Pandemic pressures have put CISOs in the spotlight – and are helping them transform organizations’ attitudes to cybersecurity. Building on F-Secure’s survey of security leaders published earlier this year, the company asked the CISOs of Better.com and Pepper Group to discuss how they dealt with rapid change.
The sharp rise in the use of cloud technologies during the pandemic is raising the profile of cybersecurity and changing the nature of the CISO role. “Cyber risk is increasingly visible at the top level of organizations. Many business leaders that used to see security as a purely technical/operational role are now looking to CISOs to act in a more strategic, advisory capacity,” said Tim Orchard, F-Secure’s executive VP for Managed Detection and Response.
Orchard was speaking alongside CISOs at the latest F-Secure webinar, Disruption, Data and Dealing With Uncertainty: Plotting the Future for Enterprise Cybersecurity. He noted that more than two-thirds of those interviewed for our recent research project, The CISO’s New Dawn, highlighted the importance of being able to advise, negotiate, communicate and persuade effectively. “CISOs need the emotional intelligence to articulate the link between cybersecurity and business risk in the right language,” Orchard said.
This was borne out by the other webinar speakers. Chris Gunner, Group CISO at global financial services company Pepper Group, said: “I’ve definitely had to improve my business acumen. For example, we have a business in China. Trying to tell the CEO we weren’t going to permit a particular piece of his native software on our network because we didn’t trust his government required a lot more tact than usual.”
Ali Khan, CISO at US fintech Better.com, said CISOs must be able to explain cybersecurity risks and options to the business clearly, understand the organization’s priorities and translate these into appropriate security responses. “Security’s not binary any more – there are lots of grey areas. You need to find out what the organization really wants to get done in the coming year and help them understand what’ll give them the best bang for their buck,” he said.
CISOs are also working hard to improve the security culture of their organizations more broadly. A poll of webinar attendees found this was – by a landslide – their biggest area of focus for the coming year, cited as the top priority by two-thirds of respondents.
The webinar also explored in detail how CISOs are applying their priorities to the cloud. Here, their biggest concern is securing new digital initiatives, closely followed by worries about the increased attack surface caused by distributed working.
In this landscape, it’s critical to ensure everyone understands how to minimize risks to the organization. Today, CISOs increasingly realize that driving a true culture of security throughout the business requires a lot more than emailing everybody a policy document. “One thing we do, for example, is phish our staff every month,” said Pepper Group’s Gunner. But he added that it’s important not to blame or punish people if they click on the fake phishing links: “As a CISO, I have to ask myself what I’ve not done to educate them properly and then put it right.”
Better.com’s Khan noted that, for him, ensuring the security of new digital initiatives has largely been about maximizing engineers’ design freedom within the organization’s guard rails. This has paid dividends in terms of gaining their trust. “For example, they recently spotted something suspicious and were perfectly comfortable approaching us and asking what to do. It turned out to be a very minor incident, but we gave kudos to the engineers that flagged it up because we want to encourage that type of participation,” said Khan.
As Gunner said: “Cloud pulls the rug from under your feet, but it allows you to experiment with new ways of doing things which keeps the job interesting and keeps you learning.”
There’s not room here to include all of the panel’s many insights, but you can listen to the full webinar recording here.