Pharos Security 2021 Predictions: Is 2021 the year the CISO-Executive Suite relationship boils over?

vmblog 2021 prediction series 

Industry executives and experts share their predictions for 2021.  Read them in this 13th annual series exclusive.

Is 2021 the year the CISO-Executive Suite relationship boils over?

By Douglas Ferguson, CEO and Founder, Pharos Security

2020 has been an unprecedented year for people, business, economies, cyber risk, and the CISO.

Due to a sudden and unanticipated shift in cyber risk exposure, the CISO has been forced to pivot from a focus on classical business environments, such as offices and the assets in them, to the homes of employees, contractors, and partners. Exacerbating this change, cyber security teams that typically work shoulder to shoulder were suddenly working over VPN and a myriad of video calls and conferences. A change in management, resource and task tracking was thrust upon them.

But that wasn't all the CISO had to manage. 2020 is ending with a rash of high-profile, pandemic-style cyber breaches of unprecedented scale and complexity. This includes not only the breach of numerous US Government agencies, but also the SolarWinds breach, which compromised technologies central to delivering cyber security capability to organizations around the planet, and possibly the CISO's own organization.

There has always been an untenable relationship between the CISO and enterprise executives. The C-suite and Board are more recently at risk of career-jeopardizing events that are in the hands of their CISOs. And, in many cases, very well-funded security programs have experienced, and precariously handled, breaches with unacceptable impact. Executives must ask themselves: what does a good enterprise security program look like? What is the right budget? Does it matter? Is cyber security just a bottomless pit of budget, with no assurance that any given level of threat actor cannot cause an unacceptable cyber breach?

As crazy as it may sound, it is possible that what has strained the CISO-executive relationship so far has been the honeymoon phase, and that the CISO's life is about to get much more challenging. What could a CISO do to turn this dark prospect into an opportunity?

If a CISO wants to be a better business executive, A.K.A. a modern CISO, they need to take a security-economic approach and ensure they answer these challenges:

  1. If you cannot protect the organization's crown jewels from chosen levels of threat, does it really matter what you're doing? The security strategy must matter and be justified at the executive level.

  2. Has the security strategy been calibrated and aligned to protect crown-jewel assets from chosen levels of threat, prioritized by the greatest levels of threat exposure? If the strategy doesn't realistically align to how the crown jewels will be targeted, is it a strategy at all?

  3. Has the security strategy been formalized in a business plan that is cost-calibrated to targeted outcomes? Can it be restructured by scale and capability, thus giving executive stakeholders cost options from which to choose their risk appetite? Or is the business plan actually just a collection of individual budget asks that aren't unified under a justified strategic vision?

  4. Are security operations measured and tracked against a common set of metrics and KPIs, to ensure balanced and efficient leverage of resources and delivery of the capability stakeholders agreed to? Unless controls are measured and managed like a supply chain, they will often fail to deliver to need.

  5. Can protection outcomes be objectively and independently verified by non-conflicted sources? And can these be articulated so that business stakeholders have confidence in current cyber risk exposures and in the leverage of budget? Are pen tests and red teams perceived or leveraged as advanced vulnerability assessment? Or are they effectively seen and articulated as assurance of control and security operations performance?

Is 2021 the year the CISO steps up and becomes business savvy and a business partner, or is 2021 the year executives lose patience with commercially unsavvy CISOs and refocus their attention on other means to mitigate cyber risk?

I predict 2021 will see many CISOs come to terms with the business drivers of their executive stakeholders and embrace a security-economic approach to cyber security strategy and operations.


About the Author


Douglas Ferguson, a security professional of over 20 years, is the Founder and CEO of Pharos Security. Pharos specializes in aligning security goals and strategy to the business and a calibrated risk appetite, ensuring an integrated business plan and optimized operations that build to that plan and on budget.

Prior to Pharos, Ferguson was with Barclays Bank in London, where he was responsible for numerous security programs and initiatives across more than 40 countries. Previously, Ferguson was a Managing Consultant and researcher on the acclaimed X-Force at Internet Security Systems. He delivered security services to more than 200 clients globally and was a co-creator of the breakthrough System Scanner technology.

Published Monday, January 18, 2021 7:34 AM by David Marshall