Home » Cybersecurity » SBN News » MY TAKE: COVID-19 cements the leadership role CISOs must take to secure company networks

MY TAKE: COVID-19 cements the leadership role CISOs must take to secure company networks

by bacohido on May 13, 2020

Chief Information Security Officers were already on the hot seat well before the COVID-19 global pandemic hit, and they are even more so today.

CISOs must preserve and protect their companies in a fast-changing business environment at a time when their organizations are under heavy bombardment. They must rally the troops to proactively engage, day-to-day, in the intricate and absolutely vital mission of preserving the security of IT assets, without stifling innovation. And they must succeed on executive row, with middle management and amongst the troops in the operational trenches.

That’s a very tall order, made all the more challenging by a global health crisis that has slowed the global economy to a crawl, with no end yet in sight. One new challenge CISOs’ suddenly face is how to lock down web conferencing tools, like Zoom, Skype and Webex, without gutting their usefulness.

Cyber criminals have discovered Zoom logons, in particular, to be useful for carrying out credential stuffing campaigns to probe for deeper access inside of breached networks. Thanks to the sudden rise in use of Zoom and other video conferencing systems by an expanding work-from-home workforce, their logons are begin targeted by threat actors; underground forums today are bristling with databases holding hundreds of thousands of recycled Zoom logon credentials.

Sponsorships Available

I had the chance to discuss this state of affairs with Vishal Salvi, CISO of Infosys. In its 2020 fiscal year, ending March 31, Infosys reported revenue of $12.8 billion, with $7.8 billion coming from North America, $3.1 billion from Europe, $333 million from India and $1.5 billion internationally

Infosys is making a big push to expand its U.S. presence. The occasion for our meeting was the opening of Infosys’ Cyber Defense Center (CDC), in Indianapolis.

Salvi has been in the security trenches in enterprise settings for nearly two decades. We discussed how the role of CISOs has shifted from that of a security guru competing for slices of the IT budget to much more of a mission-critical leadership role. For a full drill down, please give a listen to the accompanying podcast. A few key takeaways:

CISOs’ changing role

CISOs, naturally, must be technically proficient. One of their main duties continues to be vetting security solutions and making buy versus build decisions with respect to security tools and services. However, in just the past few years, expectations attached to the CISO’s role have changed dramatically in corporate circles. Observes Salvi:

“We’ve gone to a stage where the Chief Information Security Officer has become a well-defined, mainstream role. It has become a leadership role. CISOs today need to be able to stand in front of a board and articulate a security response in a way in which all stakeholders can understand. To make an impact, they must be able to address the audience in accessible business language and in risk language.

“One important skill that’s required is the ability to influence. CISOs are reliant on their stakeholders to drive change across the organization. These stakeholders in operations, human resources, legal and IT need to be influenced, in the right way, to get them to do things for the CISO, so influencing skills are extremely important.

Salvi

“The CISO role has fundamentally changed. Beyond just understanding the technical aspect of cybersecurity, CISOs also need leadership qualities and influencing skills; they need to be able to articulate a vision, a mission, a strategy. The ability to explain the strategy, and then execute the strategy, has become a critical requirement. They have to be able to really drive the strategy and vision, and provide strong leadership, so that execution becomes flawless.”

CISOs’ fundamental challenge

Continual clear communication is needed to cut through the noise and confusion of digital transformation. Enterprises are in the throes of migrating their legacy on-premises IT infrastructure into the cloud. They are also expanding their use of Internet of Things systems at a time when their reliance on remote workers and third-party contractors also continues climbing. Operational efficiencies and agile innovation are the carrots on the stick. But all of these speedy digital advancements have a dark side: cyber exposures are multiplying and threat actors are taking full advantage. Salvi paints the backdrop:

“The audacity and lethalness s of the attacks have grown significantly and this has created a very fundamental challenge. CISOs need to build a security strategy under the assumption that their organization is constantly under attack.

“I personally believe that it’s not a hopeless situation and that this problem can be solved. It requires a clear understanding of organizational risks, and then CISOs need to be able to get the necessary sponsorship to drive change within the organization . . . The intensity and frequency of cyberattacks are growing, and those who ‘get it’ will come out winners, and those who are not able to execute will be exposed.

“CISOs must elevate their role to be able to not just have a technical conversation with the techies, but also to be able to have a business conversation with the board and a liability conversation with the risk manager. And at the same time, they’ve got to carry the constant burden of executing a security strategy, which assumes that you’re constantly under attack. None of this is easy.”

Empowering troops for battle

Enterprises are comprised of people; enterprises succeed or fail based on the performance of people. A company can have elegant processes and leading-edge technologies. But people can ignore processes and bypass tech tools. Getting people to pull in the same direction to protect IT assets is not as simple as it might appear. Attests Salvi:

“It is extremely important to have the right team to run your ship. You can buy the best technologies, but if you don’t have the right team to navigate that ship, it’s of no use. And you need to make sure your team is empowered to do the right things. It’s important to try to cut the bureaucracy and curb the micromanagement as much as possible and empower them to do their stuff.

“Then you need to constantly train your team members using various techniques, such as breach response assessments or cyber range exercises. If you look at the military model, the military is constantly training. There is continual training and upgrading of skills to be ready for battle, so that when an attack happens they’re completely ready to actually tackle any possible obstacles.

“The same thing needs to be done when it comes to cybersecurity. This means when there are no attacks, you need to constantly keep training your team members to keep them constantly vigilant because, without that, you will never be able to identify and mitigate these attacks.”

Shrinking the skills gap

People factor in another way. When it comes to skilled cybersecurity analysts and technicians, there are far too few of them. Finding qualified security team members remains one of the biggest headaches for CISOs. Some 3.5 million cybersecurity jobs are projected to be available, but unfilled, by 2021, according to a widely cited report from Cybersecurity Ventures. CISOs have had to scramble to find experienced security analysts to interpret alerts and skilled technicians to patch and test their systems.

However, it’s starting to look like the cybersecurity skills gap may shrink dramatically, going forward. This is because security vendors are expanding their offerings to include not just specialized tools, but services of their own skilled technicians as third-party contractors. Vendors of endpoint detection and response (EDR) tools, identity and access management (IAM) systems and vulnerability management (VM) services are moving in this direction.

So instead of having to having to recruit and retain inhouse technicians and analysts to operate on-prem EDR, IAM and VM systems, CISOs today can go shopping for hosted services that supply both the tool and the expert human operators of the tool.

Infosys has entered this space supplying a full-range of turn-key security systems as a subscription service. In addition to its new Indianapolis facility, it operates six other CDCs in Europe, India and Australia; these facilities function as state-of-the-art Security Operations Centers for hire.

Enterprise clients route their daily network traffic through one of Infosys’ CDCs, where the traffic gets dissected by security analysts, who correlate risk indicators, keep an eagle eye out for malicious activities and also make improvements to overall performance whenever they can.

“It can be extremely difficult, especially for non-technology companies, to build, maintain and retain a cybersecurity team,” Salvi says. “If you want rapid scaling and quick time to value, it’s much easier to partner with someone who can leverage a large pool of security resources, someone whose full focus and purpose is all about building and retaining an agile and heavily trained cybersecurity team.”

The rise in stature of CISOs is a move in the right direction. So is the rapidly maturing hosted security services space. Both will contribute to making digital commerce as secure as it needs to be. I’ll keep watch.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)