As more companies fill the CISO position, this executive-level role appears to be getting closer to the rest of the C-suite in terms of business responsibilities. But some CISOs meet the challenge of working with their C-level counterparts, while others remain stuck trying to bridge that communication gap between technology and the business.
In both cases, the role continues to evolve and executives are faced with numerous CISO challenges; the biggest is that what matters from a cybersecurity perspective cannot be mapped to what is actually happening behind the scenes. During a panel discussion at RSA Conference 2016, Pavel Slavin, technical director of Medical Device Cybersecurity at Baxter International, said enterprises often prioritize the wrong things and struggle to identify the true cybersecurity challenges facing them.
"We often concentrate on things that create a false sense of security -- shiny reports, graphs and lists of things we successfully blocked. Yet, 63% of people have lost their private health information, and we've had two infusion pump hacks in the last year," Slavin said. "It seems we overemphasize our efforts on protection."
John Pescatore, director of emerging security trends at the SANS Institute and the moderator of the panel, said CISOs need to identify the specific cybersecurity challenges their organizations face and be able to address them. "The challenge for the CISO is to balance the importance of security based on the business as well as the vertical they are in, the value of their company's data and other factors," Pescatore said. "Why are some companies not in the news? It's because they have a quality and mature security team and an ability to cause change within the organization. They are also led by a strong CISO and are prepared to deal with the real challenges across the business, the technology and the people making it run."
So what are the common CISO challenges? Here's what some cybersecurity experts had to say about issues ranging from basic password policies to byzantine compliance matters.
Sometimes, it's the simple stuff infosec teams are missing or messing up, according to experts. "Passwords, patching, detection and response time are some of the top areas where companies continue to fail," said Robert Herjavec, CEO and Founder of Herjavec Group and co-host of the popular reality TV show Shark Tank. "Password resets are probably one of the easiest things to look for that most companies miss."
Another panel member at the RSA Conference, Don Smyczynski, CISO for Rich Products, manages technology for 36 production plants and 5,000 knowledge workers around the world using a federated IT business model (120 people). He provided his list of top concerns:
- Theft of intellectual property: "People think the data is theirs and that they can do anything they want with it; we've had good wins protecting the processes, but data and recipes can be recreated; it's the process that really matters," Smyczynski said.
- Internet of things: "Industrial engineers think they know everything and aren't waiting for IT security to be defined and baked in before they move ahead; they need to move quickly but safely."
- Third-party vendor management: "Our production and manufacturing plants employ loads of people who have access to each location; it's an enormous task to see how many people have access to systems -- some don't even work for the company any longer," Smyczynski said. "Taking into account that vendors' networks are an extension to the company's own network, they need to be considered as part of this equation. Your vendors' security practices can end up being the lowest common denominator for your own."
Other challenges faced by CISOs involve regulatory compliance. Just one new device or system added to a corporate network can necessitate several lengthy and complex steps for CISOs to take to ensure the enterprise is still compliant with numerous regulations. "Most CISOs, including myself, build their budgets around mandatory compliance, linking projects with the investments," said Demetrios "Laz" Lazarikos, CISO for vArmour and former CISO for Sears online.
"For example, if a device or machine was going to be placed on a regulatory network, the investment for the device should have security costs baked in to address the following items," he added, listing the criteria:
- I must perform a vendor review.
- How is the device patched?
- Who has access to the device/system?
- What type of security monitoring will the device require?
- Who is monitoring the device for security issues -- the vendor or the end user?
- If your device is compromised, who will notify the end user, and how?
Whether it's compliance, IoT security or basic password management, the CISO challenges facing today's cybersecurity leadership are numerous. And what's more, the threats and technology landscapes are constantly changing, forcing CISOs and enterprise leadership teams to constantly evolve and adapt their security programs.
A CISO's responsibility is to protect what is under her purview, though that sounds easier than it actually is. What about issues that aren't in the CISO's purview? What about cybersecurity blind spots -- the things they can't see, forget about or simply don't know about? The next part of this series will look at some of those common blind spots and how they can be cleared up.
Stay tuned for part two in this series on CISO challenges.