How the role of CISO is evolving [Q&A]

The overall threat landscape facing organizations is expanding, yet many of the threats, such as phishing, remain the old favorites. What's more, AI is making them more effective by eliminating many of the old tell-tale signs.

With the evolving challenges and risks facing them, how can CISOs effectively network internally and externally to gather the support of the broader team and build an appropriate security posture? We spoke to Robin Bell, CISO at Egress, to find out.

BN: What are the threats that organizations are vulnerable to today?

RB: Ultimately, it's people that are organizations' greatest risk. The vast majority of employees are not maliciously motivated -- but everyone makes mistakes, especially when we're stressed or tired, and people also take 'calculated risks' to get their jobs done, such as downloading new applications.

People are also most at risk when using email. Verizon's 2024 Data Breach Investigations Report revealed that, on average, it only takes 21 seconds for a recipient to click a phishing hyperlink in a malicious email and a further 29 seconds to enter their credentials into a phishing website.

Let that sink in. It can take less than a minute for a successful cybercriminal to breach an organization. Once inside, a cybercriminal may be able to move laterally to access different systems and data, as well as use a compromised email address to send further phishing attacks within the supply chain.

GenAI makes it far easier to create well-written and highly convincing phishing attacks, as well as visual and audio deepfakes. We're starting to see the signs of this: higher volume of increasingly sophisticated attacks, and this is only going to get worse. Additionally, AI can be used to gather information about potential targets -- a task that would have previously taken hours, maybe even days, can be accomplished in just a few minutes -- as well as automate entire email exchanges.

BN: How can CISOs manage third-party supply chain risks?

RB: Ideally, you only want to partner with organizations that prioritize security in the same way as you do. This means establishing a third-party vendor risk management program that has clear policies and processes to guide you, and that includes comprehensive vendor risk assessments that allow you to understand each supplier's security posture. Once you’ve mapped any risks, you can then make sure you're taking the appropriate steps to mitigate them. There are several international frameworks (such as ISO and NIST) that can help with this.

Beyond legal obligations, you need to decide which security standards you want to project onto your suppliers. For example, some outdated technologies might enable a supplier to tick a compliance box, but they might not be sufficient to face today’s threats.

You also need to make sure your organization can detect any incoming attacks should one of your suppliers be breached. The 2024 Email Security Risk Report showed that half (51 percent) of organizations have fallen victim to phishing attacks sent from compromised supply chain accounts, so you need to make sure you have technology in place that can detect attacks sent from legitimate accounts that can get through traditional authentication checks. In addition to technology, it's important to implement robust internal processes, such as for payments to suppliers, and regularly train employees to maintain awareness of the risks that can emerge from the supply chain.
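The last point above, that a message from a compromised supplier account passes SPF, DKIM and DMARC because it genuinely comes from the supplier's mail system, is worth seeing in code. The following is an added example, not Egress's product or anything from the interview: it parses three constructed sample messages (a normal supplier invoice, the same supplier account after compromise, and a plain spoof) and layers context checks on top of the authentication verdict. The supplier domain, the sample headers and the heuristic patterns are all assumptions chosen for the illustration.

```python
"""Layered check for phishing sent from an authenticated supplier account.

SPF/DKIM/DMARC prove where a message came from, not who wrote it. When the
supplier's own mailbox is compromised every check passes, so the verdict
below also looks at reply-to mismatches, link domains, payment-change
language and urgency. Sample data is constructed for this example.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed allow-list of supplier domains we have onboarded (hypothetical).
KNOWN_SUPPLIERS = {"acme-parts.example"}

LEGIT_MSG = b"""From: "Acme Parts AP" <ap@acme-parts.example>
To: finance@victim.example
Subject: Invoice 4471 attached
Authentication-Results: mx.victim.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Hi, please find invoice 4471 attached. Our remittance details are unchanged.
https://portal.acme-parts.example/invoices/4471
"""

# Same legitimate account, now under attacker control: authentication still passes.
COMPROMISED_MSG = b"""From: "Acme Parts AP" <ap@acme-parts.example>
Reply-To: ap.acme-parts@mail-relay.example
To: finance@victim.example
Subject: URGENT: updated bank details for invoice 4471
Authentication-Results: mx.victim.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

We have changed our bank account. Please update the remittance details
before the payment run today: https://acme-parts-secure.example/update
"""

# Plain spoof of the supplier domain: DMARC catches this one on its own.
SPOOFED_MSG = b"""From: "Acme Parts AP" <ap@acme-parts.example>
To: finance@victim.example
Subject: Invoice 4471
Authentication-Results: mx.victim.example; spf=fail; dkim=none; dmarc=fail
Content-Type: text/plain

Please pay invoice 4471 here: https://acme-parts-secure.example/pay
"""

LINK_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
PAYMENT_RE = re.compile(r"\b(bank (account|details)|remittance|wire|iban)\b", re.I)
CHANGE_RE = re.compile(r"\b(change|changed|update|updated|new)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|today|immediately|before the payment run)\b", re.I)


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_passed(msg):
    """True only when SPF, DKIM and DMARC all report pass."""
    results = str(msg.get("Authentication-Results", ""))
    return all(f"{mech}=pass" in results for mech in ("spf", "dkim", "dmarc"))


def same_org(link_domain, sender_domain):
    """Exact match or a subdomain; a plain endswith() would accept evil-acme-parts.example."""
    return link_domain == sender_domain or link_domain.endswith("." + sender_domain)


def assess(raw: bytes) -> dict:
    """Combine the authentication verdict with context signals into one decision."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = domain_of(msg.get("From"))
    reply_to = domain_of(msg.get("Reply-To")) if msg.get("Reply-To") else sender
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    text = str(msg.get("Subject", "")) + " " + body

    reasons = []
    if reply_to != sender:
        reasons.append(f"reply-to domain {reply_to} differs from sender {sender}")
    foreign = sorted({d.lower() for d in LINK_RE.findall(body) if not same_org(d.lower(), sender)})
    if foreign:
        reasons.append(f"links to domains outside the sender's: {foreign}")
    if PAYMENT_RE.search(body) and CHANGE_RE.search(body):
        reasons.append("asks for a change to payment details")
    if URGENCY_RE.search(text):
        reasons.append("urgency pressure")

    authenticated = auth_passed(msg)
    if not authenticated:
        verdict = "quarantine"          # spoof: authentication alone is enough
    elif reasons:
        verdict = "hold for review"     # real account, suspicious content
    else:
        verdict = "deliver"
    return {"authenticated": authenticated, "known_supplier": sender in KNOWN_SUPPLIERS,
            "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MSG), ("compromised", COMPROMISED_MSG), ("spoofed", SPOOFED_MSG)):
        print(name, assess(raw))
```

The compromised message is the one that matters for this section: it is authenticated and from a known supplier, yet the reply-to redirect, the off-domain link, the bank-detail change and the urgency together push it to "hold for review". In practice those holds feed the out-of-band payment verification process mentioned above rather than replacing it.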

BN: What are some of the best practices to adopt to fight these risks?

RB: The best advice I can give is to start with building partnerships throughout the business. If employees in your own organization understand why you need a robust process to onboard suppliers or the risk that could be associated with downloading new software, then they'll be willing to go on the journey with you. Security is everyone's responsibility -- but our colleagues also have other goals to hit, which we can enable them to do securely.

This can start from day one, with Security playing a role in inductions for new employees. Then use a mix of internal communication mechanisms to regularly update the organization, including All Hands meetings, chat, email, and your intranet.

As mentioned previously, you then need to ensure you have a program in place -- built using internal standards -- to assess suppliers, uncover and address risks, and ensure your security priorities are being upheld by those you partner with.

BN: Why is it important to integrate cybersecurity into the ethos of the enterprise?

RB: Cybersecurity is non-negotiable. You can't expect to operate successfully -- or for very long! -- if you don't have the appropriate measures in place.

That means cybersecurity is central to facilitating every organization’s mission and, as such, the security ethos must extend across every department and team. This goes back to partnering with the wider business, helping them to do their work effectively and securely. You need to take people on the journey with you: yes, you may be enforcing a certain policy, but you can engage colleagues to help them understand why.

Regular and transparent communication is key and it's incredibly important not to stray into fear mongering and blame. People need to understand that there are consequences for their actions, but your team also needs to be approachable and human. When something goes wrong, you want a colleague to reach out immediately so you can help to fix the issue as quickly as possible. Cultures built out of fear lead to subversive behaviors where people can be slow to report potential incidents.

BN: How do we tackle the risk of burnout among cybersecurity teams?

RB: First, recognize that burnout is a real and significant issue. Most cybersecurity teams are under-resourced, and this isn't a nine-to-five job to begin with! Obviously, global organizations work around the clock, but with employees working outside of core hours, including accessing email and other work applications on mobile devices, incidents will occur in 'non-business' hours.

While cybersecurity isn't a linear job -- incidents can and will crop up unexpectedly -- you need to be clear on your team's priorities to help them to focus. Your team needs to know you're there to support them and, to do this, you need to stay connected with them so you can regularly assess morale and stress levels. Outside of emergency incidents, promote a healthy work-life balance -- and lead by example in this!

Where possible, cross-train your team so you can rotate any high-stress roles, such as incident response, and build wider resilience so you’re not overly dependent on a single key player. It's important to support your team’s wider professional development and growth, including time away from the office at industry conferences and training.

Finally -- but one of the most important points -- make sure you actively recognize and reward their contributions to the team and the wider organization.

All of this will help to foster a positive team culture, which not only helps combat burnout but also makes it possible for people to openly ask for help if they need it.

Image credit: Kiosea39/Dreamstime.com

© 1998-2025 BetaNews, Inc. All Rights Reserved.