By Deryck Mitchelson, Field CISO EMEA, Check Point Software.
The Chief Information Security Officer (CISO) position has evolved. Today’s CISO role diverges substantially from that of the past. The position has transformed from an in-the-shadows, mid-level technical role into a multi-dimensional, high-visibility senior-level position centered on business leadership, corporate risk governance and driving security decisions.
The contemporary CISO is responsible for risk identification, for developing a culture of shared risk ownership, and for active risk management. This person also bears responsibility for building trust among stakeholders. The latter is a newer responsibility and, if not executed well, can lead to negative outcomes.
Building trust and retaining accountability
As part of the trust-building process, at scheduled intervals throughout the year, CISOs provide updates, offering stakeholders assurances concerning the implementation of best cyber security practices and strong cyber hygiene programs. They discuss how these programs function to support security needs. They provide brief, non-technical overviews, touting the measures that they have implemented and standing by their legitimacy.
But when the rubber meets the road, and stakeholders demand accountability rather than assurances, CISOs often seem to wish that they had taken even greater initiative around cyber security. CISOs commonly regret not having more sophisticated ways to point to specific cyber security actions and architecture.
Upon investigative inquiry or in legal cases, the ability to highlight specific cyber security investments and their efficacy can prove invaluable. For example, when the CISO of SolarWinds publicly expressed a focus on “heavy duty [cybersecurity] hygiene”, those words were taken as truth. In the wake of the devastating SolarWinds breach, a court will evaluate his word against actual cyber hygiene practices.
In the corresponding litigation, shareholders allege recklessness on the part of the SolarWinds CISO, but evidence pointing to cyber security solutions and their effectiveness could potentially scuttle the plaintiffs’ contentions. As this case shows, it pays to have both a means of truly securing your organization and a means of generating substantial evidence of security development initiatives.
Increasing accountability and trust
In my experience, CISOs who have experienced a breach often wish that they had done more in terms of prevention. More preventative measures can limit ‘blame’ attributed to a CISO’s actions or inactions, and can quickly revive trust in a CISO’s competence.
After a breach, the narrative often changes from working to adjust cyber hygiene across the organization to needing more capabilities, more resources with which to plug security gaps, and above all, more fiscal investments in cyber security architecture. This approach can also work to restore trust, increase accountability, preserve acceptance of security risk, and optimize owned cyber security technologies.
It’s not enough to simply maintain good cyber hygiene and then tout strong security. Too much is at risk, and CISOs can be held to serious account. In turn, CISOs can’t afford to under-invest in security architecture. It pays to spend. CISOs and their teams need to tackle security with best-in-class solutions offered by mature vendor partners.