Left to right: Dan Creed, Cindi Carter, Russ Trainor, Pete Nicoletti, and Felipe García Vivanco at CPX 2024 in Las VegasSource: CPX
The role of Chief Information Security Officer (CISO) has expanded in the past decade thanks to rapid digital transformation. Now CISOs have to be far more business-oriented, wear many more hats, and communicate effectively with board members, employees, and customers alike, or else risk serious security failures.
In a wide-ranging press Q&A at CPX 2024 in Las Vegas, a panel of CISOs and vice presidents (VPs) of international organizations conferred on how digital transformation, bottom line pressures, and lack of security awareness have forced a shift in the nature of their positions–broadly, from being technical to businesslike, and highly social.
Today, they suggested, the difference between an effective CISO — and, by extension, an effective security culture at an organization — is as much about softer communication skills as it is mitigating vulnerabilities and defining policies. In fact, security leaders who thrive with the latter but lack in the former end up exposing their organizations to major breaches.
"You asked about the consequences?" Dan Creed, CISO at Allegiant Travel Company, asked rhetorically in response to a question from Dark Reading. "Ask SolarWinds what the consequences are. They had a password policy, an intern didn't follow the password policy, look at the consequences."
How Digital Transformation Transformed the CISO
"The role of the CISO has changed over the past 10 years, and we never really stopped to notice it," Frank Dickson, program vice president for cybersecurity products at IDC, stated in a separate CPX press conference on March 6.
Years ago, the position was created with the relatively narrow cyber risk focus that it's still associated with today. But it's expanded, thanks firstly to a broadening of the corporate attack surface. Typical breaches used to require vulnerabilities in corporate resources — think Target, Ashley Madison, and the like. Nowadays, particularly since COVID, it's employees' emails, phones, and other devices that instead represent the greatest risk to organizations. As the responsibility of information security has become a collective one, CISOs have been forced out of their silos.
Frank Dickson briefing the press on IDC's new report; Source: CPX
Digital transformation has also moved IT from its siloed corner, straight into the line of business. As Dickson pointed out, "About 40% of all the revenue for the [Global] 2000 next year is going to be driven by digital products and services. So what that does is change the nature of IT from a cost-setter, to something that's on the path to generating revenue. And if you think about what that does, that fundamentally changes the role of the CISO." The more that companies today conceive of IT as a business driver, the more CISOs need to be integrated in not just preventing and mitigating cyber risks, but also advising the board on business decisions, and rendezvousing with developers, salespeople, and customers.
The increasingly business-facing responsibilities of the CISO were reflected in an IDC survey revealed at CPX. Of 847 cybersecurity leaders polled, 10% believe that the most important job of a CISO is leadership and team-building skills, and 8% believe it's business management skills. Actual cybersecurity awareness and understanding, and IT architecture and engineering skills, received hardly more votes at 12% apiece.
How CISOs Can Do Better by Employees
It's not merely that CISOs should double as businesspeople — they need to. "The consequence of not establishing those relationships [is] you get a culture at the company of 'Well, it's not my responsibility.' Like SolarWinds, and MGM. They reset their MFA just by a call to the Help Desk, though they don't understand or realize the consequences of not having security awareness," Creed explained.
The subtlety in Creed's argument — echoed by others at the roundtable — is important. Preventing security lapses by employees is not simply a matter of spreading awareness, they emphasize, because even knowledgeable employees ignore security when their relationship with their security team isn't healthy, or when hygiene is simply too effortful.
"[They say] security should be hidden. I take it one step further: security should lubricate business and make it faster," said Pete Nicoletti, Field CISO at Check Point, echoing the evolved philosophy of the modern CISO. He offers VPNs as an example of where limited, old-fashioned CISOs have traditionally slowed business down. "How long does that hold my email for: two seconds, or 10 seconds? How long does VPN take for signing up? Are [employees] going to work around it because it takes 22 seconds and authentication? [It's about] trying to make these as transparent and easy to use as possible. Start picking tools that actually speed up the process, to where now you have a competitive advantage."
"Some of my earliest initiatives that I'm driving are exactly that," Creed seconded. "Let's move away from VPN, and get to an always-on where with your laptop, you turn it on, you're fired up, and you're connected into our network, going back through our security stack. The next objective is we're now laying the foundation to move to passwordless."
If talking to employees and making security easier for them isn't enough, CISOs can also experiment with alternative incentives. "We actually have KPI metrics around security culture. And we're getting ready to the point that we're going to start actually impacting bonus pools, to where if your department does better, it increases your bonus pool above the norm [. . .] and if you don't, then it hits your bonus," Creed explained.
How CISOs Can Collaborate Better With Fellow Executives
Then there's the board.
In its survey, IDC asked CISOs and their fellow CIOs what CISOs actually do — like, whether they're focused on strategic architecture, or whether the job is tactical by nature — and found not insignificant discrepancies in the responses, indicating that even the CISOs' closest C-level partners aren't totally on the same page.
Creed recalled one such case recently, where "We ordered some new 737s. And these are our first e-connected aircraft. [The board] did not include me in the earlier conversations, and then it became a fire drill that all new e-connected aircraft have cybersecurity requirements — that, in fact, if you don't have a network security plan approved and accepted with the FAA on file, you lose your airworthiness certification for those aircraft. Do you think the board, when they first started talking of going down this path of 'we're going to expand the fleet', considered that there might be security implications in that?"
"So you have to educate them, and explain to them: this is why we need a seat at the table. In every strategic decision that's made for the business, there's risk involved. [. . .] The more you include us at a seat at that table, the better that we can protect the business and weigh in on where that risk is at the onset rather than once it becomes a fire," he said.
To that end, in an interview with Dark Reading, Russ Trainor, senior vice president of information technology at the Denver Broncos, offered a simple tip:
"Sometimes I'll forward news of the breaches over to my CFO: here's how much data was exfiltrated, here's how much we think it cost," he says. "Those things tend to hit home."