As cybersecurity becomes more central to enterprise risk management, CISOs will have a growing role in embedding security throughout business operations.
It has been a challenging year for CISOs. The pandemic brought rapid changes to ways of working, cyber attackers are more active than ever and budgets are tight.
But, as many of the industry leaders who gathered at Corinium’s CISO Champions, Online US conference last week noted, there are more challenges on the horizon, and CISOs must be prepared.
“My team’s motto is ‘automate or die’,” says Karen Holmes, VP and CISO at workforce management firm TrueBlue. “You’re never going to keep up from a human perspective, so for me it’s been all about interoperable tools that can respond to threats in an automated fashion.
“The bad guys only have to be right once. We’ve got to be right every single time, and that is a distinct disadvantage,” Holmes concludes.
To spotlight how leading cybersecurity executives are achieving this, we have gathered here some of the key insights from last week’s three-day virtual event.
Addressing the Long-Term Impact of a Remote Workforce
The disruption caused by the COVID-19 pandemic caused many businesses to scale their remote working capabilities practically overnight.
This rapid change created both technical and cultural challenges for senior cybersecurity executives. CISOs had to provide a secure network at an unprecedented scale while at the same time educating staff on minimizing risk outside of the office.
It is likely that remote work will remain a feature of business operations even after the pandemic. As a result, forward-thinking CISOs are addressing remote work as part of their control posture.
“Remote work is here to stay. Accept it, plan for it and, by all means, stop fighting it,” says Sutter Health Executive Director of Cybersecurity and Investigations Jason Elrod. “Once you do that, you can begin to proactively start addressing the evolved control needs associated with it.”
“Individuals, understandably, now have a blurred line between what is work and what is personal. Our control posture needs to reflect that, which means our controls need to be geolocation and platform agnostic,” he continues. “Location doesn’t really matter now, so don’t rely on it as a security control.”
Another consequence of long-term work from home is the unauthorized use of personal devices for work. Staff may be tempted to use personal devices and applications more often if company-approved ones do not work as efficiently.
To address this challenge, Elrod suggests a combination of tactics including the implementation of secure access service edge (SASE), endpoint detection and response tools and digital rights management solutions.
“SASE puts the control plane in the cloud. This eliminates the need to backhaul data through the enterprise data center, which helps mitigate latency and performance issues by removing that particular hairpin,” Elrod says. “This is big because it makes it less likely your remote workforce will try to get around your controls due to performance problems.”
For the near future at least, remote work is here to stay. CISOs will need to adapt their security strategies to meet the needs of a long-term remote workforce.
Managing Vendors to Control Supply Chain Risk
The SolarWinds hack is the most recent poster child of third-party risk and has brought the issue to the front of mind for many CISOs.
An initial assessment of a new vendor should include a privacy and security impact assessment (PSIA). However, vendor selection and onboarding are approached differently by different businesses, and often on a case-by-case basis.
The resources available for vendor tracking and management also vary widely by industry. While running a vendor management program may not be difficult for a company with deep pockets, others have to work with the tools they have.
“The financial sector can afford to have a vendor management team and a management team over that team, but a lot of us in the healthcare sector are not quite as lucky with that,” says Mark Eggleston, VP and CISPO at health maintenance organization Health Partners Plan. “It’s challenging but do your best due diligence, check certifications and do a lot of monitoring.”
“If SolarWinds was hacked, what else is out there? And how do we as companies try to address it?” adds Chapman University CISO George Viegas. “It’s difficult to assess our vendors at scale, and that is a problem, I think, that is just emerging right now.”
The response, according to Viegas, should be to ask tough questions of vendors and to conduct additional security reviews.
“[We should] review our technical connections inbound and outbound that these software products are making. In the SolarWinds case, many customers were asked to turn off their anti-virus and that allowed some of this to proliferate undetected,” Viegas notes. “So, asking the tough questions [is important], and, in addition, doing enhanced reviews of critical providers.”
However, it is important that the onboarding process does not impede the pace of business. To prevent this, Viegas recommends a two-track process for vendors based on the monetary value of the contract and how much sensitive data they have access to. “Move the big products to a separate queue, triage them, and spend more time evaluating them,” Viegas says. “This kind of two-pronged approach will allow you to move the review process forward faster.”
How the Role of the CISO will Evolve in 2021
Research from consulting firm Deloitte shows that cybersecurity has been a top priority for enterprise companies in each of the last three years.
In parallel, the role of the CISO has become more prominent. A growing number of CISOs now report directly to the CEO, allowing them to influence strategic decision-making and embed security throughout business operations.
“That’s the reason why more and more of us are reporting not just into boards but also into a CEO directly,” says Health Partners Plan’s Mark Eggleston.
He continues: “It’s important because if you’re going to roll out a product you better have your privacy pieces down pat. It better be secure and [you’d better be] making sure that you’re doing things to minimize reputational damage to your company.”
As cybersecurity and the role of the CISO continue to grow in prominence, it will be increasingly important for CISOs to work collaboratively with other business leaders to create an organization-wide security culture.
“Security is foundationally embedded in everything we do, so there’s almost nothing that we don’t touch in some way, shape or form,” notes TrueBlue’s Karen Holmes.
“Because [cybersecurity] touches almost everything, we want to make sure that as we build out security programs for the organization, we incorporate not only our technical peers but our business peers as well,” adds Delta Dental CISO Fred Kwong. “You don’t want to grow like a fiefdom around security, where security is acting on its own,” Kwong concludes. “That would be a recipe for disaster.”
To discover more insights from the industry leaders who spoke at CISO Champions, Online US, register to view the on-demand sessions here.