CISO priorities have quickly adapted in this new work-from home era; we have seen a drastic shift in direction amongst security professionals. Long gone are the days of antiquated ideals where companies deemed matters of security and visibility unimportant. CISOs are now tasked with the challenge of adapting their organizations. For most, the fear of suffering a data breach in the cloud is crippling. For any other, they choose to circumvent security with hopes of gaining access to the agility and speed offered by the cloud. Too often, enterprises are making a false choice: embrace cloud rapidly and carelessly rely on reactiveness and post mortem analysis to survive in this new era. Proper investments into a modern infrastructure are no longer optional; times are changing rapidly. While most agree that taking advantage of this technology is good for business, it’s clear from the onslaught of news headlines about data breaches caused by misconfigurations that companies are struggling to embrace the cloud in a secure, controlled manner. Our hope is that this blog provides guidance to leaders and practitioners on how other CISO are approaching their concerns in the second half of 2020.
One of the most drastic shifts we have seen in 2020 is the shift to a remote workforce. Almost every CISO has been fighting the battle for “end-to-end visibility” into this new remote user group. Executives pushing for quick shifts to get employees up and running have failed to realize the security implications of this rapid shift. The huge discrepancy between the rate of cloud adoption and implementation of proper security to meet this new workforce is the reason data breaches caused by cloud misconfigurations continue to be rampant. The old days of breaching a network's perimeter technologies and slowly exploiting laterally across systems is less of an emphasis thanks to the cloud. In the modern enterprise, identities are the new perimeter.
What makes managing identity complex is the breadth, they can span not only across one cloud but also all clouds, and the depth, they include person and non-person identities. Security teams are tasked with understanding who is accessing your data, when did they access it, what did they gain access to and what they did with it?
Basic SIEM use cases are seeing a resurgence in relevance. Foreign cyber security threats are at an all time high and ransomware is positioning itself as the new CISO buzzword. So, what does all of this have to do with identity management? The bottomline is companies need end-to-end visibility of their identities and data across their clouds at all times.
With data breaches on the rise, a lot of CISOs have reverted to using a zero trust model. The cloud transformation is enabling CISOs to ditch on-premises legacy systems. Many are enthusiastic about building cloud security right from day one, and zero trust is a big part of this. Zero trust limits role-based access by default. It ensures users are who they say they are, and that their devices meet reasonable security standards before connecting, but isn't enough. CISOs need to take this a step further by getting to and maintaining the status of least privilege.
“CISOs are defaulting to VPNs to deal with a work from home population that grew from 20% to greater than 80% of employees in a matter of weeks. In some cases, basic VPN access has superseded more thorough zero-trust access projects that require time and planning for things like policy management.”
These methods offer a secure posture but require additional investments into tools such as firewalls and other gateway appliances. They also entail a significant investment in man hours for policy management planning to ensure their model is not counterproductive to the workforce.
It is important to note that while Security is always a top CISO concern, so are KPIs related to response and recovery times, product development, and customer satisfaction. A CISO is not just responsible for keeping their company’s data safe from outside threats, they are also responsible for ensuring that projects are done efficiently. Many companies and vendors that position themselves to prioritize the NOC and the SOC also have dual applications into the DevSecOps world. It is a very similar technology that allows companies to locate and mitigate malicious actors; this allows companies to locate and detect outages in real time. The man hours and the opportunity cost from an outage can be enormous and is often overlooked by the business and financial team. Maximizing a developers time is key, and every hour wasted on fixing the environment is an hour lost to the company. CISOs should be quickly moving into this space and making significant investments if they have not already. Vendors that have dual use cases are positioned to better upsell their products. A CISO is always positioned to reduce the number of technologies and reduce everything to a single pane of glass wherever possible.
“Shockingly only 22% of companies say their Security function is integrated with other business functions”.
Few companies have the reach and resources needed to hire a dedicated Chief Compliance Officer and, in most cases, their responsibility actually falls to the CISO. We have even seen a trend of Sr. Audit and Compliance individuals being groomed and promoted into the CISO role. Being able to create meaningful reports and show compliance in real time is a major struggle for most organizations. What the CISO wants most is to be able to stand in front of their customers, executives, and BoD and attest with confidence to the quality of their controls. Reducing the amount of time auditors spend on-site at a company is key to maintaining good relations and to redirecting key staff back to more productive endeavors. The truth is, compliance is changing and making the world more secure. CMMC is a new form of compliance issued by the DOD, essentially, anyone who does business with the DOD anywhere on the supply chain will be required to adhere to some level of CMMC compliance. This is important given the market will begin to prioritize brands and organizations that meet these standards, even when not required to do so. The ability to assist an organization in creating accurate reports and translating large manuals will become even more prevalent as this year continues.
The ability to identify risks quickly and respond in real-time is becoming increasingly more important as the very real emergence of “alert fatigue” sets in.
“Over 65% of SOC professionals say stress has caused them to think about quitting”.
This puts an overwhelming burden on the already stressed out and overworked CISO. As we have discussed, a CISO’s job descriptions do not stop and end at security, they are often responsible for much more. In this case, employee happiness and reducing CHURN is a key CISO responsibility. The ability to use triggers to detect a problem before it arises and to find the source of a problem in seconds rather than days is a key metric for any CISO. The aforementioned is no longer ONLY regarding data health anymore, human health and stress is of utmost concern; with qualified employees at a shortage, employee happiness is finally valued as crucial to a successful operation.
It may seem like common sense, but the only way to stay at the forefront of security is to stay constantly vigilant and provide useful continuing education to employees.
“CISOs will need to devote some time to educating a displaced workforce on the present dangers of phishing through email and other communications, including video conferencing tools like Zoom”.
However, the need for education and vigilance goes well beyond online classes and testing employees with basic phishing emails.
“Cox Enterprise’s McLeod points to several other priorities that he sees as common for large-business CISOs. One is to constantly re-evaluate the company’s existing security systems, and wherever possible, streamline them to reduce the administrative burden, reduce licensing costs, and fight complexity. “You should have metrics on everything, and back those metrics up with dollars,” he says.”
Metrics, constant re-evaluation, and simplicity in the number of technologies are now all part of the vigilance and continuing education required of any successful CISO.
The CISO role has changed. According to Jon Oltsik, Senior Principal Analyst, Fellow, and the Founder of ESG Research, the CISO role is “all about securing remote users. This one is obvious, as stated earlier, but it’s also the reason why CISOs are busier than ever. The mandate from executives was to get employees up and running first and then address security afterward. CISOs have been fighting ‘bolt on’ security cycles like this for years, but the virus has forced security teams to work uphill to catch up. This means on-the-fly risk assessments, controls adjustments and lots of work in tandem with IT and network operations teams,” Oltsik continues. “CISOs are asking trusted vendors for help.”
CISOs will face new security challenges each year, requiring them to keep pace with the constant revolutions of the technology world. This pace, however, is accelerating rapidly with the new “normal.” CISOs and security teams have an important role to play in strengthening security, in addition to business continuity, by ensuring that current and future telecommuting and WFH policies do not create tradeoffs between usability and security. These increasingly varied risks in 2020 will continue to push CISOs priorities.