By Diana Buccella Modified December 23, 2019
While relatively new to the corporate hierarchy, Chief Information Security Officers (CISOs) are becoming increasingly integral to ensuring uninterrupted business operations. Indeed, the prominence of the position has naturally corresponded to the growing reliance on technology solutions in the modern workplace.
To fulfill their principal goals of protecting and maintaining critical enterprise assets, CISOs are being tasked with a broad range of responsibilities, from cybersecurity response to data privacy and information security. It is now common to see a CISO in charge of virtually all facets of an organization's information risk management strategy.
There are many ways that a company's information security can be compromised, many of them largely outside the CISO's control. With that said, the most effective CISOs keep their finger on the pulse of prevailing information technology (IT) trends and deploy solutions to help stay ahead of the most common dangers.
The increasing prevalence of cyberattacks is generally the top concern for CISOs and the drive for most of their day-to-day efforts. Few other threats pose a greater risk to a company’s revenue stream, brand value, and general operational capacity.
Take, for instance, the ubiquitous distributed denial-of-service (DDoS) attacks. DDoS attacks occur when attackers seek to disrupt a network by flooding it with traffic, congesting it with redundant requests and crippling its ability to function normally. For a customer-facing firm dealing in software solutions, such an attack can be deadly in terms of company revenue and customer satisfaction.
Even for more traditional companies that still use web services for internal operations and data storage, the heavy downtime that could result from damage to vital networks is sure to impact the organization on many levels. And such attacks are only growing in frequency, as Corero estimates that there was a 40% year-on-year increase in DDoS attacks in 2018. With an estimated average cost to enterprises of $2 million per DDoS attack, it is no wonder that CISOs fear cyberattacks more than ever in 2019.
The potential for malicious actors to access sensitive data during periods of vulnerability could also gravely impact customer trust and do near-irreparable harm to overall brand value. Take, for instance, the Equifax data breach of 2017. While the root of the vulnerability was apparently out-of-date software on a single web server, it resulted in a breach of the personal information of over 148 million customers, including sensitive data like credit card numbers, driver's licenses, and Social Security numbers. While Equifax has begun recovering from the massive hit to customer trust, that hasn't saved the jobs of the company's top information security officers. This merely illustrates the pressures and occupational dangers that CISOs face in their responsibility for the security and integrity of all aspects of company networks.
While Equifax placed the blame for the data breach on one employee for failing to patch a server, the actual situation illustrates the potential nightmare of internal company reporting structures. Despite Equifax being aware of the vulnerability, it was never patched, and the breach was not even identified for two months. Much of the blame can actually be placed on the fact that then-CSO Susan Mauldin “did not report to the CIO, but was buried underneath the Chief Legal Officer”.
Such a silo between IT and security significantly widened the extent of the breach and hampered efforts to keep the situation from worsening. Equifax has since fixed its organizational structure by placing the new CISO directly under the CEO, but it certainly learned this lesson the hard way. And it seems that other companies have not learned second-hand from the Equifax breach, as KrebsOnSecurity found that only five percent of the global top 100 companies list a CISO on their executive leadership page. While each CISO faces unique challenges, the seeming need to fight for organizational attention and funding detracts from their ability to optimize networks and enterprise systems for security and risk mitigation.
Furthermore, even without any major organizational stumbling blocks, many CISOs simply find it challenging to fully staff their departments. A prolonged search for competent employees could draw resources away from important day-to-day tasks of shoring up a company’s cyber defenses and straightening out its network security processes, in addition to distracting the CISO from staying on top of new risks facing the organization.
If securing company networks from threats wasn’t already difficult enough, the arrival of the Internet of Things (IoT) is another reason why CISOs may have some sleepless nights.
Briefly, the IoT refers to a network of internet-connected devices that communicate with each other. Talk of the IoT usually extends beyond objects traditionally used to access the internet, like computers and smartphones, to encompass objects ranging from scanners to security systems and even toasters. The widespread adoption of such IoT devices certainly makes our lives more convenient, but those working in cybersecurity are the most exposed to the drawbacks of this trend.
The downside to these expanded capabilities is that every additional IoT-enabled device brings potential security risks. Sensitive company information is gradually being shifted to cloud storage, meaning that such networks are ripe for attack by malicious actors. Each additional access point to this information cloud represents another possible route for hackers to gain unwanted access and wreak havoc on the data integrity of the organization.
In short, the cat-and-mouse game between hackers and CISOs is still in an early stage when it comes to the IoT. This step into the unknown of massive IoT connectivity is most unnerving for CISOs, who will bear the brunt of the blame if previously unknown vulnerabilities are exploited. It is impossible to know how many vulnerabilities leading to data breaches and hacks may result from the increased connectivity of the IoT, and the phenomenon is new enough that data protection and risk mitigation solutions are not yet as robust as they inevitably will become.
Since CISOs are in charge of all aspects of IT risk management, they will likely be held responsible even when the cause is a reckless action by an employee. This mismatch between limited control and extreme risk keeps the possibility of employee error near the top of a CISO's list of worries.
For example, employees could fall for a phishing scam and introduce malware into the company's network. Furthermore, the potential for employees to access company-sensitive information on mobile devices while connected to public networks is a security nightmare for CISOs. Disgruntled employees may also choose to leak confidential information, making the complete security of company information virtually impossible. CISOs should be reviewing their organization's information security policies on a regular basis and proactively introducing new training materials to educate employees on cybersecurity risks.
At the end of the day, the CISO bears the ultimate responsibility for the security and integrity of a company’s information network. Effective CISOs understand business risk on a level deeper than anyone else in the organization and are best able to understand the merits of new tools and solutions. They see better than anyone how the different departments communicate with each other and are able to propose control methods for keeping the flow of information within the organization secure. Even when unexpected disaster inevitably strikes, CISOs will have already prepared an incident response strategy that will hopefully mitigate damage and keep the company running smoothly.
No wonder the job, while stressful, is more important than ever. With such a range of critical responsibilities and the growing prevalence of cyberattacks and security vulnerabilities, CISOs have to see the big picture in terms of risk management while also navigating the day-to-day decisions regarding corporate information security.
At Resolver, we provide an integrated approach to third party risk management, capable of managing risk and security across the entire enterprise. With an understanding of the biggest information security risks facing organizations today, we offer industry-leading software in threat & vulnerability management, incident management and reporting, and IT risk and compliance, just to name a few.