In the short span of twenty years, companies of all sizes have experienced rapid transformation in the way they receive, process, store, and transmit data of all types. The most heavily impacted data sets have been personal health information (PHI), financial data, and personally identifiable information (PII). The CISO's and security practitioner's job is, and always has been, to protect the confidentiality, integrity, and availability of that data. But what has changed to add such complexity and alter the CISO dynamic so drastically compared to twenty years ago?
In the early 2000s, CISOs were few and far between. Many security professionals with the acumen and interest to learn something new evolved from IT-related roles, such as IT managers, system admins, or network engineers. These individuals were tasked with protecting what I often refer to as the hard candy shell of the organization, which consisted of nothing more than a firewall, anti-virus, and in some cases signature-based Intrusion Detection and/or Prevention Systems (IDS/IPS). The biggest perceived focus for many of these individuals was protecting their organization from the growing prevalence of nuisances such as script kiddies. The firewall protected the outer shell from the bad guys on the Internet; the AV solution identified and eradicated viruses that got through to the soft center, usually via opened email attachments; and the IDS/IPS gave some visibility into failures of the other controls. The technology worked fairly well, provided the vendor updated the hard-coded signatures in a timely manner.
As security vendors developed signature-based virus detection tools and intrusion detection and prevention systems to thwart the script kiddie, veteran threat actors adapted by making small modifications to their virus and malware code to evade detection. The industry soon followed suit and developed anomaly-based detections. This back and forth still goes on to this day, only with far more sophisticated methods on both sides.
Regulatory Compliance and Security Standards
The introduction of Federal Government regulations and industry-enforced standards began changing the way organizations looked at data from a handling and storage perspective. The CISO soon became a check-the-box senior practitioner or director, responsible, along with the IT and Legal teams, for sorting through government regulations and industry standards and determining a path forward.
Some earlier laws were already in place, such as the Computer Security Act of 1987, focused on the security of U.S. Federal Government systems, and the Privacy Act of 1974, which required certain data types to be identified and secured. On top of these, the transition from walls of filing cabinets to digitized records was accompanied by new laws and regulations: the Health Insurance Portability and Accountability Act of 1996 (HIPAA), finalized and published in December of 2000; the Gramm-Leach-Bliley Act, enacted in 1999 for the financial industry; and the Sarbanes-Oxley Act of 2002 for publicly traded companies.
In 2004, five of the major credit card companies, Visa, Mastercard, American Express, Discover, and JCB, joined forces and created the Payment Card Industry Data Security Standard (PCI-DSS) in response to the costly rise in credit card fraud. Add in the EU General Data Protection Regulation (GDPR), mandating the protection of data identifying individuals (PII) in the European Union, and you have a diverse regulatory soup that requires a dedicated individual or team to stay on top of. This either forced the propeller head out of the leadership role or required a great deal of learning on the fly, with mixed results.
Please don’t take offense. I was one of those propeller heads back in the day. I have evolved!
All the Buzz
Without getting into the entire history and evolution of the past two decades, the digital transformation age, rapid public cloud adoption, zero trust, and artificial intelligence (terms that security vendors often define loosely and over-use), or the cyber espionage, ransomware outbreaks, data leaks, credential theft, and exposed databases that are too numerous to list as of 2023, let's understand how and why the CISO's job has continued to evolve and become more complex.
The Holistic Approach
You may have heard the phrase or a variation thereof, “Being compliant does not make you secure, and being secure does not make you compliant”.
This is where a holistic approach to cybersecurity must be strategically considered. While you're performing tool rationalizations and risk assessments based on NIST 800-30, you may also want to consider either a maturity-based framework such as the Center for Internet Security's Critical Security Controls Version 8 (CISv8) or a risk-based approach such as the prescriptive NIST 800-53 or the widely adopted NIST CSF. Any of these frameworks provides a holistic and strategic approach to security, allowing you to assess your current posture and set short-, mid-, and long-term goals that improve your posture over time. The bonus of adopting and working through these non-regulatory frameworks is that you will be addressing many, if not all, of the regulatory requirements as you go. They also steer you away from the "boil the ocean" approach, which often leads to disaster.
The Top-Down Approach
Prior to the late 2000s, most organizations took a bottom-up approach to security, reacting to incidents that occurred either within their own organizations or at industry partners. Organizations would respond by implementing technology and solutions that gave them a warm fuzzy feeling during the next virus outbreak, credential mishap, or malware ingested from a USB stick found in the parking garage.
Very few organizations considered governing their security programs from the top down by developing policies, standards, and procedures and then enforcing them with the full cooperation of the organization's C-Suite leaders, who would also disseminate them.
Presenting to the Executive Suite and Boardroom
Have you ever gone into a board meeting with a polished presentation and started talking about technology, or about how the latest and greatest ransomware prevention tool will reduce risk and move the 5×5 color matrix from a bright red box to a light red box if they give you funding? You may have seen eyes glazing over and, in response, received a slew of questions such as: What were the decision criteria for determining the difference between bright red and light red? How much will the financial impact on the organization be if we don't implement your solution? How much does the solution cost compared to the cost of the breach?
Business Acumen and the New CISO
Although business leaders may not understand the difference between EDR, MDR, XDR, SOAR, or SIEM, they are smart individuals who understand assets, cash flow, liability, and profit and loss—so why not speak to them in a language they understand, one that truly impacts the business's bottom line?
You wouldn’t speak English to a person who only speaks Spanish if you are fluent in Spanish.
Referencing the 2023 IBM Cost of a Data Breach report, we learned that the average cost of a breach rose 2.3% from 2022 to US $4.45 million in 2023, and that the average cost per record involved was US $165, up from $154 in 2022. These numbers vary by industry, with healthcare taking the top spot at US $10.93 million per data breach. The point is that the data is there; use it. The report even includes a graph showing how much specific controls and factors change the total cost: incorporating an Incident Response Plan and performing semi-annual tabletop exercises reduced the cost of a breach (-$232,008), while migrating to the cloud added to it ($218,362).
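To put the board-level argument above into working numbers, here is an added example (not from the article or from the IBM report) that turns the quoted per-record cost and control adjustments into an annualized loss expectancy, a control cost-versus-breach-cost figure, and a seeded Monte Carlo range. The 27,000-record scale, the 25% annual breach probability, the $40,000 control budget and the lognormal spread of record counts are assumptions chosen for the illustration.

```python
import math
import random
import statistics

# Figures the article quotes from the 2023 IBM Cost of a Data Breach report (USD).
COST_PER_RECORD = 165           # average cost per record
IR_PLAN_TABLETOPS = -232_008    # breach-cost change with an IR plan and semi-annual tabletops
CLOUD_MIGRATION = 218_362       # breach-cost change when the estate has migrated to the cloud

def single_loss_expectancy(records, adjustments=()):
    """Cost of one breach: per-record cost times records, plus the report's
    adjustments for whichever controls and factors apply to this organization."""
    return records * COST_PER_RECORD + sum(adjustments)

def annualized_loss_expectancy(breach_probability, records, adjustments=()):
    """ALE = annual rate of occurrence x single loss expectancy."""
    return breach_probability * single_loss_expectancy(records, adjustments)

def control_net_benefit(breach_probability, records, annual_control_cost, adjustment):
    """Dollar answer to 'what does the control cost compared to the breach?':
    expected annual loss avoided by the control minus its yearly cost."""
    before = annualized_loss_expectancy(breach_probability, records)
    after = annualized_loss_expectancy(breach_probability, records, (adjustment,))
    return before - after - annual_control_cost

def simulate_annual_loss(breach_probability, records_mean, adjustments=(),
                         trials=20_000, seed=7):
    """Monte Carlo range for the board: exposed-record counts are uncertain, so report
    mean and 95th-percentile annual loss. Assumed: lognormal records, sigma 0.5."""
    rng = random.Random(seed)
    sigma = 0.5
    mu = math.log(records_mean) - sigma ** 2 / 2   # keeps E[records] == records_mean
    losses = []
    for _ in range(trials):
        if rng.random() >= breach_probability:
            losses.append(0.0)                      # no breach in this simulated year
        else:
            losses.append(single_loss_expectancy(rng.lognormvariate(mu, sigma), adjustments))
    losses.sort()
    return {"mean": statistics.fmean(losses), "p95": losses[int(0.95 * trials) - 1]}

if __name__ == "__main__":
    # Assumed organization: 27,000 PII records, 25% chance of a breach in a given year,
    # IR plan plus tabletops budgeted at $40,000 per year.
    p, n = 0.25, 27_000
    print(f"ALE, no IR plan:   ${annualized_loss_expectancy(p, n):,.0f}")
    print(f"ALE, with IR plan: ${annualized_loss_expectancy(p, n, (IR_PLAN_TABLETOPS,)):,.0f}")
    print(f"IR plan net benefit at $40k/yr: ${control_net_benefit(p, n, 40_000, IR_PLAN_TABLETOPS):,.0f}")
    r = simulate_annual_loss(p, n, (CLOUD_MIGRATION,))
    print(f"Cloud-hosted estate: mean ${r['mean']:,.0f}/yr, p95 ${r['p95']:,.0f}/yr")
```

The mean and 95th-percentile pair is what replaces the red box: a dollar figure the board can weigh against the control's budget line.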
Over the past 20 years, the CISO's job has become substantially more complex and has evolved from that of a technical director to that of a business-minded, technically savvy executive, and for good reason.
A few tips for success:
- Know the business you’re in.
- Understand how it makes money and become part of that money-generating engine by supporting and enabling the business.
- Polish policies, procedures, and standards.
- Learn the laws and regulatory requirements that your organization must follow.
- Develop relationships with business unit leaders, Finance, Legal, HR, and IT executives. Find out how you can be part of the team and help them do their jobs more efficiently while building in security.
- Build a supporting cybersecurity team that meshes well with the business culture.
- Prioritize what is critical and important and learn to delegate non-critical, unimportant tasks.
- Speak to your audience in a way that your audience understands.
- Understand probability theorems and begin to quantify risk. The board members like that.
- Accept the fact that you are a life-long learner.
By: Brett Price – Lead Cybersecurity Consultant – C|CISO, CISSP, CISM, CISA