I recently had the opportunity to moderate a panel for the Business Innovation Leaders Forum that brought five veteran security executives together to discuss contemporary CISO demands and challenges. On the five-person panel, I had two CISOs at major multi-billion firms, the former Deputy Director of the U.S. National Cybersecurity division, the godfather of Zero Trust, and the Executive Vice President for the cloud and security business at a major telecommunications company.
This blog summarizes five takeaways that stood out from our discussion.
- The COVID pandemic has been both a crisis and an opportunity
The pandemic has been an enterprise crisis. The pandemic compounded the rate of technology and threat change, which was already a source of discomfort for many enterprises. Two key examples are the shift to remote work and the acceleration of enterprise digitalization (the shift and embrace of public cloud for enterprise apps), each of which has thorny security problems to solve.
But the pandemic has also been an opportunity for enterprises. The massive disruption caused by the pandemic has provided the impetus for new ways of looking at security problems and has driven investment that in a non-pandemic environment would not have been possible.
- Enterprise users have and will continue to pose a complex security challenge
If a CISO’s job wasn’t already challenging enough, they need to contend with enterprise users being humans that flourish off three Cs: curiosity, convenience, and comfort. Curiosity will lead to users doing unexpected things that may open security holes. Likewise, users will defeat security measures they find inconvenient. Passwords on a post-it note, anyone? The pandemic-induced need to work remotely has caused many users to appreciate the comfort of working at home and no longer want to commute to the corporate office. Yet, remote work has enormous security implications compared to the traditional office environment.
Rather than fight the users and change behavior, a CISO needs to continually evolve and always look for new security controls that match the current user landscape and behaviors.
- The threat landscape is not only more brutal but innovating faster than enterprises can counter
Not only has the Internet threat landscape gone from being a tough neighborhood to open warfare, but the threat actors are moving at a blinding speed. Threat actors aren’t constrained by processes like enterprise change control, which is valuable in preventing unintended IT instability, but often leads to slow, glacial response during an active attack.
So what’s a CISO to do? While there’s no panacea, the panelists repeatedly remarked on the need to focus on the security fundamentals, like knowing what in the enterprise needs to be protected and developing a solid security plan focused on that needed protection.
- Security vendors are a double-edged sword: New products are distractions, yet relationships are key
The security vendor landscape is highly fragmented, with hundreds of products vying for CISOs’ attention. New products are a dangerous pitfall. Persuasive vendor marketing for new products may lull CISOs into thinking they need the product even though the reality could be the opposite. Unless a CISO is working off the knowledge of what needs to be protected in their enterprise and a robust security plan, a CISO can’t assign security value to any new product.
However, a CISO is not to shirk all vendors. The panel agreed that relationships play an essential role, particularly with those select vendors seen as trusted and willing to listen to the CISO. Bi-directional communication is vital to help vendors develop security controls and technologies that benefit the enterprise.
- Zero-trust is a strategy, not a product: The folly of mixing up strategy and tactics
Among hot industry buzzwords, “zero trust” has been white-hot recently. Vendors of all stripes have applied the buzzword to their products and looking to turn zero trust into a product sale. “Buy my product, and you will have zero trust,” say many security vendors. However, the clear consensus of the panel was that zero trust isn’t a product but a strategy–and a valuable strategy at that.
Putting the value of zero trust aside, this situation highlights how easy it is to mix strategy with tactics. A CISO that buys a “zero trust” product from a vendor may think they are covering all necessary security bases. But, the reality is that this CISO is stuck in the tactics that may or may not align with the strategy that the enterprise needs to follow. A CISO that doesn’t have a coherent strategy – anchored to knowing what needs to be protected and having a good plan – is at best wasting IT budget on products that minimally improve security posture. Still, at worst, creating a false sense of security that eventually will lead to an enterprise being compromised.
There are several more key takeaways from the discussion, and I highly recommend watching the playback. However, if there were a common thread among all, it’s that CISOs face a wide variety of challenges that can only begin to be addressed by a diligent focus on doing the fundamentals right.