The chief information security officer role has leapt from backroom to boardroom, just like the ever-evolving security threat, writes Wayne Olsen, managing executive: cybersecurity at BCX.

The role of the CISO has traditionally been behind the doors of the Security Operations Centre or within the dark depths of IT. There, they have managed security across both the physical and digital levels, leveraging technical expertise and an increasingly demanding skillset to ensure that every individual, touchpoint and technology is protected from the ongoing security threat.

Today, that role has been pushed out from behind closed doors by the sheer scale and volatility of the cybersecurity threat. The CISO has to keep up and stay updated to ensure that the business remains resilient and stable in spite of the onslaught.

And it is an onslaught. The 2022 SANS Survey report ‘Inside the Minds & Methods of Modern Adversaries’ surveyed more than 300 ethical hackers to find out how attackers think and to unpack their favourite targets, tricks and methodologies.

The findings were harrowing – 57% can finish an end-to-end attack in a day, 64% can exfiltrate organisational data in under five hours once they’ve accessed the business, and 36% can accelerate their attack in as little as three hours.

The analysis underscored some key findings that are not news to the CISO. If anything, these findings are the regular beat of the CISO drum – the path of least resistance will always garner attacker attention, vulnerabilities are open doorways, and awareness of the threat is essential to ensure resilient and robust security within the organisation.

Fortunately, the move from backroom to boardroom is a clear sign that finally the organisation understands the value of security and recognises how important it is that the CISO become an integral part of not just security, but business strategy.

Organisations that are successfully overcoming the security threat are not those that throw budget at defences, but those that are focusing on a holistic approach to security and that leverage the growing CISO skillset to create a security ecosystem. These are the organisations that no longer perceive cybersecurity as a grudge purchase and don’t only call in the CISO when there’s a problem, or, even worse, at the end of an implementation or development process.

Often, the CISO is dragged in at the final hour, informed that the company is about to launch a new product or service, and asked to check whether it's secure or to quickly wrap some security bubble wrap around it so that it ticks the mandated security boxes. This doesn't secure the product, it doesn't secure the business, and it definitely does not ensure the security of the customer. And this is one of the reasons why many solutions end up on the market with an unexpected vulnerability lying wide open and ready for attack.

However, this is not the only reason why the critical CISO shift has taken place. The huge global attacks on critical infrastructure and market-leading organisations have made every leader pause. No company wants to be the one in the headlines, nor does it want the heavy fiscal cost that now comes with a successful attack.

Alongside the cost of downtime, paying the ransom – 83% of ransomware victims pay up – and the cost of customer trust and company reputation, there is the price tag that comes with non-compliance with regulatory frameworks such as POPIA and GDPR. With more than 150 different regulations across the world, this is not the time for the organisation to keep the CISO behind closed doors and security on the back-burner.

Not only does the CISO offer immense strategic value across every layer of the business, but their expertise is the key to ensuring that the organisation is compliant, resilient and prepared.

While there is no foolproof cybersecurity solution and no absolute answer to the ongoing threat, the CISO is the person who ensures that the organisation is ahead of shifting security threats and trends, has the right technology embedded within the fabric of the business, and who understands how to mitigate the risks and protect the business from the security onslaught.

It is a role that's fraught with stress, that's constantly changing, and that's definitively shaping the future of organisational security, which is probably why the CISO never sleeps. They wait.