[BreachExchange] 3 Ways CISOs Can Boost Their Credibility Within the Enterprise
Destry Winant
destry at riskbasedsecurity.com
Mon Dec 10 02:16:29 EST 2018
https://securityboulevard.com/2018/12/3-ways-cisos-can-boost-their-credibility-within-the-enterprise/
One of the biggest challenges CISOs and CSOs face today is that
they’re tasked with ensuring the very important outcome of protecting
business assets without being handed the authority or organizational
ownership to fully assure that outcome.
“This challenge can be frustrating,” said Guy Bejerano, a security
veteran with extensive hands-on practitioner experience.
Bejerano started his security career leading information security and
red team operations in the Israeli Air Force and then moved over to
the private sector as CISO of Ness Technologies and later CSO of
LivePerson.
“I had an opportunity to build security teams and security
organizations from the ground up for about three and four companies,”
he explained. “Different verticals, different areas.”
Nowadays he’s the CEO of SafeBreach, a breach and attack simulation
platform company that he co-founded in 2014 to help enterprises
validate their security controls.
Since moving into the vendor space, he said his opinions on security
haven’t changed drastically, but they have been reemphasized and
enhanced by viewing problems from a different angle.
Since he moved out of the CISO role he has become increasingly
convinced that these security leaders must do a few key things to
become more effective at reducing risk, gain more credibility within
their organizations, and take the reins to control their own destiny
as security executives.
Cutting Through Vendor FUD is Crucial
The fear, uncertainty, and doubt (FUD) that security vendors peddle
has been a longtime thorn in the side of CISOs, but Bejerano thinks
it’s grown worse than ever.
“Vendors throw FUD at CISOs all the time trying to promote their
products through the fear of the worst that will happen,” he said.
“You hear lots of talk about zero-days, APTs and the unknown—but it’s
more confusing than helping.”
Cutting through the FUD is crucial to CISO success for two major
reasons. First, when FUD drives security strategy, it often distracts
the CISO from objectives that should instead be set by business
priorities. That is a big mistake as the profile of the CISO grows in
the enterprise. Bejerano said that in the four years since he left the
job, CISOs have been getting more exposure to the board.
“There’s a lot more expectation from them to drive the entire risk
equation in the organization and the budget around security is going
up, so there’s an opportunity to change things,” he said. “You have
that on one hand and on the other hand there’s a lot of vendor fatigue
from CISOs.”
When CISOs let vendor FUD drive their strategy, it hurts their
credibility within the business.
That leads us to the second reason why CISOs need a good BS meter when
it comes to FUD: In a lot of cases the hysteria is masking some
inadequacy of the product being marketed.
“We see it over and over again that there’s a huge difference between
how these vendors position their products and what’s going on in
reality,” he said.
This leads to poor-performing products and no accountability—another
credibility killer for CISOs and their security teams.
As he explained, the CISOs he works with whom he admires most, and who
are most successful in their organizations, are the ones who find
meaningful ways to cut through the hype and make sure the vendors they
pick fulfill their promises. This is step one in ensuring these
leaders have credibility when they step up in front of CEOs and boards
to ask for money, support and so on.
Data-Driven Discussions Get Things Done at the Board Level
This leads to Bejerano’s next important lesson. To gain the kind of
authority within an organization necessary to effect meaningful
security change, CISOs have to find better ways to gain influence at
higher levels of the business, he said.
With the perspective that comes from distance from the job, he believes
one of the key ways to do that is to let metrics, KPIs and other
important data drive the discussions that CISOs have with business
executives.
“Being more data-driven, more predictable and building KPIs that are
business-centric is super critical,” he said. “CISOs need to be much
more like a CFO. They need to show ROI from all the investments they
make in technology, they need to fully understand the risk exposure of
the organization, and be able to show security efficiency over time.”
This means finding ways to answer questions such as how well security
investments are doing over time, measuring the reduction or increase
of risk as a result of the introduction of new technologies or
processes, and so on.
It’s Important to Take an Adversary’s Point of View
Bejerano admitted that, like a lot of CISOs today, he used to view the
cybersecurity world “from a very defensive position.”
As he explained, it’s hard to flip that lens around and view an
enterprise’s position from the adversary’s perspective. But he
increasingly believes it is important to do so.
“It’s not easy to look at the offensive side of the fence because
hiring people today with a red team skill set or hacking skill set is
not easy—it’s not easy to hire or to retain,” he said.
However, he believes the best CISOs focus on ensuring that they’re
probing their technology the way attackers do and that they’re
challenging defensive assumptions they may have made in the past to
ensure that it fits into today’s threat realities.
“The first time a lot of CISOs find out whether their assumptions are
right or not is when an attacker comes at them,” he said. “My first
advice is don’t wait—challenge yourself, challenge your assumptions on
a daily and continuous basis.”