The Ever-Changing Role of the Chief Information Security Officer

Joe Carson, Head of Global Strategic Alliances, Thycotic

In recent years, the responsibility of the Chief Information Security Officer (CISO) became much more complicated and important than ever before.

Let’s face it. No matter what location, company or industry the CISO works in or for, the company and information they protect are going to be a target for attackers either for financial fraud or espionage.

The CISO role has been one of the most difficult positions for organizations to fill and comes with huge responsibilities. The past year has been especially busy for cyber criminals. Public reports indicate more than 500 data breaches and more than 500+ million records exposed in 2015. This includes the disclosure of 21 million U.S. Office of Personnel Management records, 70 million medical records at Anthem and 37 million user details at Ashley Madison. If the CISO works in the entertainment, financial, healthcare, information, public or retail industry, they are more likely to have the toughest job.

With greater connectivity, the emergence of the Internet of Things (IoT), the disappearing perimeter, ever-growing malware and disruptive ransomware as well as more employees using social media, it was not unexpected to see these as the biggest increase in threats that the CISO has to deal with. As time goes on, the problem is getting bigger each year.

The CISO must also deal with the ever-growing number of devices in the workplace. Recent reports indicating that the target for attackers has shifted from perimeter servers/services to end user devices and the end user identities. This is why the perimeter is no longer a clear line as devices and people move in and out of the perimeter so does the attacker who has compromised the end users device or identity.

Once the end user device and/or identity have been compromised, it literally takes minutes for the target company to be breached. In the underground hacking community, news travel fast. Before the CISO knows it, rather than dealing with one breach, things can cascade very quickly with multiple attackers concurrently.

Unfortunately, the bad news for the CISO does not end here the time to compromise and discover just got worse with it taking days or less for 84% of breaches and the dwell time getting much worse with it already being an average of 205 day before you detect the breach which in almost every breach it is already too late and the damage has been done, the question is how bad is it. So the CISO better have a very good disaster recovery plan or backup process in place.

It is more likely that the CEO is going to hear about the breach from law enforcement, fraud detection in transaction processing companies, 3rd party companies or Ethical Hackers before they find it out for themselves. Obviously, this is not a great situation for the CISO to be in.

Another major challenge for the CISO is the ever-growing “Apps”, the number of end user devices has exploded and with app stores everywhere and apps for almost anything and everything it was not unexpected to see CVE’s growing each year so where does the CISO start with patch management and software updates?

More bad news is that the employees this year have not learned from last year, the CISO now has to deal with more employees clicking on phishing email attachments and opening phishing emails, according to the Verizon Data Breach Incident report (DBIR), this is up from 11% in 2014 to 13% in 2015 for clicking, and up from 23% in 2014 to 30% in 2015 for opening.

Another major concern for the CISO is how to protect employee’s credentials and privileged accounts. According to the Verizon DBIR 63% of the breaches was a result from weak or stolen credentials, which allow an attacker to use those credentials and act as a trusted user to perform malicious activity or financial crime.

As we can see, the CISO has one tough job and responsibility to deal with. Yes, the board is aware of the cyber security discussion, and once in a while they bring it up in the board room, but now is the time to move from discussions to actions. We need to give the CISO the ability to protect the organization from these ever-growing threats.

How Can the CISO Contribute to the Business?

The problem and challenge in the past is that it is difficult to measure cyber security risk for many organizations. This has put the CISO in a tough situation as to how they can show business value when it is not easy to measure. In the past, the metrics where not clear and it was about keeping the existing security controls working, making continuous improvements where possible and helping put security on technologies which the business already adopted and are using. But, at the same time, security has always been an afterthought and sometimes it was simply not possible to keep the same high level when security and privacy was not implemented by design. This means increased risk, making the CISO’s already tough job even more challenging.

This has to change, and it is going to change. Especially with new regulations that come with harsh financial penalties if adequate security is not in place and forces many organizations to adopt cyber insurance to offset the risk of those hefty penalties. Those cyber insurance policies will mean you will need to measure the risk.

Key metrics are going to be vital for the CISO to help company’s identity the ever-dynamic risk measure. When we can clearly measure risk, where risk is being reduced and where it increases will help the CISO provide hugely valuable metrics back to the business to determine what mitigation controls should or should not be put in place. This will help companies adopt new technologies much quicker and more efficient than ever before as when it can be measured the risk decision can be made.

What Can the CISO do the Make a Major Difference?

It’s clear that the challenge is huge and the responsibility on the CISO shoulders is a massive weight. However, there is a way forward.

If we step back from all of these and we accept that the perimeter is evolving, data is flowing more frequently and growing at rates never expected. One thing in all of this is common and that is the Identities and Privileges, which enables employees to get their work done and enables attackers to use those identities and credentials to perform malicious or financial crime as a trusted user. The new security perimeter is with the Identities and Privileges to which as we have discussed is used in many of the breaches, it the target for attackers, enables malware and ransomware to perform disruptive actions and data poisoning. If these are well protected then this makes the CISO’s job much easier and makes the attacker’s job more difficult.

Good Identity and Access Management with a strong Privilege Account Management can help the CISO put a new perimeter in place that helps the business continue to be secure and enable organizations to grow without network boundaries. It will also enable more adoption of cloud technologies and services as well as the embracing of IoT knowing that the security controls on the Identities and Access makes it more difficult for an attacker to breach a company.

About the Author

Joe Carson is a cyber security professional with more than 20 years’ experience in enterprise security & infrastructure. Currently, Carson is the Head of Global Strategic Alliances at Thycotic. He is an active member of the cyber security community and a Certified Information Systems Security Professional (CISSP).

Join the CSO newsletter!

Error: Please check your email address.

Tags ThycoticbreachThe Internet of Things (IoT)CEOcyber criminalsapplication securityCISOGlobal Strategic Alliance

More about ThycoticVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Joe Carson

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts