The role of a Chief Information Security Officer (CISO) is changing.
While 76% of CISOs expect to see their budget increase this year, these security executives say they're also facing new challenges. 54% of those surveyed expect to prioritize the DevSecOps integration, while 62% highlighted the ongoing management of cloud, infrastructure, and APIs.
But the bottom line is that decision makers are prioritizing areas where they can see impact and ROI. So what is the impact on risk-focused security programs and on the CISO?
Tim Rohrbaugh, CISO of JetBlue Airways, recently joined Dave Stapleton, CISO at CyberGRX, to discuss the evolving nature of a CISO’s role and the steps that can be taken to help manage and mitigate critical cyber risk.
A CISO’s Primary Goals
Despite the shift in CISO operations, Tim notes that the primary goals remain the same: reducing the risk of a cybersecurity event and reducing the time to discovery. “CISOs must continue to elevate the threat of cyber attacks as they have become more of an existential threat to successful business,” added Dave.
Both risk management and reducing discovery time are also critical to controlling costs, another CISO objective. As noted by the 2022 Cost of a Data Breach report, the average cost of a breach is now $4.35 million and the average detection time is 277 days. By reducing detection time to 200 days or less, however, companies can save $1.12 million on average.
However, cyber criminals are unrelenting and continue to keep Tim and his industry peers on their toes. As a result, “we have to put at the forefront the criminal actor and their motivations,” he said.
Protecting the Crown Jewels with Data Privacy and Security
The most basic criminal motivation is profiting from what is stolen.
To make the most money means attacking the areas of greatest value – data or the “crown jewels.” There may be unintended consequences from these attacks, such as the case of the Colonial Pipeline, but the original attack was still initiated to make money from stolen data with the collateral consequence coming in the form of shutting down the pipeline. “As CISO, we have to think through consequences, not only for compliance but on the business as a whole.” Tim continued, “security compliance is not actual security.”
Cybersecurity is an important part of managing compliance risk, as well as ensuring the security, and privacy, of data. Due to the modern criminal, though, compliance is now table stakes for the modern CISO. Privacy rules and global regulatory compliance are key drivers; however, best in class cybersecurity must be focused on the threats themselves with a preemptive mindset.
For Tim, protecting the crown jewels – company data – requires tension. The modern CISO has to put in place the appropriate tension – technologically and operationally – relative to the threats. “We’re paid to make someone’s life miserable,” says Tim. “In this case, the (cyber) criminal’s life. But since the tension we put in place slows down the business, it has to be balanced with the threat.”
To determine the appropriate amount of tension, cyber risk intelligence is critical to an organization and must be aimed at orchestrating both defensive and testing activities. Tim outlined three key questions for effective cyber risk intelligence: “who is coming after us; why are they coming after us; and how are they coming after us?”
Answering each of these questions helps to improve threat response and addresses three key areas necessary for data defense: improving response times, managing cybersecurity spend, and mitigating third-party risk.
Mitigating Third and Nth Party Risk
While knowledge about common attack types can help reduce total risk, a CISO also has to understand who's coming after the organization and where they're coming from. For example, is a managed security services partner being targeted to gain access to clients?
82% of enterprises now say third-party threats present the most significant risk for exposure, but many don't take actions that reflect effective mitigation. What's more, cyber threats have also moved beyond third-party risks to “nth” party risk. Cyber risks multiply as additional vendors are contracted directly, and those same risks multiply even further as your vendors contract with their vendors.
Even for the largest of organizations — from the Fortune 500 to the federal government — risk is asymmetric. For small organizations, prioritizing where to deploy limited resources is even more vital. A recent CyberGRX blog post, “Defining Risk Management: Third-Party Risk, Vendor Risk & Supply Chain Risk,” lays out three types of supply chain attacks — compromising commercial software, compromising open source software, or embedding malware during the physical production of technology.
Improving Response Times
Understanding why attackers choose specific targets is also critical for companies to improve response times and reduce overall risk.
As a result, companies must continuously re-skill their cybersecurity workforce, because cyber criminals are doing the same. “We have to look not just at the tools and how we use them,” says Tim. “We have to look at the ‘who and the why’ of criminals. This means fresh thinking from places like psychology can help our teams as we recruit.”
According to Dave, “the perimeter, as we know it, has fundamentally changed as a result of new remote work models. Identity is now its own perimeter, as is third-party risk.” In other words, cybersecurity is more than the sum of its parts. It is tools and people. It is art and science. And it's only by understanding this balance that CISOs can gain a better understanding of why cybercriminals are targeting organizations — and what they're trying to accomplish.
With this information in hand, teams can then leverage third-party cyber risk management (TPCRM) solutions to pinpoint common attack vectors and create frameworks that empower improved detection, in turn reducing the time between initial threat and active response. The result? Attackers spend less time in the system before being found, meaning they have less time to cause damage and exfiltrate data.
Managing Cybersecurity Spend
As digital transformation accelerates and the threat surface expands, every modern enterprise, large or small, is faced with a similar question: How much should we spend on cybersecurity?
As noted above, part of the answer to that question is informed by threat intelligence and where the attacks are occurring. The answer is also informed by a business's overall IT spend. Tim notes the rule of thumb is that 10% of the IT spend should be going to cybersecurity. He also highlights that cybersecurity spend is both an art and a science — IT informs cybersecurity and vice versa.
Harnessing tools like CyberGRX’s Exchange allows companies to make better-informed decisions about what their spend should be and where those dollars should go, both for tools and for people. As Tim points out, “we can’t boil the ocean and handle every risk. It’s too much. If we can focus on the right attack vectors and the key threat actors through the sharing of threat intelligence, then we can build the right emulation plans, for the right vulnerabilities, with more focused ‘hunting’ on the biggest threats.”
Business is Better Together
Cybersecurity is no longer an individual sport.
Each company and organization must make its own unique decisions as it balances its own threat profile, risk posture, and business priorities. As these decisions are made, however, there are several ways to share non-competitive information in collaborative ways to mitigate risk and strengthen threat intelligence within, and across, industries.
As cyber risks evolve and cybersecurity teams work to respond – reactively and proactively – the role of a CISO is evolving, too. The CISO is no longer simply protecting the castle with fancy new technological moats. They are a vital strategic thought partner with the C-suite and board.
Dave and Tim put it simply: “by strengthening trust with better security and decreasing risk for both physical and digital assets, cybersecurity and CISOs can contribute to both the top-line, and bottom-line, results of their organizations.”