[BreachExchange] 3 security and ethics considerations for modern-day CISOs

Destry Winant destry at riskbasedsecurity.com
Tue Nov 12 09:30:16 EST 2019


https://searchsecurity.techtarget.com/tip/3-security-and-ethics-considerations-for-modern-day-CISOs

Today's CISO has many demands placed on her: reduce risk, defend
budget, dejargonize tech language for the board and the executive
team, and separate noise from signal when it comes to vendor claims.
All these tasks focus on enterprise assets that need to be protected,
from laptops and servers to databases and cloud shares to rapidly
expanding IoT environments, data lakes and so forth.

However, this is only one dimension of a CISO's responsibilities.
There are two equally important dimensions any forward-looking CISO
should embrace, recognize and protect. First is being an active
stakeholder in the product or service the CISO's organization is
building. Second is embracing the role of a personalized advocate for
her customers -- especially the smaller ones that don't have a CISO of
their own -- based on data that may already be harnessed by her
organization's offering.

All this needs to be done with an increasingly important cultural
awakening that can expose or elevate enterprises -- one that CISOs are
in too important a position to ignore: ethics.

How can security and ethics be achieved and coexist while a CISO
simultaneously conducts enterprise protection, takes part in product
development and acts as an advocate for her customers?

Ethics and traditional enterprise protection

One of the biggest goals for any CISO is risk reduction, which largely
involves one of the biggest challenges in enterprises today: insider
threats. From malicious or disgruntled workers to overwhelmed
employees simply making poor choices, insider threats are a major
enterprise security risk. A CISO must adopt new methods to control
insider risks, whether it's a cloud access security broker watching
over an employee's SaaS interactions or a mobile device management
system that has access to an employee's contacts, phone logs and other
personal information. However, many employees are not aware that they
are being watched.

Traditional new hire disclosure statements or annual compliance
quizzes don't cut it when it comes to empathetic security and privacy
awareness training. Some forward-looking CISOs have embraced
gamification, while others retain consulting psychologists to understand
how different demographics consume and retain training content, and
adapt corporate training methods accordingly.

Bottom line: CISO thinking needs to evolve to engage in transparent
and empathetic employee education, while simultaneously implementing
programs to reduce risk.

Security and ethics in product engineering

A typical enterprise CISO does not involve herself with product
definition or development. However, a forward-looking CISO must. For
example, consider providing customized recommendations and suggestions
to a customer using your company's SaaS product -- a great idea. But
does the customer know his use of your product is being
microinstrumented and analyzed all the time by default? Is there an
opt-out? Or an incentive to opt in? Who owns this instrumented data?
And who owns the predictions that come out of the machine learning
tool?

Some product teams have the smarts to consider such questions, but a
CISO and her team think about them all the time. As CISOs have this
expertise and constant mindset, they should be willing and able to
have such input during product engineering.

Bottom line: A CISO can become a trusted business partner if she
ingrains herself as a security and privacy advocate during product
development.

Ethics, security and customer advocacy

Let's continue with the SaaS product example. Using analytics to
upsell a premium subscription is the typical freemium model that most
companies use, so why not use these analytics to suggest better
privacy and security protections?

A B2B company always has data on the size of the company it is
serving, and it is quite logical to assume that the smaller a company,
the less likely it is to have a dedicated CISO or a chief privacy
officer. It may be prudent for the CISO of the B2B company to assume
the role of a virtual CISO for her smaller customers. Using analytics
on how the product is being consumed, the virtual CISO could provide
customized and personalized security and privacy recommendations for
better product usage. Even more impactful, with the constantly
changing regulatory landscape -- GDPR and the California Consumer
Privacy Act, for example -- a virtual CISO could help smaller
customers understand how these new regulations could impact them and
incorporate that into the feedback as well. Wouldn't that make your
customers truly grateful and secure?

Bottom line: A CISO who extends herself as a virtual CISO to the
smaller customers her company serves and turns the data already being
harvested by her company into valuable security recommendations would
stand out among her peers.
