When I caught up with TAG Cyber CEO and Founder Edward Amoroso at the RSA Conference earlier this month, we discussed the weight of the CISO’s job.
Amoroso said that, sitting at the interface between the security staff who curate cyber controls and the senior management who govern cyber risk, the CISO has had to learn a plethora of executive skills related to communication, interaction, negotiation, sales, budgeting, and people.
When I asked him “What keeps a CISO up at night?” Amoroso named numerous challenges he hears every day. As we narrowed our focus to technical issues, three main challenges rose to the top.
- Identity: It’s no secret that the root cause of nearly every major cyber breach of the past few years has been an insufficient set of identity controls. Amoroso said the traditional method of issuing user IDs and passwords has been shown to create environments rich in account takeover and fraud. Instead, CISOs who support online customer engagement have had to build programs that analyze user behavior, employ fraud detection, and develop advanced verification methods for account recovery and for eliminating synthetic identity fraud, all while staying consistent with regulatory and compliance objectives. There is also the internal friction that slows business processes across the enterprise and adds complexity to routine employee tasks and responsibilities. For example, at a recent banking conference, several attendees shared how their organizations’ continuing reliance on physical authentication tokens for branch floor personnel creates ongoing headaches and daily delays: replacing lost tokens and making trips home to retrieve forgotten ones are routine. Amoroso said he hears similar challenges in other sectors, especially ones that use roaming and/or shared workstations and rely on physical tokens for enhanced security.
- Asset inventory: This one gives both CISOs and IT operations teams headaches. Although most security pros would agree that an inventory of devices and endpoints is the foundation for every other security control, enterprise teams often neglect it. Amoroso said the most common inventory issue is sprawl. An organization might have started one or more decades ago with a reasonably manageable inventory, but growth in data creation, minimal data removal, corporate actions such as mergers, third-party data creation, an explosion of app usage, and expansion into cloud and SaaS have all contributed to inventory sprawl. Amoroso said CISOs and their IT partners need to initiate a comprehensive program to tackle their inventory, including identities. Such a program should use the best available technology to locate, classify, and secure all assets and resources. Without such action, it is hard to see how a security architecture can be viewed as standing on a solid foundation.
- Complexity: By complexity, Amoroso means the difficulty any person or group has in understanding an organization’s IT infrastructure, security systems, and business processes. Every CISO knows that complexity in these areas always implies insecurity, and in recent years complexity has abounded. Amoroso said security teams need to ask a simple question: do they have schematics for the network infrastructure, the deployed systems and applications, and all stored data? If a CISO does not have diagrams of how the enterprise network is arranged, then the environment has simply become too complicated. “Good technology from commercial vendors can be used to scan and graph the network,” Amoroso said. “Managers can also demand that engineers and operators focus on simplifying infrastructure in day-to-day decision-making. Here's a hint: If you are adding complexity to your security architecture, you might be doing things wrong. Removing complexity is always the best security action – and will help with CISO sleep patterns.”
More than ever, CISOs face complex challenges that demand the evolution of their enterprise. We are seeing firsthand, through our customers’ eyes, how the adoption of AI and machine learning can offer a far better, more efficient and effective experience for employees and customers. But that comes with its own set of challenges regarding bias, a topic for another day.
Baber Amin, COO/CPO of Veridium