CISOs face mounting technology and organizational challenges
During this time of industry change and transition, the role of a CISO takes on added importance for any enterprise organization. Because cybersecurity is now a boardroom priority and the network footprint has expanded to encompass an exploding IoT universe and an evolving network-centric approach to physical security, a CISO must become operationally resilient in his or her approach to security and risk assessment, while understanding that the perimeter of their turf is a constantly moving target.
No one understands this better than Eitan Bremler, VP of Products for Safe-T Data, a provider of solutions designed to mitigate attacks on business-critical services and data, who says that the role of CISO presents myriad challenges, ranging from maintaining technology fluency to staying relevant with the organization’s board-level decision makers.
The Game is Changing
“The role has changed a lot. In the past you would have a CIO that would manage the network and the security aspects, but now you are looking at more of a split of duties approach with a CSO and a CISO or CIO handling day-to-day operations and applications. We see organizations where the CIO handles networking and applications and the CISO or the CSO is responsible for managing the physical aspect of security whether that is IT or asset related. In many cases they are peers or you may have the CISO reporting to the CSO or CIO. The roles have become more focused over the last few years whether it is related to cyber or physical security,” says Bremler, who also served as a technical officer in the Israeli Intelligence Corps of the Israeli Defense Force.
He says organizations are now looking at an entirely new definition of access control, one that spans everything from physical biometrics or card access at the door to managing Active Directory and all other password solutions for the network. He contends that while the approach may appear more centralized, in essence it is really a more widely dispersed solution with a shifting perimeter.
“In the past, everything was essentially an island. Departments within the organization had their own systems, their own data that they seldom shared with anyone else or let anyone else access, so security was easier. I just had to make sure my data never left my silo so there was a built-in trust. I trusted my employees so security was pretty much a trust-based approach,” Bremler adds. “Now, with the fact that almost every organization has gone digital with their data and opened their information to the outside world, whether it’s customers, business partners or other companies, I’m now much more exposed to the outside world which by definition is untrusted. So we are moving from an un-trust to a no-trust model.”
He explains that the perimeter continues to grow and the role of security executives continues to change as well. In addition to the CSO, CIO and CISO titles at most enterprise-level organizations, there is the recent emergence of the CRO – a chief risk officer.
“This executive can certainly be a parallel colleague of the other C-level security titles but usually won’t have security responsibilities beyond helping to assign and weigh risk levels, handling security and risk audits then sharing those with his counterparts and helping form a strategy to mitigate or lessen that particular threat,” says Bremler. “Looking at the big picture, there are a lot of people in play when it comes to an organization’s security roadmap. To that end, a successful CISO will need the skills to manage all the various sources of risk information ranging from compliance audits to moving data to the Cloud. Both the CISO and CSO have much more to absorb and learn now than ever before. They must understand how to analyze new solutions and technologies so they can make informed decisions so they can select solutions that are relevant to their organizations. It is a much more proactive approach to mitigating threats.”
Zero Trust Network
The concept of trust versus no trust has been part of the CISO lexicon for years. The Zero Trust approach, however, is a relatively new model, created in 2010 by a research firm analyst, that has quickly gained support from mainstream CISOs looking to deter the growing sophistication of network attacks. The basic concept of Zero Trust is pretty simple – trust nothing and no one. And Bremler is certainly an advocate.
“The classic Zero Trust model has us moving from a world of trust by definition to no trust by definition which, in my opinion, is really a much better approach and realistically is usually the approach used in physical security. In the physical security world, I don’t trust anyone, so show me your identification badge and I will tell you if you can enter the building or not. So while the physical world embraced the no-trust concept, the digital world was all about trust. I publish to the outside world the services I have; this is my SAP portal, this is my SharePoint – everybody knows it. When someone tries to access my SAP we go through the whole authentication process to see if I do or don’t trust this person. Unfortunately now everyone is hitting my services, even the hackers,” says Bremler.
He stresses that with the Zero Trust model, you trust no one.
“We don’t share our services, we don’t share our SAP, we don’t tell anyone there is SharePoint that can be accessed, but instead will direct you to a hub where we can authenticate that person and once trust is established we tell you okay customer or business partner, now you can access our services,” he says.
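The hub-based, default-deny model Bremler describes (services unpublished, every request authenticated first, then authorized per service and device) can be sketched as a small access broker. This is an added illustration, not Safe-T code; the token format, service names, roles and posture flag are constructed for the example.

```python
import hmac
import hashlib
import time

# Hypothetical broker signing key (constructed for this example, not a real secret).
BROKER_KEY = b"example-broker-key-not-for-production"

# Internal services are never published; only the hub knows where they live
# and which roles may reach them.
HIDDEN_SERVICES = {
    "sap": {"upstream": "sap.internal.example:8443", "roles": {"employee", "partner"}},
    "sharepoint": {"upstream": "sp.internal.example:443", "roles": {"employee", "partner", "customer"}},
}

def issue_token(subject, role, ttl=300, now=None):
    """Hub issues a short-lived HMAC-signed token once it has authenticated the person.
    Constructed format: subject|role|expiry|signature (subject must not contain '|')."""
    exp = int((now if now is not None else time.time()) + ttl)
    payload = f"{subject}|{role}|{exp}"
    sig = hmac.new(BROKER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"

def verify_token(token, now=None):
    """Return (subject, role) if the signature is valid and unexpired, else None."""
    try:
        subject, role, exp, sig = token.split("|")
    except ValueError:
        return None
    payload = f"{subject}|{role}|{exp}"
    expected = hmac.new(BROKER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if int(exp) < int(now if now is not None else time.time()):
        return None
    return subject, role

def broker_decision(service, token, device_clean, now=None):
    """Default deny: authenticate first, then check device posture, then authorize
    against the hidden service table. Nothing about the service is revealed before
    authentication succeeds."""
    if token is None:
        return {"allow": False, "reason": "not authenticated"}
    ident = verify_token(token, now)
    if ident is None:
        return {"allow": False, "reason": "invalid or expired token"}
    subject, role = ident
    if not device_clean:
        return {"allow": False, "reason": "device failed posture check"}
    svc = HIDDEN_SERVICES.get(service)
    if svc is None or role not in svc["roles"]:
        return {"allow": False, "reason": "no such service or role not permitted"}
    return {"allow": True, "reason": "ok", "subject": subject, "upstream": svc["upstream"]}
```

An unauthenticated or compromised device is refused before the broker ever consults the service table, which is the property Bremler's quote relies on.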
The Shifting Security Landscape
Bremler asserts that the paradigm must change for the embattled CISO. The facts bear him out. A recent industry survey from Cybersecurity Ventures paints a frightening picture. Cyber crime is expected to impact global business to the tune of $6 trillion annually by 2021, more than a 50 percent increase from just 2015. And this hit comes despite IT departments spending seven percent more on security over the last two years.
So how do the CISO and his corporate peers defend against the onslaught of advanced technology and more sophisticated hackers? Bremler says that is the $64,000 question.
“This is a perplexing question. At the end of the day we probably have more IoT devices than people. If you use that Zero Trust concept where in order to even access my network you need to be authenticated first, that is a good first step. And even if you have malware on your device, you’ll never make it through my perimeter to get to the network. So applying that to the changing role of the CSO or CISO, I think there is an entirely new vertical segment of professionals out there where these guys don’t even know what they don’t know, especially in the industrial segments of manufacturing and healthcare,” says Bremler, referring to the growing dependence on robotic assembly lines in places like automotive manufacturing, and on healthcare facilities that employ more and more network-centric medical devices.
“In an environment like an automotive plant where physical security is extremely strong, nobody is allowed anywhere close to the assembly line if they aren’t a credentialed employee. However, that same robotic assembly line could have vulnerabilities over the network,” Bremler adds.
Keep It Real
Bremler is also adamant that in today’s risk environment the CSO or CISO must be totally transparent when it comes to operations, especially in verticals that are heavily regulated and require that executive to understand the compliance implications associated with their organizational risk. Even if the organization is not driven by regulatory compliance, being transparent when it comes to reporting threats and managing risk options will keep the CSO/CISO in good standing with the C-level suite.
“It is better to share your vulnerabilities or ultimately any network hack while you can still control the message. You can’t hide an incident because everything ultimately leaks out. Being honest, candid and open about a situation is relevant and required so everyone knows the state of the security breach, how it can be resolved and how much it will cost the organization.
“Another key element for today’s CSO/CISO is to be open to feedback from others in management in your organization along with your peers. Business ultimately drives the organization, but the CISO has to be tuned into the business objectives enough that he or she can put the brakes to a project if it doesn’t meet requirements A, B or C in order to limit risk and liability. Being a CISO in today’s business environment is certainly a balancing act,” Bremler concludes.
About the Author:
Steve Lasky is the Editorial Director of SouthComm Security Media, which includes print publications Security Technology Executive, Security Dealer & Integrator, Locksmith Ledger Int’l and the world’s most trafficked security web portal SecurityInfoWatch.com. He is a 30-year veteran of the security industry and a 27-year member of ASIS.