So what does the CISO really do?
By Benjamin Cher August 29, 2016
- Needs to be the bridge between the boardroom and the server room
- With shadow IT, the bigger challenge is dealing with senior leadership
THE last organisation you would expect to find a chief cybersecurity officer is a cybersecurity company – after all, you would expect just about every employee there to already be cybersecurity-savvy.
The reality is far different, but also plays into the role of the security chief. All organisations need someone to not only stand between the bad guys and the organisation, but to also bridge the boardroom and the server room.
“Every organisation needs a chief information security officer (CISO) or chief security officer,” says Trend Micro Inc chief cybersecurity officer Eduardo Cabrera.
“You need a role or position that is responsible for not only defending the systems and networks while running the cybersecurity programmes for your organisation, but also someone able to speak to the boardroom as well as the server room.
“Trend Micro is no different – we need to be able to walk the walk, not just talk the talk,” he says, speaking to Digital News Asia (DNA) in Singapore recently.
Being the bridge between the boardroom and the server room is an important role, as the boardroom needs to understand issues and cyberthreats such as ransomware that the server room faces on a daily basis.
Threats are getting more frequent and sophisticated. According to Trend Micro findings, ransomware-as-a-service attacks grew by 172% globally in the first half of 2016, compared with the previous year.
“These criminal enterprises are really investing into their infrastructure – there has to be a huge return, for cybercrime-as-a-service is really pushing a lot and scaling these kinds of attacks,” says Cabrera.
The days of targeting individual consumers may not be over, but attack strategies are being specifically developed against enterprises.
“Ransomware is really shifting from consumer- to enterprise-based attacks,” says Cabrera.
Cybercriminals are not only developing capabilities to evade detection – such as self-deleting files – they are also honing their social engineering techniques, such as emails that seem to have come from the human resource department, with résumés attached to fool unsuspecting users.
Innovation vs security
The need to innovate – which means exploring and experimenting – often clashes with security, despite both being critical elements. This problem is often exacerbated by teams working in silos and coming to a head only after production is complete.
Cabrera (pic), who spent 20 years as the CISO of the US Secret Service, says there is a need to embed security early in the development process, a step he took during his time at that federal agency.
“What I did was to embed security personnel in DevOps, so there would be conversations much earlier in the development phase,” he says.
DevOps is the idea of making sure the IT development staff – where innovation is crucial – work closely with the IT maintenance staff, for whom innovation and the risk it entails may seem like anathema.
It is the difference between just saying ‘no,’ and instead asking ‘how?’
“I always had that motto when I was in the Secret Service, because you also have to balance compliance, security and innovation – you have to find that blend,” says Cabrera.
“It is an evolution – you have to bring down walls, increase communications, and embed security folk within the business units,” he says.
Shadow IT gets darker
Another role for CISOs and IT departments these days involves shedding light on ‘shadow IT,’ or the use unauthorised services or devices that are connected to the enterprise network.
“Shadow IT is just going to get worse not better,” says Cabrera. “You need to have visibility and control – these are basic tenets of cybersecurity – but if you can’t see it, you can’t protect it.”
“And you can’t rely on people in the different business units to follow all the rules all the time,” he adds.
This is even more pertinent as the BYOD (bring your own device) trend gets more popular, and the network perimeter starts to disappear.
However, Cabrera reckons the bigger challenge is in dealing with senior leadership, “because as soon as the CxO gets a new gadget and wants to use it, then complains that he or she can’t connect to the company infrastructure, it is up to the CISO to be able to explain why,” says Cabrera.
In this case, it is about having the right discussion.
“Don’t talk in terms of product, talk in terms of capabilities – for example, if they want tablets, go into their requirements and needs.
“Often, you have individuals saying they want to bring their iPad to work because of certain requirements – it is better to ask them what their requirements and needs are, then say you will find them a secure tablet.
“It is critical to offer solutions based on their needs and requirements, and not just give ‘no’ for an answer,” he adds.
21st Century Risk Management Part 3: From the server room to the boardroom
C-suite still largely clueless about cybersecurity: IBM study
Cybersecurity: You can’t stop the bad guys, so …
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.