Edwin Doyle, Global Cyber Security Strategist, Check Point Software.
One of the greatest challenges for a CISO today is working with their colleagues. This is especially true in a business that creates digital products. The software developers in those corporations are incentivized through their KPIs to meet deadlines, produce products that work, and impress the corporation's customers. It seems nothing in their KPIs pertains to keeping the organization cyber secure.
Incentives drive behavior
Incentives set groups within an organization against each other. If I make my year-end bonus by producing the software code for a new widget, my KPIs are likely to reward great quality work within a specified time frame, typically influenced by sales expectations and customer demand. I am therefore incentivized to achieve my responsibilities regardless of any consideration outside my KPIs. What's one of the most significant reasons to slow down my software development? Security, of course!
Hiding from security
In a recent conversation with a Business Information Security Officer at a very well-known and established innovative healthcare company, I was told that his greatest challenge was communicating with the corporation's software developers. In fact, he told me that they frankly avoided meeting with him. Worse yet, the developers try to get their product so far down the road of development that slowing it down for the sake of security would be positively financially detrimental for the company, thus achieving their objectives, and the CISO's concerns be damned!
Threats on all fronts
So, a CISO needs to combat both external threat actors and these internal, misaligned incentives. Job satisfaction can become quite challenging when one must battle on both fronts, and perhaps this is why we see the tenure of CISOs being so short; according to Cybercrime Magazine, the average tenure for a CISO is between 18 and 26 months. However, the grass is not always greener, and since CISOs continue to change roles frequently, it seems evident that executives at the new corporations are paying lip service to the same mantra of "we support the CISO" while in fact prioritizing business.
The prioritization of business has never been in question. One could argue that a CEO prioritizes business and solid brand recognition by ensuring cyber security best practices, but again we have a problem of incentives, especially with publicly traded companies, where executives are given bonuses almost solely on hitting revenue targets that the Board of Directors dictates.
It seems obvious that HR departments need to restructure KPIs and incentives throughout these organizations, but what does the CISO do in the meantime? They cannot influence these HR problems and so need a solution in the interim.
We've started to see the emergence of cyber security products designed to wrap security around developers as they work (DevSecOps); like a snake eating its own tail, the more the developers code, the more security is applied. This eliminates the lengthy review process at the end of product development, which is more secure, since it avoids the overwhelming task of reviewing thousands of lines of code at once, and it also doesn't jeopardize the KPI metrics of either team.
Scanning for secrets as you go
These products scan for secrets and misconfigurations, which are among the leading causes of breaches today and are predicted to account for 99% of cloud breaches by 2025.
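As an added illustration of what an as-you-go check looks like at its core (example code, not from this article or from any vendor's product), the following scanner combines fixed-format credential patterns with a Shannon-entropy test on string assignments and is shaped to run as a pre-commit hook. The key formats, variable-name keywords, threshold and sample lines are all assumptions constructed for the example.

```python
import math
import re
import sys
# Fixed-format credential patterns (assumed formats; not from the article).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic case: a secret-looking variable assigned a quoted literal of 12+ characters.
ASSIGNMENT = re.compile(
    r"""(?i)\b\w*(secret|passw(?:or)?d|token|api_?key)\w*\s*[=:]\s*['"]([^'"]{12,})['"]"""
)

def shannon_entropy(s):
    """Bits per character; random-looking tokens score higher than dictionary words."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def scan_lines(lines, entropy_threshold=3.5):
    """Return (line_number, finding_type) pairs for lines that look like leaked secrets."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
        m = ASSIGNMENT.search(line)
        # The entropy filter drops low-entropy placeholders such as "password1234";
        # a noisy scanner is one developers learn to avoid.
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append((lineno, "high_entropy_assignment"))
    return findings

# Constructed sample source lines; every value is fake.
SAMPLE = [
    'DB_HOST = "db.internal.example"',
    'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"',
    'password = "password1234"',
    'api_token = "s3cR3t-9fQ2xLm7vPq4ZwB1nH"',
    "-----BEGIN RSA PRIVATE KEY-----",
]
if __name__ == "__main__":
    # Pre-commit use: pass the staged files; a non-zero exit blocks the commit.
    hits = [(p, n, t) for p in sys.argv[1:]
            for n, t in scan_lines(open(p).read().splitlines())]
    for path, n, t in hits:
        print(f"{path}:{n}: {t}")
    sys.exit(1 if hits else 0)
```

Run against SAMPLE it flags lines 2, 4 and 5 while leaving the hostname and the low-entropy placeholder password alone; tuning the threshold is the trade-off between missed secrets and developer fatigue.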
In addition to these technologies, the people and the processes should receive an uplift in maturity from a strong CISO leader.
The CISO as an influencer
Influence is key. Organizational structure is key. Having the CISO report directly to the CEO helps and we are seeing this more and more in enterprise organizations.
Influence, on the other hand, comes more from business acumen than from technical expertise.
CISOs would benefit from educating the organization with the following reasons for putting security on par with business development:
– According to a Ponemon study, a breach costs the average company $1.5 million, and organizations that suffer breaches are unlikely to remain in business by the following financial year.
– For US-based corporations, the SEC ruled in March 2022 that publicly traded companies must not only disclose their cyber best practices but also audit their supply chain's cyber security capabilities. This also affects private corporations, since their customers may well be the public companies that will suffer financial penalties if they allow vendors with substandard cyber practices to supply them.
– Cyber threats affect everyone, and it's time for corporations to instill a culture of digital best practices in all of their employees now. It's either now or later, so get ahead of the threats now, while not under the duress of an attack.
With the right technology, processes and trained people, there is no reason security should delay business development in 2022.