Cybersecurity garnered far more attention in executive boardrooms and among regulators and insurance underwriters during the last couple years, thanks to both an increasing volume of attacks and growing demand for digital transformation. With that, evidence shows, comes a far brighter spotlight on the role of the chief information security officer.
While technically part of the c-suite, CISOs historically received less attention within a company than your average CEO or chief financial officer. Their work tends be invisible when successful, they’re less likely to speak up in all-hands meetings, and less than half of employees can even name their top security executive.
But that may be changing – somewhat. According to new research, including a survey of more than 700 business executives, 2,700 employees 4,000 consumers around the world conducted by BT Security and Davis Hickman Partners, CISOs are increasingly expected to manage an evolving threat landscape, protect the business brand from a wide variety of risks and support and guide other business units as they attempt to innovate or enter new, unfamiliar market spaces.
“Our profile is certainly getting higher. [CISOs] are in more conversations, they’re asked for input," said Leo Taddeo, chief security officer for Cyxtera.
He adds: "That’s different from having real influence.”
Failure to communicate
Many companies still have work to do when it comes to elevating their CISOs within their organizational hierarchy and connecting good security with good business practices. Among the survey’s findings: less than half of employees could even name their own CISO at the same time that basic fundamentals of digital security remain the most likely vector of compromise for the vast majority of successful cyber attacks.
In an interview, Bryan Fite, global accounts CISO at BT Security, said sentiments are changing as part of a larger shift in business culture where security teams are increasingly viewed by leadership as partners in a innovation endeavors, rather than obstacles.
“Historically, I think security professionals or the CISO in that role has been viewed as the Bureau of No, and now we have to be the Facilitators of Yes,” said Fite.
The traditional low-profile has left plenty of room for security executives to build their brand as facilitators within other business units and tackle what is often for many organizations the number one security threat: phishing, password reuse and other low level cyber hygiene practices that can allow criminal or state-backed hackers to bypass many security protocols.
Most smaller companies have small security teams and even smaller budgets: in a survey of 200 small business CISOs conducted by Cynet and Global Surveyz, 70% reported having a security budget of less than $1 million. With money and resources lacking, that often leaves soft skills like clear communication and culture building as the only remaining tools these companies have for reducing their attack surface.
While many security issues are technical, Fite said companies still get routinely compromised through a handful of common, fundamental security mistakes. Since humans “like to think in terms of stories,” hearing more from their top security executive can help open up the lines of communication around security breakdowns and better strengthen a company’s “human firewall.”
“Maybe visibility into how a CISO made a mistake and clicked on the wrong [link], possibly telling those stories now creates this culture that it’s okay to be a human,” he said.
Peter Romano, CISO for eSentire and a 20-year security professional, said that while it was always a component of the job, communicating risk and engaging with other colleagues has become far more important to his role in recent years. Much of that outreach tends to be focused on engaging with the rank and file and middle management, where many behavioral risks crop up and aggregate into major security threats. Romano described part of his role today as “psychologically preparing your workforce to ensure they are not the thing that’s attacked.”
“My job is to be in the kitchen – back when we were in an office – bumping into people and having conversations about what’s going on and making people aware of the issues that we’re facing,” he told SC Media.
Several CISOs interviewed spoke of a higher levels of awareness in the board room about how security intersects with business operations, but others questioned whether those developments are more superficial than substantive in nature.
Security executives having a seat at the table during boardroom discussions is nice, but it doesn’t mean other parts of the organization have to listen to your viewpoint or take it seriously, Taddeo said. A CEO publicly empowering their CISO by endorsing certain initiatives to staff and operationalizing security practices down the chain can send a powerful signal to employees that it’s is an important part of their job.
Those signals can have a real impact on employee behavior. Taddeo said he once traveled to Israel while working for the FBI to learn why the small country was such a powerhouse in cybersecurity. He came away with the conclusion that culture was their most important driver of best practices.
“They are no smarter, they don’t have better engineers, they don’t have better equipment or access to tools. What they have is a better security culture that is part of Israeli culture to begin with, because they are a security-conscious nation,” he said.
Beyond culture, the ability to tie security to tangible business process like budgets, IT investments and employee performance can serve as useful indicators of a CISO’s role within a company. Fite said much of the same work conducting outreach and engaging with other stakeholders in an organization can translate to more visibility over security and IT purchases. The rapid changes brought on by COVID-19 demonstrate that many companies can move quickly and decisively on security if there is sufficient motivation.
Still, Taddeo believes that it goes beyond dollars and investment. Until other business units – and especially the executives who lead them – are also judged in part by how they enforce security practices, many CISOs will continue to have a limited impact on the broader organization.
“Real influence comes in the form of setting policies and metrics that tie back to other divisions’ performance evaluations,” he said.
Risky business (partnerships)
Long term trends around digital transformation and increasing rates of attack are driving increased emphasis on cybersecurity, said Romano, highlighting two recent developments that he believes have upped the paranoia levels: the coronavirus pandemic and emerging risks from the software supply chain.
He can recall joking with other colleagues in past years while reviewing language in contracts and business continuity plans around pandemics, viewing them as exceedingly unlikely to ever be relevant. Nobody is joking now, and the widespread business effects from COVID-19 and the way it caught many businesses flat-footed over the past year has given many executives pause to consider what other risks they may be underplaying.
And while security experts recognize software supply chains as notoriously messy, with most solutions stitched together using different pieces of open source and proprietary code of unknown provenance, and often dozens of different software products produced and controlled by third parties, SolarWinds provided a reality check to the masses. And though that sort of upstream supply compromise is generally viewed as exceedingly sophisticated, rare and difficult for other parties to detect, it’s nevertheless a high-profile example of how much companies depend on other parties for their own security.
That kind of risk is increasingly being baked into contracts, insurance underwriting and other third-party business interactions that has put outside pressure on many companies to demonstrate that they will not only to keep their own systems and data safe, but also those of customers and partners. In the past, many clients might be satisfied with boilerplate language around security. Now, it’s far more common to get detailed queries about internal security practices, some of which end up in legally binding contracts.
“Even over the past few years, it’s almost like we have a due diligence questionnaire arms race,” said Romano. “I think all security practitioners are starting to now get inundated with massive Excel spreadsheets of questions that need to be answered to ensure that you have the right security posture so that these [third parties] can do business with you.”