Industry executives and experts share their predictions for 2021. Read them in this 13th annual VMblog.com series exclusive.
Is 2021 the year the CISO-Executive Suite relationship boils over?
By Douglas Ferguson, CEO and Founder, Pharos
2020 has been an unprecedented year for people, business, economies, cyber risk, and the CISO.
Due to a sudden and unanticipated shift in cyber risk exposure, the CISO has been forced to pivot from a focus on classical business environments, such as offices and the assets in them, to the home environments of employees, contractors, and partners. Exacerbating this change was that cyber security teams, which typically work shoulder to shoulder, were suddenly working via VPN and a myriad of video calls and conferences. A change in management, resource and task tracking was thrust upon them.
But that wasn't enough for the CISO to manage. 2020 is ending with a rash of high-profile, pandemic-style cyber breaches of unprecedented scale and complexity. This includes not only the breach of numerous US Government agencies, but also the SolarWinds breach, involving technologies central to delivering cyber security capability to organizations around the planet, and possibly to the CISO's own organization.
There has always been an untenable relationship between the CISO and enterprise executives. The C-suite and Board are more recently at risk of career-jeopardizing events that are in the hands of their CISOs. And, in many cases, very well-funded security programs have experienced, and precariously handled, breaches with unacceptable impact. Executives must ask themselves: what does a good enterprise security program look like? What is the right budget? Does it matter? Is cyber security just a bottomless pit of budget, with no assurance that any given level of threat actor could be prevented from causing us an unacceptable cyber breach?
As crazy as it may sound, it is possible that the strained CISO-executive relationship to date has been the honeymoon phase, and that the CISO's life is about to get much more challenging. What could a CISO do to turn this dark prospect into an opportunity?
If a CISO wants to be a better business executive, a.k.a. a modern CISO, they need to take a security-economic approach and ensure they answer these challenges:
- If you cannot protect the organization's crown jewels from chosen levels of threat, does it really matter what you're doing? The security strategy must matter and be justified at the executive level.
- Has the security strategy been calibrated and aligned to protect crown-jewel assets from chosen levels of threat, with priority given to the greatest levels of threat exposure? If the strategy doesn't realistically align to how the crown jewels will be targeted, is it a strategy at all?
- Has the security strategy been formalized in a business plan that is cost-calibrated to targeted outcomes? Can it be restructured by scale and capability, giving executive stakeholders cost options from which to choose their risk appetite? Or is the business plan actually just a collection of individual budget asks that aren't unified under a justified strategic vision?
- Are security operations measured and tracked against a common set of metrics and KPIs, to ensure balanced and efficient leverage of resources and delivery of the capability stakeholders agreed to? Unless controls are measured and managed like a supply chain, they will often fail to deliver to need.
- Can protection outcomes be objectively and independently verified by non-conflicted sources? And can these be articulated so that business stakeholders have confidence in current cyber risk exposures and in the leverage of budget? Are pen tests and red teams perceived or leveraged merely as advanced vulnerability assessment? Or are they effectively seen and articulated as performance assurance for controls and security operations?
Is 2021 the year the CISO steps up and becomes business savvy and a business partner, or is 2021 the year executives lose patience with commercially unsavvy CISOs and refocus their attention on other means to mitigate cyber risk?
I predict 2021 will see many CISOs come to terms with the business drivers of their executive stakeholders and embrace a security-economic approach to cyber security strategy and operations.
About the Author
Douglas Ferguson, a security professional of over 20 years, is the Founder and CEO of Pharos Security. Pharos specializes in aligning security goals and strategy to the business and to a calibrated risk appetite, ensuring an integrated business plan and optimized operations that build to that plan and on budget.
Prior to Pharos, Ferguson was with Barclays Bank in London, where he was responsible for numerous security programs and initiatives across more than 40 countries. Previously, Ferguson was a Managing Consultant and researcher on the acclaimed X-Force at Internet Security Systems. He delivered security services to more than 200 clients globally and was a co-creator of the breakthrough System Scanner technology.