Ask anyone who has been around the cybersecurity world long enough and they’ll tell you just how much evolution the industry has undergone in the past few decades—particularly from the perspective and position of the Chief Information Security officer (CISO).
The modern CISO
The role of CISO first emerged as organizations embraced digital revolutions and began relying on new data streams to help inform business decisions. As technology continued to advance and became more complex, so too did threat actors who saw new opportunities to disrupt businesses, by stealing or holding that data hostage for ransom.
As the years have gone by and cyberattacks have become more sophisticated, the role of the CISO has had to advance. The CISO has evolved from being the steward of data to also being a guardian for availability with the emergence of more destructive and disruptive attacks. The CISO also must be highly adaptable and serve as the connective tissue between security, privacy and ultimately, consumer trust.
The changing threat landscape
Some of the latest and most consequential cyberattacks, such as the SolarWinds hack and those against the European medical agencies, Facebook and most recently the Colonial Pipeline have presented a critical question to many leaders that is yet to be answered – “What does it take to be a CISO in today’s threat-riddled economic landscape?”
Answering this question is a lot more complex than it was even just a year ago. While it’s true that cybercriminals were modernizing their strategies before 2020, the pandemic opened numerous new pathways to spread malware. As work-from-home mandates forced millions around the globe to remain remote, nearly overnight, IT departments were stretched thin trying to ensure connectivity to networks. In parallel, this proved to be a gleaming opportunity for cybercriminals to pounce on nearly every industry, flooding them with cyberattacks.
Given the fluid complexities brought on by COVID-19—including remote work and rapidly-accelerated digital transformation plans—the attack surface for cybercriminals nearly doubled as employees began conducting work from home on potentially unsecured home Wi-Fi networks and personal devices. In fact, nearly 50% of people working from home have fallen for phishing scams since the pandemic began.
As threat levels continue to rise, we’ve seen a plethora of new attack styles unfold. From double extortion in ransomware and complex supply chain attacks, to a greater willingness among threat actors to collaborate and conduct more damaging and aggressive attacks.
For CISOs, this vast attack surface means their jurisdiction is no longer confined to company offices, and they now must think about cybersecurity in much broader strokes. The focus of the CISO in 2021 and beyond must consider securing cloud, IoT, WFH, BYOD, and so much more as technology continues to shift and grow.
Adaptability is key
With remote work primed to remain a mainstay in societal patterns, and growing interest in a “work from anywhere” mentality continues, the onus to be adaptable has never been higher for CISOs.
For CISOs, there’s a fine balance between continuing to make progress on strategic initiatives that will reduce risk and improve security maturity, while also being adaptable enough to stop and pivot as needed.
Further, as businesses adapt to meet the growing needs of the customer, the business needs to do so with CISOs in mind in order to stop and ask the right questions to enable secure-from-the-start—such as, “Will this new technology we’re onboarding potentially open up new security gaps?” or “Does branching into new sectors open our business up to new areas of attack?” and “Could we expose our customer base to threats by switching CRM platforms?”
To be able to answer these questions, CISOs need to be able to adapt across three major areas that are constantly shifting and inherently intertwined: the needs of the business and customer, the current threat landscape, and risk calculation and prioritization. For example, many CISOs are certainly taking heed from the SolarWinds attacks to ensure proper risk prioritization around product security.
Where we go from here
For today’s CISOs, the key is to continue leading with the same level of diligence as they are right now, never letting their foot off the gas—because those looming in the shadows of the dark web certainly aren’t slowing down. There is no going “back to normal” for cybercriminals who have gotten a taste of how much damage and chaos they’re able to create.
As CISOs look ahead, they must begin planning their identity-defined security strategy now – as the traditional perimeter security approach is no longer sufficient to defend against the threat landscape. As a result, emerging best practices have developed, such as zero trust and other strategies recently released by NSA.
Businesses must consider their approach to cybersecurity and take actionable steps toward implementing a “cyber resilience” framework. From there, executive leadership, business continuity, crisis management, disaster recovery, cybersecurity, legal and communications, should be prepared from a worst-case scenarios perspective, ensuringproactive preparedness around the coordination and communications required for a business to successfully respond to a cyber attack. CISOs also need to embrace information sharing and collaboration in order to take their organizations from being one step behind cybercriminals to being two steps ahead at all times.