The CSO's new seat at the executive table and how to use it [Q&A]
With the changes to working patterns brought about by the pandemic and increasing levels of cyberattacks, the role of the Chief Security Officer (CSO) in businesses has become more challenging.
The same pressures have also raised the status of CSOs within their organizations. We spoke to Chaim Mazal, CISO and SVP of engineering for Apple device management platform Kandji, to find out more about how things have changed and how CSOs can make the most of their new influence to drive security strategy.
BN: How have the pandemic and the hybrid workforce influenced security, both from the standpoint of attackers and from a company's leadership perspective?
CM: This past year has been record-breaking in terms of the number of data compromises, data breaches, and fraud -- and 2022 is continuing on this same trajectory. Phishing attacks have soared 220 percent and the Federal Trade Commission reports that fraud has increased 83 percent since remote work became the norm. Internet traffic has literally doubled, and new phishing, spoofing, hacking, and fraud attempts emerged. US businesses suffered a 17 percent increase in data breaches since 2020.
The result? The chief security officer (CSO) has become more influential at the C-level table within modern day organizations. As the top security executive within an organization, the CSO is responsible for IT and corporate security as well as the safety and security of company data and assets. He or she also works to prevent data breaches, phishing, and malware by implementing robust safety protocols. The CSO is also tasked with communicating a company's security status, needs, and challenges to management. CSO input is critical for communicating security risks to leadership -- and even presenting to the board. If risks and vulnerabilities are not properly demonstrated to the board, these risks can't be prioritized at an organizational level -- and that puts the entire organization in danger.
Our current environment of heightened risk, ever-increasing fraud, and constant alerts underscores the importance of security teams. CSOs are taking their rightful place at the executive table to help organizations navigate potential security threats with clarity, understanding, and perspective.
BN: Now that CSOs have a seat at the executive table, how should they drive their security strategy?
CM: In the past, the security professional has been viewed as someone slowing the product delivery process, even a hindrance to productivity. The CSO needs to change this perspective by communicating that their overall mission is to enable business success. They should be viewed as any other C-level executive within the organization. They can also bring balance to the conversations being had and decisions being made. Securing the organization is crucial, but security protocols can come into direct conflict with another department’s deliverable or project.
The CSO can provide the right security-related guidance and background to help leaders make more strategic business decisions. The CSO should be willing to say, "We all know how important this product rollout is but we're going to need to pause the release of this piece of software. It poses too much risk to the organization." Just as the success of the business is everyone's responsibility, so is security. All employees should be invested in supporting, maintaining, and respecting security practices.
BN: How can the CSO work more closely with the C-suite to boost overall security within the organization?
CM: Identifying, prioritizing, and communicating threats are only part of the CSO's role. They must mitigate and address risks in real time while helping the business achieve larger goals. They should work toward tangible, positive outcomes despite the risk that's been identified. After identifying the threat, the CSO should find a clear roadmap past the risk while ensuring that potentially affected business units are secure.
This ability to see security issues through an additional 'business' lens can help the CSO be viewed as a business enabler rather than a barrier to progress. Over time, the CSO will be better understood and appreciated by C-level peers as someone who does his job while also speaking 'the language of the business'. This is the key to long-term success for the CSO -- at the executive table and beyond.
BN: What is some of the guidance a CSO can, and should, offer an organization?
CM: The CSO should be able to actively communicate the technical specifics of security risks in a language that a business leader can receive. This can be done with the help of a standardized framework, which can help illustrate security vulnerabilities and how they could potentially impact the organization. A risk register identifies a threat, outlines the probability it will affect the organization, and also presents the overall potential impact. The CSO should maintain and socialize this risk register at the executive level -- and at the board level. They should be able to prioritize identified risks and participate in discussions about the budget needed to resolve high-priority issues in a timely manner.
The risk register should be broken down into specific sections that align with various business units and different stakeholders -- infrastructure, web applications, internal systems, physical security, etc. When you outline the direct consequences of a particular risk and which business units are affected, you open the dialogue with different stakeholders. You also convey how security touches every part of the business.
BN: How can an organization better align IT with security goals and initiatives and what role does the CSO play?
CM: As enterprises evolve and grow, CSOs are now charged with aligning security concerns to mirror that growth. It's not enough for a CSO to be a technical expert. Now leaders in this role must have the necessary business acumen and experience to have higher-level conversations with their boards and executive teams and be seen as trusted core executives of the business. These business-focused conversations correlate to the ongoing shift from cybersecurity as a back-office function to cybersecurity as a strategic leader. The key task for the CSO role is taking their structured, tried-and-true foundational controls, which are policy driven, measured, and audited, and aligning them with higher-level business strategy, goals, and objectives.
And communication is critical. IT and security teams need to understand what they are both trying to accomplish, and why it's important to the organization. It's important for them to build relationships with each other, and the CSO is an important conduit between the two teams. CSOs are taking their rightful place at the executive table to help organizations as a whole, as well as separate IT and security teams, navigate potential threats with clarity, understanding, and perspective.