The role of chief information security officer (CISO) has expanded in the past decade thanks to rapid digital transformation. Now CISOs have to be far more business-oriented, wear many more hats, and communicate effectively with board members, employees, and customers alike, or else risk serious security failures.
In a wide-ranging press Q&A at CPX 2024 in Las Vegas, a panel of CISOs and vice presidents (VPs) of international organizations discussed how digital transformation, bottom-line pressures, and a lack of security awareness have forced a shift in the nature of their positions: broadly, from technical to business-oriented and highly social.
Today, they suggested, what distinguishes an effective CISO, and by extension an effective security culture at an organization, is as much a matter of softer communication skills as of mitigating vulnerabilities and defining policies. Security leaders who excel at the latter but lack the former end up exposing their organizations to major breaches.
“You asked about the consequences?” Dan Creed, CISO at Allegiant Travel Company, asked rhetorically in response to a question from Dark Reading. “Ask SolarWinds what the consequences are. They had a password policy, an intern didn’t follow the password policy, look at the consequences.”
How Digital Transformation Transformed the CISO
“The role of the CISO has changed over the past 10 years, and we never really stopped to notice it,” Frank Dickson, program vice president for cybersecurity products at IDC, stated in a separate CPX press conference on March 6.
Years ago, the position was created with the relatively narrow cyber risk focus that it’s still associated with today. But it’s expanded, thanks firstly to a broadening of the corporate attack surface. Typical breaches used to require vulnerabilities in corporate resources — think Target, Ashley Madison, and the like. Nowadays, particularly since COVID, it’s employees’ emails, phones, and other devices that instead represent the greatest risk to organizations. As the responsibility of information security has become a collective one, CISOs have been forced out of their silos.
Frank Dickson briefing the press on IDC’s new report; Source: CPX
Digital transformation has also moved IT from its siloed corner, straight into the line of business. As Dickson pointed out, “About 40% of all the revenue for the [Global] 2000 next year is going to be driven by digital products and services. So what that does is change the nature of IT from a cost-setter, to something that’s on the path to generating revenue. And if you think about what that does, that fundamentally changes the role of the CISO.” The more that companies today conceive of IT as a business driver, the more CISOs need to be integrated in not just preventing and mitigating cyber risks, but also advising the board on business decisions, and rendezvousing with developers, salespeople, and customers.
The increasingly business-facing responsibilities of the CISO were reflected in an IDC survey revealed at CPX. Of 847 cybersecurity leaders polled, 10% believe that the most important job of a CISO is leadership and team-building skills, and 8% believe it’s business management skills. Actual cybersecurity awareness and understanding, and IT architecture and engineering skills, received hardly more votes at 12% apiece.
How CISOs Can Do Better by Employees
It’s not merely that CISOs can double as businesspeople — they need to. “The consequence of not establishing those relationships [is] you get a culture at the company of ‘Well, it’s not my responsibility.’ Like SolarWinds, and MGM. They reset their MFA just by a call to the Help Desk, though they don’t understand or realize the consequences of not having security awareness,” Creed explained.
The subtlety in Creed’s argument — echoed by others at the roundtable — is important. Preventing security lapses by employees is not simply a matter of spreading awareness, they emphasize, because even knowledgeable employees ignore security when their relationship with their security team isn’t healthy, or when hygiene is simply too effortful.
“[They say] security should be hidden. I take it one step further: security should lubricate business and make it faster,” said Pete Nicoletti, Field CISO at Check Point, echoing the evolved philosophy of the modern CISO. He offers VPNs as an example of where limited, old-fashioned CISOs have traditionally slowed business down. “How long does that hold my email for: two seconds, or 10 seconds? How long does VPN take for signing up? Are [employees] going to work around it because it takes 22 seconds and authentication? [It’s about] trying to make these as transparent and easy to use as possible. Start picking tools that actually speed up the process, to where now you have a competitive advantage.”
“Some of my earliest initiatives that I’m driving are exactly that,” Creed seconded. “Let’s move away from VPN, and get to an always-on where with your laptop, you turn it on, you’re fired up, and you’re connected into our network, going back through our security stack. The next objective is we’re now laying the foundation to move to passwordless.”
If talking to employees and making security easier for them isn’t enough, CISOs can also experiment with alternative incentives. “We actually have KPI metrics around security culture. And we’re getting ready to the point that we’re going to start actually impacting bonus pools, to where if your department does better, it increases your bonus pool above the norm [. . .] and if you don’t, then it hits your bonus,” Creed explained.
How CISOs Can Collaborate Better With Fellow Executives
Then there’s the board.
In its survey, IDC asked CISOs and their fellow CIOs what CISOs actually do, such as whether they focus on strategic architecture or whether the job is tactical by nature, and found not-insignificant discrepancies in the responses, indicating that even CISOs’ closest C-level partners aren’t entirely on the same page.
Creed recalled one such case recently, where “We ordered some new 737s. And these are our first e-connected aircraft. [The board] did not include me in the earlier conversations, and then it became a fire drill that all new e-connected aircraft have cybersecurity requirements — that, in fact, if you don’t have a network security plan approved and accepted with the FAA on file, you lose your airworthiness certification for those aircraft. Do you think the board, when they first started talking of going down this path of ‘we’re going to expand the fleet’, considered that there might be security implications in that?”
“So you have to educate them, and explain to them: this is why we need a seat at the table. In every strategic decision that’s made for the business, there’s risk involved. [. . .] The more you include us at a seat at that table, the better that we can protect the business and weigh in on where that risk is at the onset rather than once it becomes a fire,” he said.
To that end, in an interview with Dark Reading, Russ Trainor, senior vice president of information technology at the Denver Broncos, offered a simple tip:
“Sometimes I’ll forward news of the breaches over to my CFO: here’s how much data was exfiltrated, here’s how much we think it cost,” he said. “Those things tend to hit home.”
Source: https://www.darkreading.com/cybersecurity-operations/ciso-role-changing-can-cisos-keep-up