The good news is that security and risk management has become a board-level issue for organisations. In hindsight, this was likely precipitated by the number and sophistication of security breaches in recent years, which in turn has spurred increased regulation to protect consumers and put security at the forefront of business decisions, said Gartner.
Charged with leading this new focus is the Chief Information Security Officer (CISO).
The CISO is the architect of an organisation’s information security strategy. He or she is tasked with developing and implementing procedures and policies designed to protect an enterprise’s communications, systems, and assets from internal and external threats.
In the digital era, a recurring challenge for the CISO is that the threat boundary is not static; in fact, it is expanding. To complicate matters, it evolves at a pace that organisations, as they are designed, can ‘almost’ never catch up with.
What has been added to the CISO role and responsibility since 2020 (COVID-19 pandemic)?
Joanne Wong: The pandemic has fast-tracked digital adoption among businesses worldwide, compressing approximately seven years of digital transformation into a matter of months. Such a rapid shift online has been instrumental for business continuity, but also simultaneously induced a paradigm shift in cybersecurity. There have been two fundamental changes, the first being that there are simply more cyber threats today.
The pandemic has directly exacerbated the cyber threat landscape, resulting in record-high figures of ransomware attacks and data breaches. As organisations pivot and go online, their digital operations increasingly become an inextricable part of their business.
What this means is that cybersecurity has now been elevated to the top of the business agenda. Security priorities are now business priorities. Executives understand they cannot afford to suffer a cyberattack - or face devastating financial or reputational damage - and now turn to their CISOs for a solution.
With that, the past year has seen CISOs emerge from behind closed doors and play a more active role to shape the business.
Before, CISOs might have run their cybersecurity operations in isolation. But today, as digital becomes front-and-centre across all businesses, they are finding that they need a broad knowledge of the business environment in which they operate.
They must now understand specifics like their senior management’s priorities, what their competitors are doing, and how consumer behaviour is changing, to effectively implement an IT security strategy in line with their company’s goals.
Another huge responsibility that CISOs are now undertaking is finance and budgeting. Rather than being given a set allocation of funds, they are now expected to formulate their own budget and convince their senior management of what investments to make.
This is no easy feat, as such planning must consider the organisation’s core business activities. Security needs to be seen in the context of all business activity to ensure it is relevant and effective, so it is imperative that CISOs get knee-deep and truly understand their business.
To what extent should a CISO be accountable for any cybersecurity breaches?
Joanne Wong: CISOs are often the prime scapegoat for cybersecurity incidents. According to a study we conducted with the Ponemon Institute earlier this year, 43% of respondents in APAC believed that IT security leaders alone should be held most accountable for preventing or mitigating the consequence of a cyberattack. This surpassed that of the CEO (18%) and was almost twice that of even holding both the CEO and CISO accountable (22%).
Cybersecurity cannot be the sole responsibility of an individual. As part of the same study, we found that even though 60% of respondents believe cybersecurity leaders should report directly to the CEO, only 6% do.
This poses challenges in ensuring that the leadership have an accurate and complete understanding of security risks facing the organisation - and without this buy-in, CISOs lack the influence to establish their desired security posture.
All parties have got to pull their weight. For organisations to adopt an effective and robust cybersecurity strategy, it is critical for the executive leadership and CISO to develop a stronger relationship based on trust.
At the same time, the CEO and board members must adopt cybersecurity priorities as a central plank in their business strategy and be open to what their CISO has to say. In doing so, they can empower their cybersecurity leader and team with the resources they need to safeguard their organisation.
Given the extent to which technology evolves, what qualifications and certifications should come as standard with the CISO role in the post-pandemic era?
Joanne Wong: CISOs will always have to possess the bread-and-butter skills that come with managing cybersecurity technologies – like SIEM and SOAR – and such technical expertise will constantly evolve alongside emerging technology.
Beyond that, the changing role of CISOs necessitates new, non-technical skills to stay ahead of the curve.
