I recently had the opportunity to meet and speak with several luminaries of the global security ecosystem: Roger Hale – Chief Security Officer at Agora; Sounil Yu – CISO and Head of Research at JupiterOne; Debbie Taylor Moore – VP and Senior Partner Global Cybersecurity at IBM Consulting; and Jay Leek, Managing Partner and Co-founder of SYN Ventures. As the aftershocks of 2021 begin to clear, I was interested in getting CISOs’ take on ensuing challenges and upcoming hurdles that require the attention of all security and business stakeholders.
Resilience and recovery
As the market downturn becomes a real concern for the private sector, resilience and recovery are key for security practitioners. Demand for cutting-edge security solutions hasn’t fallen; if anything, it has grown, and the panel suggested avoiding knee-jerk reactions and panic in these volatile times.
“This is a negative spike, but it has nothing to do with the increasing value of what the security community is achieving,” said Jay Leek. “We’re in a real re-build cycle. This is an opportunity for CISOs and security practitioners to take their leadership role in the C-suite, and drive forward while showing their abilities.”
While it may be challenging to seek opportunities during economic instability and catastrophic geopolitical events, cybersecurity has always been resilient, in part due to its inherent role as a safety net. The job of the security industry is to help the public feel less scared. We have an opportunity to help people manage and mitigate their risks and resolve concerns that may be exacerbated by recent events. If we can leverage that responsibility with confidence, but not overweening arrogance, cybersecurity will see this through.
CISOs have a lot on their plate as it is, with cyberattacks growing in sophistication and nation-state actors exploiting both cyber operations and recent global events to gain a strategic edge by stealing, leaking and exposing data and critical business and customer assets.
“CISOs still struggle with the basics. They were never easy to resolve and have only gotten more cumbersome over the past year,” said Sounil Yu. “Beyond just data-oriented and network-oriented attacks we’ve already seen, we’re going to have situations where we can’t recover our endpoints because our firmware is bricked. We’re going to have situations where applications can’t be recreated or redeployed because our code has been completely wiped out. We may reach a point where it becomes impossible to recover from these types of catastrophic, irreversible events.”
The current conflict in Ukraine brought ransomware attacks to the forefront, as reports indicate that Russia has used them to finance wartime operations. Roger Hale believes that this new development and its impact on security are indicative of the shift that has taken place in the CISO’s role over the past few years.
“Dealing with ransomware is not a security issue, it’s a business continuity issue. If we’ve learned anything from the pandemic and the shift to remote work, it’s that security has an ever-widening scope of influence on our ability to do business,” he said.
“During this conflict international companies realized that they have assets in Ukraine and had to alleviate customer concerns about their resources, as well as deal with demands to verify their compliance with international business sanctions. These questions are all addressed to CISOs and provide us with opportunities to up-level our positions and lead from the front.”
The CISO role is changing
Jay Leek emphasizes this view of the changing role of the CISO, an acute shift that startup founders should pay attention to. “The CISO in most big organizations doesn’t make any decisions anymore about your product or your solution. They have delegated that to people in their team. You’re still trying to sell the CISO, yet the decision-maker is one or two levels down. The CISO can block it or approve it, but they’re not going to recommend it to their team. As you’re marketing your solution for an organization’s security program, make sure that you’re targeting the right cohort, because it’s not the CISO anymore.”
Another recent incident, the exploitation of the Log4j vulnerability, uncovered an alarming blind spot: despite the ubiquity of the vulnerable component, many organizations had failed to prepare for it.
“People are still overwhelmed by that attack,” said Debbie Taylor Moore. “It’s ongoing. There’s a real challenge with nested dependencies, and we’re realizing just how a 1990s flaw can come back from the past and haunt all of us for the next few years. It’s a supply ecosystem now. There are interdependencies everywhere, and if you want to work on dependency mapping and consolidating governance or compliance within shared vendors, that’s an opportunity.”
For CISOs, it is no longer sufficient to ensure that their vendors are secure in their own right. Dependencies run deep, with one vendor’s code depending on code from others further along the supply chain, introducing a significant amount of risk that must be managed.
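As an added illustration of the nested-dependency problem Moore describes, and not code from the panelists or from any of the companies named on this page, the script below walks a `mvn dependency:tree` listing and reports every path by which a named library reaches a build, with its depth and version. The project, coordinates and versions in `SAMPLE_TREE` are constructed sample data; the version floor passed to `below_minimum` is a placeholder the caller sets from their own advisory tracking; and the parser assumes Maven's default tree glyphs (`+-`, `\-`, `|`) and the standard `groupId:artifactId:type[:classifier]:version[:scope]` coordinate layout.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the format printed by `mvn dependency:tree`.
# Every artifact and version here is made up for this example.
SAMPLE_TREE = r"""com.example:shop-web:war:2.3.0
+- org.springframework.boot:spring-boot-starter-web:jar:2.5.6:compile
|  \- org.springframework.boot:spring-boot-starter-logging:jar:2.5.6:compile
|     \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
|        \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
+- com.example:legacy-reporting:jar:1.8.2:compile
|  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
\- com.example:internal-metrics:jar:0.9.0:compile
   \- com.vendor:telemetry-sdk:jar:3.1.0:compile
      \- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
"""

# Maven draws the tree with 3-character units: "|  ", "+- ", "\- " or "   ".
# The number of units in front of a coordinate is its depth.
LINE_RE = re.compile(r"^((?:\|  |\+- |\\- |   )*)(\S.*)$")


@dataclass
class Dependency:
    group_id: str
    artifact_id: str
    version: str
    depth: int          # 0 = the project itself, 1 = direct dependency, ...
    path: List[str]     # artifactIds from the project root down to this node


def parse_tree(text: str) -> List[Dependency]:
    """Flatten a `mvn dependency:tree` listing, keeping each node's ancestry."""
    deps: List[Dependency] = []
    stack: List[str] = []  # artifactIds of the ancestors of the current line
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognised tree line: {raw!r}")
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        if len(parts) < 4:
            raise ValueError(f"unrecognised coordinate: {m.group(2)!r}")
        group_id, artifact_id = parts[0], parts[1]
        # root line has no scope (4 fields); others end with a scope, and an
        # optional classifier may sit before the version
        version = parts[-1] if len(parts) == 4 else parts[-2]
        del stack[depth:]  # leaving a branch: drop the previous siblings' subtree
        stack.append(artifact_id)
        deps.append(Dependency(group_id, artifact_id, version, depth, list(stack)))
    return deps


def find_artifact(deps: List[Dependency], group_id: str, artifact_id: str) -> List[Dependency]:
    """Every occurrence of one library, however deeply it is nested."""
    return [d for d in deps if d.group_id == group_id and d.artifact_id == artifact_id]


def version_tuple(version: str) -> tuple:
    """Best-effort numeric ordering; non-numeric pieces (e.g. 'beta9') count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def below_minimum(occurrences: List[Dependency], min_version: str) -> List[Dependency]:
    """Occurrences older than the floor the caller derives from their own advisories."""
    floor = version_tuple(min_version)
    return [d for d in occurrences if version_tuple(d.version) < floor]


def report(deps: List[Dependency], group_id: str, artifact_id: str, min_version: str) -> List[str]:
    """One human-readable line per occurrence, showing the supply path it came in through."""
    lines = []
    for d in find_artifact(deps, group_id, artifact_id):
        flag = "OLD" if version_tuple(d.version) < version_tuple(min_version) else "ok "
        lines.append(f"{flag} {d.version:<8} depth={d.depth} via {' -> '.join(d.path)}")
    return lines


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    # "2.17.0" is a placeholder floor for the example, not an advisory statement
    for line in report(tree, "org.apache.logging.log4j", "log4j-core", "2.17.0"):
        print(line)
```

The point the output makes is the one Moore raises: the project declares no logging library of its own, yet the same library arrives twice, at different versions, through two unrelated vendors' packages. Mapping those paths is what lets a team decide which upstream to pressure, or which transitive version to pin, instead of assuming a clean first-party bill of materials means a clean build.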
“What Log4j has really highlighted for us and for the community at large is to approach this as a risk that we have to manage on our side, not expect fixes on the other side,” said Sounil Yu. “You should plan for Log4j to be continuously and perpetually compromised, and design your environment with that in mind; for example, design systems so that you have good egress filtering. If you manage the risk on your end, you won’t have to be as concerned about what goes on in your supply chain.”
Looking for the right security platform
A CISO’s security stack may well be prepared to mitigate these and upcoming threats, but as the cybersecurity community rebuilds and reshuffles, I was interested in my colleagues’ take on the buyer’s perspective on organizational security posture: are numerous point solutions preferable to one cohesive security platform?
“Everybody has a Noah’s Ark of solutions,” said Debbie Taylor Moore. “There’s value in both point and platform approaches. If you go with a platform but ignore emerging technologies, that’s a disadvantage. On the other hand, CISOs have grown tired of taking meetings with multiple vendors and are looking for ways to keep up with technology without burnout.”
Sounil Yu maintains that when CISOs choose between point or platform – and when entrepreneurs consider what type of product to build – they must consider timing. “If you have a new threat vector, point solutions are going to win every time. But as that threat vector matures, and as people figure out how to handle it, the well-integrated solution is going to become the natural winner. It’s a matter of timing. If you build a point solution that resolves an urgent, timely problem and there are no other solutions, get that point solution out there as quickly as possible. But if you’re late to the game, you’d better come with an integrated solution.”
These cyber risks have now translated into increasingly pervasive business risks, exacerbated by the looming economic downturn, and the CISO’s role must adapt accordingly. We should aim to become a pivotal part of the executive conversation on spending, budgetary allocations, prioritization of objectives and other C-suite concerns, so that security does not diminish in importance. If CISOs do not have a seat at the table, with a comprehensive understanding of the business shifts and of how the company maintains not only its crown jewels but also its competitive edge, they will no longer be able to ensure resilience and recovery in the face of these shifts and threats.