Paul Holland - Principal Research Analyst, Information Security Forum
With the world becoming increasingly driven by technology, CISOs are finding it challenging to keep up with – and understand – an ever-evolving technology framework and how it is being exploited for good and evil. The CISO also needs to keep these thoughts in line with their desired security posture and resilience so that their organization is well protected. Gone are the days when having an information security management system (ISMS) in place would adequately support the appropriate levels of understanding and requirements for ongoing protection.
The CISO needs to evolve, creating a team around them that can keep pace with a constantly changing environment. Finding the right hires – people who have a passion for cyber and an empathy with non-technical people – will provide a solid base. From there, the CISO needs to embed themselves into their organization’s culture, understanding all they can about how the business works and where it is heading. This will allow the team to understand how to communicate with staff and executives within the organization effectively. CISOs also need to become more business-focused, and this should allow them to start implementing changes to the organizational culture, helping instill shift-left security thinking. Shift left takes security concepts and moves them to the left of timelines, thus forcing security conversations early in any project or innovation work.
The CISO and their team can create this strong culture of shift-left security thinking to enable the whole business to understand where and when security is relevant. This enables security leaders to stay on top of the changes within the organization. With the right security team in place, they can leverage their knowledge of the best security tools and practices available.
Shift left will result in a change of attitude, which, in turn, will have a considerable effect when combined with a forward-thinking CISO, who has built a team of driven, interested and inquisitive security professionals. This will enable the organization to understand change, when that change is needed and how to best approach implementing change while keeping security at the forefront. This attitude, albeit primarily focused on technology, will also be beneficial when looking to update policies, procedures and cultural change, helping the organization stay ahead of the curve.
This change will be driven by the CISO, who needs to make sure that they are also a people and organization expert, as well as a security expert. Without understanding all these elements correctly, they will struggle to evolve at the same pace as threats and technology. The successful next-generation CISO will be steeped in the experience of the past, but ready and able to deal with the business changes of the future.
Paul Holland is an information security specialist with over 23 years of experience across multiple industries and holds a BA in learning technology research and a CISSP.
Paul McKay, Principal Analyst, Forrester
Numerous technology changes are posing a challenge for security leaders. While the cloud and distributed workforces are nothing new, we still see a lot of issues from security teams not being fully involved in securing these changes to how technology services are hosted and then consumed by the user population. This has led to a new wave of consolidation and running of critical business and security services from the cloud, increasing dependency on service providers for resilience. While, in many cases, this is a good thing, it does require additional attention.
Hybrid work patterns mean that security leaders must evolve towards a cloud-first approach and apply zero trust principles to secure a distributed workforce. Additionally, we expect to see more examples of AI being used actively in attacks. An example would be deepfake attacks such as the fraud compromise reported earlier this year. This involved a CEO in a UK energy company being tricked into wiring money to a fake supplier, believing he was talking to his German boss.
I expect to see more breaches with a broader societal impact or severing links in critical supply chains, causing disruption and resilience challenges across a more comprehensive set of organizations than just a single firm. The Colonial Pipeline attack earlier this year was a good example of this, and I expect we will see more of these in the coming year. Attacks targeting companies that people have generally never heard of, but which play a crucial role in areas like energy and the food supply chain, will become events CISOs should expect to see more often.
On the other hand, while we may have heard much talk and hype around quantum computing in the past year, I think CISOs need to exercise some caution as to the timeframe within which the ‘doomsday scenario’ of the obsolescence of current cryptographic techniques will occur. It is likely to be a somewhat more extended timeframe than some of the hype would have you believe.
So, how can security leaders ensure their business is prepared early for these advances from a security point of view?
For the technical changes to the broader IT landscape that have security implications, I would advise CISOs to get involved in the process as far as possible and emphasize the positive benefits security can bring. Make it about realizing the productivity and agility benefits that these changes are bringing, rather than being seen as the ‘prophet of doom’. Sadly, too many security professionals are playing catch up long after the changes have been made. I have seen some successes, but not enough yet.
For broader attack trends – AI deepfakes, business email compromise and so on – I advise making these simulations and targeted training exercises part of cyber exercise simulations. These are more specific than a general phishing test. Define targets of interest (such as executives or the finance team) and run targeted training exercises to raise awareness among employees in key roles of these newer attack variants. Use these as more sophisticated examples in red teaming exercises, cyber simulations and other plans to validate preparedness for a cyber incident.
Paul is a principal analyst on the security and risk team. He works with organizations to help them shape and deliver their cybersecurity strategies to support the delivery of their core business vision.
ISACA board director and 2019-2020 board chair, and VP & CISO for customer services, Oracle Corporation
When enterprise leaders consider how to advance their security programs, they often think about it through a regulatory and compliance prism. Unfortunately, that regulatory-focused mindset reduces the potential for security teams to integrate with broader enterprise risk management processes and become the business enabler they should be. This point is particularly true in an era where adapting to technological change and supporting digital transformation have become business imperatives. To rise to these challenges, organizations need to prioritize building their cyber-maturity, pinpointing the risks most relevant to their business. This calls for evolving beyond the point-in-time assessments and checklists of the past, to an always-on approach allowing security teams to assess and react to events in real time.
ISACA asked organizations about the top goals for their cybersecurity programs. Interestingly, continuous improvement in achieving cyber-maturity was considered the top need. When organizations are on a path toward building cyber-maturity, security teams become an enabler for the business rather than being ‘the department of no.’ Security functions should not only be mitigating risks but helping to advance digital transformation and technology implementation.
With a compliance-centric focus, some useful controls will be put in place. Yet, the result will only be compliance with a specific set of regulations. Conversely, an emphasis on building cyber-maturity will go well beyond that to develop organizational cyber-resilience and allow the security team to evolve alongside its business partners.
How can organizations begin down this path? First, security organizations must align with the company’s corporate enterprise risk management processes to address cyber-risks in a broader context, using standard processes and taxonomy to describe these types of risks. This offers exposure that results in risks being managed at the enterprise level and subsequently upleveling cyber-maturity. Identifying standardized, scalable assessment tools and risk-based, quantifiable assessments drives a roadmap for improving maturity; these tools and assessments are used to provide that visibility.
Additionally, there are steps that security teams can take now to immediately up their game. These include implementing DevSecOps processes to embed security into development and engineering processes in real time. Another example is expanding a traditional third-party assessment process, based on paper assessments, to address supply chain security risks through ongoing automated technical assessments.
While a robust approach for building cyber-maturity offers an excellent foundation for an improved security posture, organizations should also recalibrate how they approach employee security training. Traditional security training is focused on awareness, which consists of employee policy requirements to take training periodically (usually based on a compliance requirement). That training is often dull, not as timely as it should be and largely ineffective. Therefore, an opportunity exists to explore ways to embed continuous learning – including foundational security training and offering relevant new certificate programs – into employees’ ongoing training and professional development. Together, a commitment to growing organizational cyber-maturity and providing staff with more meaningful continuous learning opportunities can equip companies for success in this era of rapid technological disruption.
Brennan has more than 25 years of experience in IT security, governance, risk, audit and consulting and has worked in various industries designing, implementing and operating enterprise-wide programs to address global security risks.