For one, we are seeing an increasing number of CISOs opt to study for a Master of Business Administration (MBA). Having business acumen provides CISOs with greater clarity on how their organisation operates, while at the same time empowering them to speak the language of the executive and board.
In doing so, they are better equipped to tailor their cybersecurity strategy to align with business objectives.
Even the best qualifications and certifications will be for nought if these aren’t complemented with soft skills. CISOs are leaders, so they must be confident in communicating with their stakeholders and leading their teams to overcome challenge after challenge. They must know how to prioritise and problem-solve, especially given the many “crises” and moving parts that come with the job.
When evaluating solutions as part of an organisation’s cybersecurity strategy, what questions must the CISO ask himself/herself, the team, and the vendor?
Joanne Wong: There’s no doubt that in today’s interconnected world, more and more organisations are turning to third-party vendors to deliver specific goods and services. Vendors play an important role to advance organisations’ core business goals, but simultaneously the risks associated with supply chain attacks have never been higher because the attack landscape has dramatically changed.
With vendors and service providers having access to your systems and confidential customer and employee information, malicious cybercriminals can and will target them as a proxy to that data.
Recent supply chain attacks are convincing enough - who can forget the high-profile SolarWinds incident? And closer to home, renowned companies like Singapore Airlines and Singtel have not gone unscathed either.
More than ever, CISOs must take a proactive, hands-on approach in evaluating each one of these vendors. They cannot adopt a myopic view of their cybersecurity operations and only focus on securing their organisation’s immediate network, but must instead recognise that these vendors are very much part of the picture as well.
It is critical that CISOs safeguard their operations and maintain visibility over their entire network, by ensuring that third-party vendors have the same levels of safeguards to identify and remediate threats with speed.
In this vein, they must ask important questions on how to maintain a strong cybersecurity posture while establishing a strong working relationship with vendors. How much access can they afford these third-party suppliers? When and what can they be given access to?
As cybersecurity leaders start to adopt a Zero-Trust mindset, they must consider how they tailor controls around sensitive data and network across their entire digital operations. Additionally, CISOs must perform their due diligence and assess vendors’ internal cybersecurity processes - do they have industry certifications, and are they aligned with frameworks like ISO and NIST?
By understanding vendors’ own approaches to cybersecurity and incident response plans, CISOs can make more informed decisions on who can better serve as a trusted partner.
What are the top three things a CISO must always stay on top of as part of his/her role?
Joanne Wong: Things move fast in the digital era, and CISOs must bear in mind three key tenets: keep up to date, keep communicating, and keep an eye on talent.
It is critical that CISOs maintain a view of the wider business and technology landscape, to understand emerging cyberthreats and ensure that their IT architectures are aligned with the needs of the day. At the same time, they must ensure that they have an open line to their executive leadership, where they can be transparent about potential threats and offer timely recommendations.
Lastly, CISOs must invest in nurturing the next generation of cybersecurity leaders, especially those already in their team. Lean security teams are facing increasing stress and burnout, and CISOs need to keep a close eye on them and provide the necessary support – such as upskilling opportunities or new IT solutions to alleviate their workload.
What can the CISO expect in 2022?
Joanne Wong: As we look to the year ahead, CISOs can expect even more complexities in the cyberthreat landscape, and must prepare to fend off the escalating risk of cyberattacks. This is in large part because of the widespread adoption of 5G – according to Juniper Research, the number of 5G connections in Asia-Pacific will increase by more than ten times to reach 3.2 billion over the next five years.
What this means is an unprecedented level of connectivity. Businesses will only continue to expand their online presence, and together with the growing popularity of Internet-of-Things (IoT), the attack surface will just keep getting exponentially larger. Be it data breaches or ransomware attacks, incidents will take place more frequently and each more devastating than the one before.
Cybersecurity teams that work in silos will not be able to combat this threat. CISOs must assume the responsibility of escalating these concerns to the executive leadership and integrate cybersecurity as a central plank of the business.
Only then can CISOs effectively implement a holistic cybersecurity strategy and cultivate a culture of cyber awareness and hygiene, so the organisation can stay resilient in the face of such risk.