The changing role of the CISO [Q&A]
The IT infrastructure of a modern enterprise is made up of a complex architecture of dynamic networks, cloud deployments, software applications, and endpoint devices.
Each of these has its own set of security controls, which form a critical part of the technology ecosystem, but managing these systems can hinder efficient threat detection and response, which in turn compromises visibility, allowing vulnerabilities and gaps to flourish.
This means CISOs constantly have to adapt in order to stay on top of things. We spoke to Guy Bejerano, co-founder and CEO of breach and attack simulation company SafeBreach, to find out how the CISO role is changing.
BN: How has the ever-expanding threat landscape changed the CISO role?
GB: The ever-expanding threat landscape has placed immense challenges and demands on security leaders like CISOs to provide necessary levels of security without stifling business growth. In response, many have been given the budget to invest in layers upon layers of protection, while facing the stark reality that simply buying more and more security tools over time doesn't equate to greater security -- it just creates greater complexity. They end up with siloed solutions that lack reliable, accessible data that helps them understand their security posture and drive a proactive security program, strategy, and budget. As a result, they are only able to respond reactively to the high security demands of their organizations. And even worse, they are unable to correlate that security spend to actual reduced risk.
This environment calls on CISOs to understand their organization's key business drivers and become more aligned with the business strategy than ever before. CISOs need access to empirical data they can use to present in the boardroom, inform decisions, and drive strategy. This was one of my greatest frustrations as a CISO and the driving force behind the creation of SafeBreach. I partnered with Itzik Kotler, a fellow red-teamer and seasoned hacker, and we began work on our own breach and attack simulation (BAS) solution that would better enable security leaders to understand risk, drive informed strategies, and make smarter technology and operational decisions.
BN: With a recession likely and budgets stretched thin, how can an organization optimize its security posture without investing in more security controls?
GB: This period of economic uncertainty is forcing organizations, big and small, to carefully reexamine their investments, including technology expenditures like cybersecurity. Organizations need to make sure they are making the right investments, aren't overspending, and are making the most of what they have.
That being said, it's a common misconception that if an organization has the latest and the greatest technology stack, they can withstand the latest and most advanced attacks. While that may be true theoretically, most companies struggle to fully use the basic features of their security controls, let alone take full advantage of the advanced capabilities these controls purport to have. So, during these times, it's important for organizations to ask themselves a few questions before investing in new security controls:
- Are we using our current controls to their full potential?
- Do we have any overlaps or redundant controls?
- Are there any gaps that our existing controls can't address?
- Can we prove we really have those gaps?
- Are we defending against the right threats to the business?
- Will our security operations center (SOC) detect and respond to the right threats in a timely manner?
- Have we gotten a real ROI from our past security investments?
Organizations can get clear answers to these questions by using breach and attack simulation (BAS) technology. BAS platforms safely execute breach scenarios across the entire cyber kill chain to test the effectiveness of all layers of an organization's security stack independently and provide visibility into how their ecosystem responds at each stage of the defense process.
From a tactical perspective, this allows organizations to discover critical gaps, prioritize remediation activities, and fine-tune security control configurations so they are performing as expected. From a strategic perspective, it allows organizations to inform resourcing decisions, justify or secure additional budgets, and formulate long-term security plans that ensure strategic alignment.
BN: Many defensive security practitioners feel they are playing 'catch up' with the threat actors. How can they harness an offensive mindset?
GB: The reality is that 99 percent of attacks are known and have been for years. An enormous amount of information exists about the attack methods and vulnerabilities attackers have exploited in the past that can be used not only to ensure protection against known threats, but also to make educated predictions about future threats. While some details about the attacks may change (e.g. the payload), the majority of the TTPs will remain the same.
A key way for organizations to adopt an offensive mindset is to leverage this known information to proactively test their defenses and overall security posture. Breach and attack simulation (BAS) tools are designed to help organizations do that in a safe and systematic way. They provide a 'hacker's view' of an organization's security posture by employing the IOCs and TTPs of known threat actors to simulate attacks that provide contextualized results that can be used to proactively optimize security controls, prioritize remediation efforts, and mitigate critical gaps.
It's also important to offensively control the controllables. While we want to stop attackers from gaining access, it's not always a realistic goal. Instead, we must also focus on ensuring the right protections are in place so that -- in the event attackers do manage to find an exploit to infiltrate a system -- there's nowhere else for them to go. Attacks -- no matter how sophisticated -- aren't a single action, but rather a sequence of logical steps. Every organization has the opportunity to limit these steps by controlling choke points, so that even if some steps are successful, a hacker still isn't able to achieve their desired outcome. BAS also provides that insight, identifying how an attacker might move laterally or exfiltrate data after they have gained access to a network. This kind of visibility gives organizations the opportunity to take offensive steps to significantly minimize the possible damage of an attack. This is a competitive advantage that many organizations are not fully leveraging today.
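Two points in the interview lend themselves to a small worked model: a BAS platform reports, for each simulated step, how the security stack responded at that stage of the kill chain (the answer on tactical and strategic use of BAS), and an attack is a sequence of steps that a single blocked step, a choke point, can cut short (the answer above). The Python below is an added illustration written for this page, not SafeBreach's product or code. It assumes a simplified five-stage kill chain, three possible outcomes per step (blocked, detected, missed), and a handful of constructed scenarios with descriptive technique labels rather than any real catalogue identifiers. It computes per-stage coverage, where each chain was stopped, and a remediation ordering that puts missed steps on chains that ran end to end ahead of missed steps on chains that were stopped anyway.

```python
"""Scoring breach-and-attack-simulation (BAS) results per kill-chain stage.

Illustrative code added for this page; not SafeBreach's implementation.
A scenario is an ordered list of simulated steps, each recording what the
defensive stack did with it. The functions below summarise coverage per
stage, find the choke point (if any) that broke each chain, and rank the
missed steps that most need fixing.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

# Simplified kill chain in attack order (an assumption for this example).
KILL_CHAIN = ["initial_access", "execution", "persistence",
              "lateral_movement", "exfiltration"]


class Outcome(str, Enum):
    BLOCKED = "blocked"      # a control prevented the step from running
    DETECTED = "detected"    # the step ran, but an alert was raised
    MISSED = "missed"        # the step ran and no control reacted


@dataclass(frozen=True)
class StepResult:
    stage: str       # one of KILL_CHAIN
    technique: str   # constructed descriptive label, not a real catalogue ID
    outcome: Outcome


Scenario = List[StepResult]


def stop_stage(scenario: Scenario) -> Optional[str]:
    """Stage of the first BLOCKED step, i.e. the choke point that broke the
    chain; None means the simulated attacker reached the final step."""
    for step in scenario:
        if step.outcome is Outcome.BLOCKED:
            return step.stage
    return None


def stage_coverage(scenarios: List[Scenario]) -> Dict[str, Dict[str, int]]:
    """Outcome counts per kill-chain stage across all simulated steps."""
    coverage = {stage: Counter() for stage in KILL_CHAIN}
    for scenario in scenarios:
        for step in scenario:
            coverage[step.stage][step.outcome.value] += 1
    return {stage: dict(counts) for stage, counts in coverage.items()}


def prioritized_gaps(scenarios: List[Scenario]) -> List[dict]:
    """Missed steps ranked for remediation: first by how many end-to-end
    (unstopped) chains they sit on, then by how many chains overall, then by
    position in the kill chain (earlier steps enable more of the chain)."""
    on_unstopped: Counter = Counter()
    on_any: Counter = Counter()
    for scenario in scenarios:
        stopped = stop_stage(scenario) is not None
        for step in scenario:
            if step.outcome is not Outcome.MISSED:
                continue
            key = (step.stage, step.technique)
            on_any[key] += 1
            if not stopped:
                on_unstopped[key] += 1
    ranked = sorted(
        on_any,
        key=lambda k: (-on_unstopped[k], -on_any[k], KILL_CHAIN.index(k[0])),
    )
    return [{"stage": s, "technique": t,
             "unstopped_chains": on_unstopped[(s, t)],
             "total_chains": on_any[(s, t)]} for s, t in ranked]


# Constructed sample results for three simulated chains.
SAMPLE_SCENARIOS: List[Scenario] = [
    [   # chain 1: stopped at execution, later steps never ran
        StepResult("initial_access", "phishing-attachment", Outcome.DETECTED),
        StepResult("execution", "macro-launch", Outcome.BLOCKED),
    ],
    [   # chain 2: ran end to end, only persistence was noticed
        StepResult("initial_access", "valid-account-login", Outcome.MISSED),
        StepResult("execution", "script-interpreter", Outcome.MISSED),
        StepResult("persistence", "scheduled-task", Outcome.DETECTED),
        StepResult("lateral_movement", "remote-service", Outcome.MISSED),
        StepResult("exfiltration", "cloud-upload", Outcome.MISSED),
    ],
    [   # chain 3: stopped at the last step by an egress control
        StepResult("initial_access", "valid-account-login", Outcome.MISSED),
        StepResult("execution", "script-interpreter", Outcome.DETECTED),
        StepResult("persistence", "registry-autorun", Outcome.MISSED),
        StepResult("lateral_movement", "remote-service", Outcome.MISSED),
        StepResult("exfiltration", "dns-tunnel", Outcome.BLOCKED),
    ],
]

if __name__ == "__main__":
    for i, sc in enumerate(SAMPLE_SCENARIOS, 1):
        print(f"chain {i}: stopped at {stop_stage(sc)}")
    for stage, counts in stage_coverage(SAMPLE_SCENARIOS).items():
        print(f"{stage:18s} {counts}")
    for gap in prioritized_gaps(SAMPLE_SCENARIOS):
        print(gap)
```

The ordering rule is the point: a missed step on a chain that some other control stopped anyway is a detection gap worth closing, but a missed step on a chain that reached its objective is the one with no choke point behind it, so it comes first.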
BN: The CISO is a huge part of a business in 2022. How important is it that they have direct access to other departments and members of the C-suite?
GB: The current role of the CISO goes far beyond simply beefing up security measures -- successful CISOs must also strive to drive business growth and reduce obstacles that could disrupt that growth. To do this, the modern CISO must first become closely aligned with their organization's strategic goals, which comes from consistent and thoughtful interactions with other departments and members of the C-suite. Empowered with that strategic vision, CISOs are better able to identify the risk scenarios that would be most damaging to their business goals, reverse engineer those into the tactics an attacker would leverage, and identify critical gaps.
By engaging with the C-suite, CISOs also have the opportunity to create strategic alignment around an organization's security practice from the top down. This is accomplished by setting the language and process around what is being measured every day, month, and quarter, by finding clear ways to demonstrate progress in a way that the C-suite understands, and by communicating the value that a CISO brings beyond just adding peace of mind.
BN: What will the role of the CISO look like in another 10 years?
GB: The CISO is arguably the C-suite role that has changed the most over the last few decades -- and that rate of change shows no sign of slowing. Over the next 10 years, the attack surface will continue to increase as organizations become more connected and more cloud-based. That will drive security and CISOs to become an integral part of the business strategy, rather than an afterthought. It will also require CISOs to become more agile, business-oriented, and data-driven tech leaders. That may feel, at times, like mission impossible.