Interview: Greg Day, Palo Alto Networks on the Changing Role of CISOs

It has been widely acknowledged that cybersecurity has become a more important issue for businesses since the start of the COVID-19 pandemic. The shift to home working and the need to embrace greater digitization in order to continue functioning amid lockdown restrictions have increased opportunities for cyber-criminals to launch attacks.

With rapid digital transformation set to continue beyond the crisis, ensuring these projects are properly underpinned by security is going to be vital to many businesses’ post-pandemic recovery. As such, CISOs must play an increasingly crucial strategic role within organizations, ensuring cybersecurity is front and center of the rollout of new technologies, which requires gaining buy-in and adequate funding from executives. To discuss this issue in depth, Infosecurity recently caught up with Greg Day, VP and chief security officer for Europe, Middle East and Africa at Palo Alto Networks.

Has the role of CISOs within organizations changed since the start of the COVID-19 pandemic?

Fundamentally the role of the CISO is ever evolving as businesses become more digitally dependent. But, as COVID has typically accelerated digitization, it has accelerated a shift in the role of the CISO too. The scope of what to secure expanded, from business premises into employees' homes, where cybersecurity levels are typically much lower. For CISOs, this has created the challenge of balancing employees’ personal privacy versus the business’ security needs.

The acceleration into the cloud has also shifted the CISO role. The move to shared ownership models, whether with cloud infrastructure or SaaS providers, has left many CISOs feeling like they are contract managers and having to learn a lot more about legislation, which is both inherent when data is stored in a third-party space and also the increasing global focus on where that cloud is in the world. Data privacy is changing where and how data can be put in the cloud. Within the C-suite, you are seeing a swing in the balance of power from those who are broad capability owners, such as CISOs/CIOs, to chief digital officers (CDOs), who are more aligned to key digital processes. A CDO may own one or multiple key digital-driven processes for the business. This is a growing new carve-out that in many instances sits alongside the CISO or CIO, but in others can replace one or both roles.

Analysis by Palo Alto Networks’ threat intelligence team, Unit 42, uncovered that 98% of all IoT network traffic is unencrypted, whilst 57% of IoT devices are vulnerable to medium- or high-severity attacks. In a connected world where sensors that cost pennies are connected to business networks that support multi-million-pound businesses, it is clear how their increasing prevalence poses a serious security issue for organizations and headaches for CISOs.

To what extent have rapid digital transformations in the past year led to tensions between CISOs and business leaders? And what issues do rapid digital transformations tend to raise for security teams?

We call this the cyber-time paradox. It’s a growing tension between the CISO and the business. Consider that the volume of connected things in any business is growing. COVID-19 expanded this further at a furious pace and, worse still, added a whole new collection of things like collaboration tools, new cloud tools and home devices, while at the same time threats continue to grow in both volume and complexity. These are force multipliers on the workload of any business’ Security Operations Centre (SOC).


On the flip side, the business has been quickly shifting more processes to be both digital and, in most instances, cloud-based. With this, as the business becomes more dependent, the acceptable downtime has been shrinking over the last decade, and it has now shrunk even more. This creates the paradox of less time to act, yet more work for any SOC team to get done. Add to which, most SOC teams have also had to adapt to working from home. The path forward has to be to better automate the SOC to empower scale, but the challenge for many organizations is having the time to shift processes and capabilities whilst still dealing with the current workload. In short, it is like juggling and sprinting at the same time.

There is a second tension that is also only starting to appear. Ask most CIOs about their shift to the cloud and one aspect they will flag is that they don’t want to repeat the vendor lock-in issues they have previously had with outsourcing over the last decade. The good news is that containers and other DevOps methodologies enable portability. The challenge is that the CISO has had to adapt their security at pace in the shifts to the cloud. Too often the quickest answer to this is the simplest: use the native security provided by the cloud, be it infrastructure or SaaS. This is effectively creating lock-in, the very thing that the CIO is looking to avoid. Worse, this decision causes longer-term challenges for the CISO, as following this path creates inconsistent security because each cloud or SaaS solution has its own different take on what security it provides and how it’s delivered. The key requirement to have a broad view across the entire space means knitting these solutions together. This goes against how most CISOs have been trying to shift to the best of integrated solutions to have a coherent cybersecurity ecosystem. The result is that securing their data and applications in the cloud leads to long-term friction for themselves and others in the business.

How do you advise CISOs to go about balancing business and security needs during these transformations?

Good CISOs always have a long-term strategy in place that means when business plans are accelerated they are ready with their own strategies to support. I think the aspect that may have caught some off guard is working from home, and the associated growth in shadow IT. This has required businesses to rethink how they understand their attack surface and more and more are starting to leverage dedicated skills to monitor their external attack surface. Traditionally security was looking from the inside out, now they must do both: look inside out but also outside in.

Coming back to the longer-term strategy to meet the cyber-time paradox problem and the increasingly distributed, shift-left cloud world, most CISOs are having to look at how they drive three imperatives:

  1. How do they simplify cybersecurity? The simplest example of this is how I hear multiple CISOs uttering the mantra ‘for every one new solution, remove two legacy solutions’. Consolidation is king in terms of costs and scale.
  2. Integration is now more critical than capability. The simple honest truth for most is that they already get more alerts than they can process in a timely fashion, as such being able to correlate, consolidate and, more importantly, convert alerts into actionable outcomes is critical. Otherwise, how can you extend your capabilities?
  3. If you do the first two imperatives well then you can automate. This requires having real fidelity about the problem to help drive next steps of actions. But, please don’t misunderstand what’s involved here. Any incident typically has many steps. Automation is not just a big singular STOP/GO button, rather the augmentation of human skills. You need to identify the highly repetitive steps in every process that can be automated to augment the human element of the work and shorten the process timeline.

In general, what are the most effective ways CISOs should communicate with executives at their organization to ensure security needs are being properly met?

Every part of any business has their own language. Key for a CISO is understanding the languages of their stakeholders to have a meaningful conversation. An executive doesn’t care how ransomware works, they care about its commercial impact on their business and want to make balanced investments to manage the risks. What’s key at the minute is many organizations are making technology and infrastructure shifts quicker and on a larger scale than normal. That means they require more frequent updates on how this impacts their risks, and those risks are often amplified by the interoperability in these shifts. Digital trust is a great example. Whilst many had strong control of IDAM and DLP tools in their traditional infrastructure, the move to the cloud has left many with multiple tools from each SaaS or cloud provider, which don’t interoperate, leading to gaps. We have already seen in the last 24 months an increase in breaches due to simple cloud credential management mistakes.
