual CISOs have been around for some time, and this can be a cost-effective way to augment your extended team with an expert, even one only dedicated to your organization on a part-time basis, someone who is focused on improving your security and risk management posture. If you're comfortable with (and/or limited to) this outsourcing model, consider combining that with an MSSP who can help you triage alerts and help you direct your team to put out the right fires in the right amount of time.
Whether taking the route of a full-time or part-time CISO, consolidating these security functions into a single individual or a small team is useful from both an architectural and a procurement perspective. You don't want to be at the mercy of the vendor community whose revenue-generating priorities may attempt to steamroll your own internal architectural plans -- if you have a model architecture in place, something that enables your business for both today and tomorrow, this will make it much easier to manage your vendors, and to easily turn away those who simply don’t have a place in your model. And as a bonus, this will make the lives of your own procurement team easier as well, by focusing their time and attention on those vendors (and more accurately, the technologies they bring to your environment) whom you have already vetted.
BN: Is it necessary for today's CISO to be a technology specialist?
BS: It's a nice-to-have, but no, it's not required. The fastest way to fail as a CISO is to put all of your eggs into the, "I am the most technically-focused security expert here" basket. Good managers at any level realize that the best way to push the organization forward is to hire people who are smarter than they are, people who bring different and diverse skills and backgrounds to the team. This isn’t advice just for the CISO, it’s good advice for anyone in any C-level role.
That's not to say that a business-minded CISO won't be an even stronger performer if they also happen to bring a solid technical foundation. You need both, but one is far more important than the other at the executive level. If I have two CISO candidates who otherwise are very similar to one another, and one candidate is 100 percent technically-focused and the other candidate is 100 percent business-focused, I will always lean towards the latter candidate.
This wraps us all the way back to where we started this conversation -- it's a great example of how the CISO role is still being defined. We still can't decide as an industry if we want the CISO to be technically- or business-focused. Organizations who realize that hiring a CISO is ultimately about bringing an executive on-board, versus a hands-on technology manager or director, will succeed in the long-term.