Are We Ready for CISOs To Be More Flexible?

Image credit: iStockphoto/Teraphim

Love them or hate them, companies need their CISOs and security teams.

Ask DevOps teams or lines of business leaders, and they will groan about the security measures, the constant security updates, and the inflexibility of some policies reining in their growth.

Some of these rants became muted during the latter part of the pandemic years. That’s when companies tried to connect remote employees outside of their company walls in the name of productivity and customer service. It exposed hidden holes and bad security practices, leading to a crescendo of attacks.

Still, many today feel CISOs are getting in the way of modern business agility.

Wait, we didn’t hire them for flexibility

Part of the inflexibility is ingrained in security practices and approaches. And it's precisely this cautious and risk-averse mindset that many CISOs were hired for in the first place.

While their ability to see risks and dangers at every business corner can rub business leaders the wrong way, their methodical approach to identifying the threats and creating security policies to close potential vulnerabilities across a distributed IT environment makes them valuable when a breach occurs.

It’s not that CISOs do not want their business teams to seize opportunities and explore new revenue opportunities quickly; they just feel that the risks aren’t worth it.

The job scope of a CISO is also not static. That's because threat actors are evolving.

Take DevOps, for example. Many developers do not want CISOs and their security teams coming near their sacrosanct CI/CD processes. But with supply chain attacks on the rise, CISOs, DevOps teams and vendors need to integrate DevSecOps processes.

Meanwhile, the unloved CISOs are tasked with fending off attacks that are becoming more one-sided. Generative AI and generative adversarial networks (GANs) are worsening the asymmetry.

While vendors talk about the virtues of Zero Trust, better threat intelligence sharing, secure access service edge (SASE), and security service edge (SSE), CISOs have no respite. They know it only takes one successful breach to damage reputations, lose customers, and invoke increasingly expensive fines.

Yet, CISOs have no choice but to get flexible

There are valid reasons why CISOs need to adopt a more flexible mindset—and fast.

Take IoT security, for example. With the number of devices in use, in all shapes and sizes, it becomes virtually impossible to stop every malware-carrying IoT device from breaching company defences. Most security policies also focus on the unintentional deployment of devices; halting the deliberate deployment of a small but powerful piece of IoT malware is still possible.

Then you have ransomware, which is becoming cheaper and simpler to create. There’s a whole underground ecosystem based on an as-a-service model and services supporting it. A lone CISO and his or her team can’t compete against an industry increasingly populated by state-sponsored syndicates.

At the same time, CISOs are increasingly asked by their business leaders and boards to become more strategic. One reason is that today’s senior leadership and boards are more security aware (especially after the baptism of fire during the pandemic years). So, today’s CISOs are asked to develop strategic security plans that align with the business.

Moving from tactical to strategic thinking is a challenging feat. However, it is a chasm that CISOs must cross as they work more closely with the different CXOs and the board to roll out security frameworks aligned with risk management. And collaboration calls for some flexibility.

Also, today's CISOs have less control over their infrastructure or data. Look at the number of security incidents and breaches caused by misconfiguration in the cloud data center. In addition, more developers are using software containers and infrastructure as code (IaC) to control infrastructure, which can potentially create new vulnerabilities.

These trends mean that CISOs must work with different team heads and players, some inside their company and others outside. Such an approach is not something they might have signed up for initially, but one that is essential today.

Lastly, there is AI, a double-edged sword. Forward-looking CISOs use the same techniques that make AI a good tool for attackers to protect their own data and applications dynamically.

However, it does require CISOs to become comfortable with the probabilities inherent in data science and machine learning, and to constantly ensure the outcomes do not stray from what is expected. This is a far cry from the more deterministic approach of the past, but it is better aligned with the risk management approach of modern security.

But corporate accountability needs a reboot first

CISOs need to shift their mindsets if they want to manage modern digital assets, networks and platforms. They need to do this to become strategic when, for so long, they've been asked to be tactical and to drive a security culture from within.

However, they can’t do it alone. They need the other business stakeholders to evolve together with them and understand that modern security is a game of probabilities.

These stakeholders must also understand that their cybersecurity investment correlates with compliance and business risk mitigation. If the CISO is using AI, they need to become comfortable with the shortcomings of a security AI model that may have drifted, for example, because of a sudden shift in business fundamentals.

That's a big ask and brings up questions on corporate accountability. At the moment, however, it is much easier to point a finger at the human in charge.

Winston Thomas is the editor-in-chief of CDOTrends. He's a singularity believer, a blockchain enthusiast, and believes we already live in a metaverse. You can reach him at [email protected].
