The role of the CISO is being elevated. Ten years ago, security leaders were being asked to just ‘stop the bad stuff happening’, but now they are actively contributing to business growth. We explored this change, and more, on a recent virtual round table.
- The role of the CISO is changing. They are being asked to secure the organisation, but also contribute to business growth in a fast-changing world.
- The emergence of Secure Access Service Edge (SASE) offers the chance to bring together network and security controls in one place, and to save money.
- Security leaders are keen to point out that their ability to bring people with them across the business is a top priority. The technology is almost a given.
Setting the scene
Chief information security officers (CISOs) have been influencers at board level for several years, but their role is evolving, according to Roland Carandang, managing director at Protiviti. In a world where cloud services are growing exponentially, alongside the democratisation of technology, their skills are in high demand.
They face the perfect storm: rapid technology change, people working remotely on their own devices, and the increased sophistication of cyber-attacks. While these trends have been evolving, they have accelerated in the past six months. Businesses are going through profound change and their leaders are scrambling to protect and create value.
“Most of us would agree security incidents are now inevitable,” Roland told a group of 40 industry professionals at the event. “As a result, the pursuit of 100 per cent security is not healthy anymore; we are aiming for a defensible security posture.”
Roland explained that being able to tell a defensible story – one that explains to the board how breaches are being dealt with proactively – is now the aim of most CISOs. While 100 per cent security is impossible in an evolving threat landscape, a defensible story is the next best thing.
This can be developed by discovering what assets exist in an organisation; establishing the capability to provide security; and implementing the necessary controls to take care of them. “We are really hoping for a defensible story using these elements,” he said. “At a high level, this is about protecting value.”
There is a lot of technology available to CISOs and it’s very easy to implement projects poorly, he added, so security leaders can be seen as blockers to progress. But ultimately, they want to be the people who introduce technology effectively and secure it in service of the wider business goals. They can also take steps towards creating value by working across teams and explaining what they do. Their role has the potential to become more collaborative and open.
Roland’s colleague Andy Paw explained how the team at Protiviti is using Microsoft Power Apps to develop a business information and workflow tool to help security leaders. Projects can be integrated, assessed, and managed with the buy-in of other people in the business. The aim is to help understanding and engagement. Roland also demonstrated how chatbots could be used to achieve the same thing.
“For too long, security leaders have published policies and standards and we have asked teams to go along with them; but we haven’t necessarily made that easy,” he said. “By doing this we can be comfortable that we are dealing with others in the right way, and consistently, about their project.”
Getting to grips with the cloud
Neil Thacker, CISO for EMEA at Netskope, has spoken to more than 1,200 CISOs in the past 12 months. He talked to the group about his findings. People understand that if they aren’t moving forward, he said, they are moving backwards. This is especially true during the past few months, when everyone has been involved with digital transformation.
“Every time we introduce a new control, there is a risk of slowing the business down, especially as the business model changes,” he explained. “Of course, conditions will change, and they will change at a moment’s notice in today’s world. Organisations will be going through restructuring and there is going to be a lot of M&A activity. Unfortunately, a lot of organisations won’t survive the economic fallout.”
These conditions mean he is focused on making sure companies can ride out what is coming. He also wants security leaders to do this without getting in the way of the business. In a world where applications have moved out of data centres, employees are not always on corporate networks, and everyone wants access from anywhere, on any device, there is a new model of security emerging.
Secure Access Service Edge (SASE) – pronounced ‘Sassy’ – is a term coined by Gartner in 2019. It represents the convergence of security-as-a-service and network-as-a-service, and is a natural evolution of what has been happening across the software industry for the past decade. Instead of routing data traffic through multiple separate paths and appliances, such as firewalls and wide area networks, this model delivers all of that network and security capability from one place.
As data passes from devices to the cloud or the data centre, policy enforcement, access control, threat protection, and data protection can be applied in real time. The model should also accelerate the speed of data transfer. Over the next five years, the market for SASE is expected to grow at 42 per cent a year. Neil explained that it will give CISOs and their organisations the upper hand, especially as more of them move into the digital landscape.
“It’s going to be a big market,” he said. “Lots of organisations see this will be their next three- to five-year plan.”
Neil encouraged CISOs to think about these three questions as they explore what SASE could do for them: Do you have visibility and control of cloud services? Can you inspect traffic and apply policy without ‘hairpinning’ it back to the data centre? Can you provide risk-based conditional access to sensitive information inside your environment?
He acknowledged there were companies with ‘many offices, many data centres and many branches’, but suggested there were large-scale cost savings to be made using this model. In the context of the expected economic fallout of 2020, there are many CISOs looking at their budgets, he explained. One organisation he cited has saved $600,000 in the first year alone, by bringing their network and security together in one place.
What are your priorities?
Following the introduction and presentations, the discussion was opened up to the group. People were asked to rank what was important to them as they look to elevate their role in a fast-changing environment. Roland asked if discovering assets was something that they would do first, in a long list of other priorities they had responsibility for.
“Understanding the assets is key, but so is board engagement,” said security consultant Howard Pritchard, who has worked closely with the UK government. “You can talk all day long about the technologies in place, but if you don’t have that engagement from the board you are just being unrealistic; business architecture is also key.”
Haroon Malik, the former head of cyber security at Fujitsu, believed that security awareness was also important. “I do a lot of board-level training and you can’t have engagement unless they are aware of the problem they are trying to solve,” he said. “You can have the best architecture in place, but if your staff don’t know the difference between a genuine email and a phishing email, the technology isn’t going to be effective.”
CISO Michael Mitchell agreed that board engagement was fast becoming an area of focus. “All of the devices we are using now have still got people at the other end of them,” he said. “Board engagement and security awareness are at the fulcrum of what a CISO must do.”
“Being able to explain what you are doing and what you are not doing, in a way that the board understands, is critically important,” added Roland from Protiviti. “I think sometimes because they sign off on big budgets, they expect it to be done. But if we don’t tell them what we are doing and not doing, then we aren’t effectively engaging with them.”
Simon Wincott, programme cyber security director at Refinitiv, said he would broaden that engagement across the business. “Obviously, the board are the decision makers, and they will support your initiatives, but you need to take people along with you,” he said. “Business architecture, business unit leads; these are all people you need alongside, who have influence over the board as well.”
Ultimately, what boards are looking for is a CISO who can look after the technology and communicate to the board where they need to invest. They are now businesspeople at board level, engaging leaders across the business, while remaining technology savvy underneath; they are storytellers, too.
“Everyone from the secretary, the assistants, the marketers; they all have responsibility for security,” said Haroon Malik. “How you tell that story to them needs to be tailored and make it relevant for their journey.”
That is the emerging role of the CISO in 2020.