The Transformation of the CISO
In this blog, Chris Hodson, Global CISO at Tanium, sat down with Geoff Fisher, Cybersecurity and Incident Response Executive at EY, to discuss the role of CISOs and how it has transformed as a result of the COVID-19 pandemic.
Translating cybersecurity into business metrics
Chris Hodson: I’d like to start off with a question I have heard quite often since the start of the pandemic: Do CISOs truly understand their business? There are many that still see the security function as being very IT-centric and detached from business-as-usual operations. What’s your take on this?
Geoff Fisher: So I think that at the enterprise level, CISOs truly do understand their business, but what they are lacking is the telemetry to explain why cybersecurity and incident response should be important to their executives. All CISOs ultimately understand what their business does and they’re trying to put it through that lens of security. They just don’t have the right data in many cases to explain to their senior leadership why they’re attempting to accomplish something. And they don’t have the visibility to quantify things. I think what they need is a way to explain their needs that is data-driven, much in the same way that the business explains its needs for budget and growth.
Chris Hodson: That’s certainly the gap that I’ve seen. Security people understand security metrics, right? We understand why we need firewalls, why we need patching, why we need robust identity management — but translating that into a series of business-aligned metrics is another matter.
Maneuvering the new risk landscape
Chris Hodson: This leads me to my next question: Do you think the threat landscape has changed for CISOs during the pandemic?
Geoff Fisher: The people who have been doing the attacks will continue to thrive in this time because the pandemic didn’t change anything. It didn’t really change the TTPs of any of the attackers. So, as a result, for cybersecurity, it’s still about going through the same conversation: Do I know where all my assets are? Am I patching all of them? Am I monitoring them? Can I quickly investigate and quarantine my end user endpoints and then pivot into doing the right thing quickly? None of that changed.
What did change is where you want to spend your money. I might spend more on securing the human today than I may have in the past. I now know that this weakest link is going to expand from a risk perspective.
Chris Hodson: On your point about securing the human, we have to appreciate that from an end user perspective, everyone’s working at home. They’re more susceptible to phishing, they’re tired and stressed, and they’re trying to balance their home life, their children, and working in an unusual environment. So I think that makes you more susceptible to malicious activity.
The same goes for the defenders, the security operations teams. They’re generally used to operating within a SOC or NOC environment. They’re running cross-functional stand-ups and collaborating to solve problems, and adapting to do all that remotely is a significant challenge.
The other key challenge is around internet and application access. A number of organizations who’ve had to allow split tunneling because of issues with bandwidth and network performance have to deploy their patch updates over a VPN. But now that VPN is absolutely saturated and is being used to deliver core business applications. It’s a tough time for the CISO.
Evolving the role of the CISO
Chris Hodson: Do you think the CISO’s role itself has changed?
Geoff Fisher: I would argue that the CISO in the not-so-distant past was kind of a role that was very governance-focused and rules-based. I think that they’re taking equal footing now from a CIO and CTO perspective and are making business decisions. CISOs ultimately have more of a seat at the table than they may have had in the past. They’re getting comfortable with managing some level of uncertainty and risk in their organization and knowing that they have some dynamic controls at their fingertips to be able to do that appropriately. They’re trying to balance risk with functionality with just the need to get it done. I think that’s really where the evolution over the past couple of months will actually be a good thing for the industry. The relationship that CISOs, CIOs and CTOs are ultimately building as a result of this is going to be really helpful.
Chris Hodson: Yeah, I think that the CISO’s role is changing to a consultative function. In the pandemic the CISO is there to design controls or advise to a level of risk commensurate with the organization. CISO roles had to change, but I think, also to their credit, so did the CIO and CTO. They are having to get a lot more flexible, a lot more consultative.
Expanding the focus beyond detection
Chris Hodson: The last question I had today was around the importance of robust security foundations and best practices. Have all these sensational news stories of state-sponsored cyber-threats made it harder for CISOs to prioritize?
Geoff Fisher: You know, I think this is where it’s tough. Those “sensational” threats have always been there but it’s been a little under the waves, and perhaps more related to critical infrastructure. I’m not sure that it’s really the same for the broader world. I truly believe getting the fundamentals right is where everybody should be focusing, and I just don’t think that blowing up all of these single point-in-time events for very specific organizations does anything to educate.
Should people be looking for fileless malware? One hundred percent. Should you be worried about process hollowing? I think so. But if you don’t know where all your assets are, and you aren’t patching Java and PDF Reader, you’ve failed the basics. I’m a firm believer that the NIST CSF is really how you should be thinking about your security program. But if you’re missing the respond-and-recover aspects, which a lot of smaller organizations do, that’s going to cause problems for you.
Chris Hodson: I completely agree. I think many organizations get focused on detection. But detection without the means to remediate and respond is almost putting CISOs in a worse situation. A fire alarm goes off and they’re not empowered or in any way capable of remediating.
That’s something we passionately believe at Tanium. Protection is incredibly important, but so is the ability to quarantine a machine, deploy a patch or take something offline. Organizations have to have real-time visibility into what’s going on in their network – especially after moving almost the entire workforce to remote environments – and be able to respond to and remediate threats with speed and confidence before a threat becomes an enterprise-wide breach.
Thanks for your time today, Geoff. I look forward to continuing our discussion at our upcoming panel on July 23 with former hacker Alissa Knight of Knight Ink and cybersecurity analyst Chris Wilder from Moor Insights & Strategy.
Interested in seeing Tanium in action? Schedule a one-to-one demo or talk to our Tanium experts at our upcoming events.