At the RSA conference there was a CISO panel, talking about the perils of becoming a CISO. Joe Sullivan, the CISO of Uber who just avoided jail time but did have to pay a $50,000 fine has noticed a real shift in the questions that he is being asked. Things have changed from, “What do I say to get the job?” to “Do I want this job?”.
The CISO’s Struggle is real
The CISO challenge is being responsible for the security of the company, but not getting full autonomy to act in the best interest of security of the company. There are several factors that contribute to this: reporting structure, political pressures, the complexity of risk exposure, changing requirements and architectures, and finally, the day-to-day operations.
First, let’s look at the reporting structure. The CISO should report directly to the CISO, but some organizations have the CISO report to the CFO or CIO. If the CISO is reporting to the CFO or CIO, they are at a disadvantage. The CFO does not typically have the security and technical acumen and background to understand the risk to the business based on the overall security strategy of the organization. Ideally, the CISO should report to the CEO and the standard that would show this should be the case is: if your most precious data assets ended up on social media – what would your exposure be? The order of magnitude of that exposure makes it clear that the CISO should report to the CEO.
Second, the CISO’s security knowledge is going to most likely exceed that of the CEO. However, contradicting the CEO could be a career limiting move. The politics of this could hamper the CISO from being as effective as they can be. They might withhold information or not provide more details to ensure he or she does not embarrass the CEO. It is absolutely correct to not want to embarrass any colleague or co-worker, this is when a private conversation with the CEO is appropriate and further makes the case that the CISO needs to report to the CEO.
Third, clearly communicating security risk and aligning that with business risk can be very difficult. Simplifying the risk exposure and then prioritizing exposures by the business value of the asset that could be compromised. The CISO needs to ensure that the board understands the damage a breach can do to the organization’s reputation, revenues, and customer base.
Fourth, the CISO is dealing with an ever-changing threat landscape, cloud architecture, and compliance requirements. It is very difficult for static security tools to keep up with dynamic architecture and business requirements.
Finally, after handling all of the above board-level and executive-level challenges, the CISO needs to ensure they are effectively handling the day-to-day security operations of the organization. The average activity in the SOC is 4,487 daily alerts and 83% of them are benign. However, most SOC tools do not look at the overall context of the alert to accurately indicate which ones are benign and which are truly malicious – so the team is wasting valuable manhours on 83% of the alerts.
If security is a priority – you need to elevate the CISO
The first thing organization’s should do is elevate the CISO. The CISO needs control of his or her organization and budget and needs to have C-suite visibility in terms of their needs and challenges and the needs and challenges of other business units. The CISO needs to work with their peers to understand the business’ goals and priorities and how security can help these priorities.
The CISO needs to create the security and compliance requirements that the business implements. Each business unit needs to review and understand the risks to revenue, customers, and brand that could come about should a business unit feel they know better and can ignore the security requirements.
In order to ensure the productivity of specific teams or individuals, there may be exceptions to following these requirements. The risk associated with ignoring specific security requirements must be understood and managed. There is some risk that the business is willing to accept to ensure the productivity of employees, and revenues. The CISO is able to effectively guide these decisions and ensure awareness at the executive level so the business understands the risk and can support the CISO.
Today’s Tools do not support the CISO
Another barrier to the success of the CISO is that focus of current security tools – they only look at the post-incident (read: post-breach) activities. If the security strategy of an organization is focusing on alerts which indicate there are breaches, the security team cannot be successful. They are already too late. The CISO cannot take a proactive approach to the cloud security and cannot manage risk. Post-incident tools support the CISO after something bad has happened and that is not helpful.
- CNAPPs (Cloud-Native Application Protection Platforms): These tools focus on keeping threat actors out, but the reality is that breaches will happen. Incident response is crucial, but by then, it’s already too late.
- SIEMs (Security Information and Event Management): SIEMs rely on rules, but as cloud environments update, these rules often break, compromising security.
- Cloud-native tools: As these are part of the cloud, if your cloud is compromised, so are your cloud native tools. Threat actors can query these tools to see if they have been detected.
In terms of the number of tools, security teams are just overwhelmed. On average, there are over 80 security tools in the SOC – all of them generating alerts. Even if all of them generate just five alerts a day – that is 400 alerts per day! How can any security team review each of these alerts, understand if they are indicating a true threat to the business or not, and if so, then resolve the issue to its fullest – 400 times per day.
Today’s security tools have CISO’s constantly looking back. When you are always looking in your rearview mirror – you cannot be successful. It is like driving – you must look forward. Skyhawk Security looks forward and can support a CISO’s goals and objectives – to prevent cloud breaches.
Secure different. Be the Proactive CISO.
There are a couple of things that need to change for the CISO to be successful. In our opinion the top two are as follows:
First, if you are going to hold the CISO accountable for breaches, then you need to empower them with a seat on the executive staff and the budget and staff they need to be successful. Skyhawk Synthesis Security Platform helps CISOs look forward and predict where the attackers will land. According to a recent article on it states: At many companies, security executives lack the organizational power to make changes in pursuit of better security. The CISO needs to be empowered.
Second, the CISO needs to stop looking back and needs to look forward. At Skyhawk Security, we empower CISOs to shift from reactive to proactive security. Our AI-driven platform detects threats in real-time, simulates potential breaches, and provides tailored responses to keep your organization ahead of attackers. With Skyhawk, you can confidently manage risks and protect your valuable assets, ensuring a secure and resilient cloud environment.
Skyhawk Synthesis Security Platform helps CISOs overcome their challenges by:
- Providing real-time threat detection and response.
- Leveraging AI-driven simulations to predict and prevent potential breaches.
- Offering tailored automated responses that adapt to evolving threats.
- Reducing alert fatigue by focusing on actionable, high-priority alerts.
With Skyhawk, you can shift from a reactive to a proactive security posture, effectively managing risks and securing your organization against future threats. Be the CISO who leads with confidence and foresight.
CISOs can now confidently implement automated remediation. The purple team clearly demonstrates that specific events and behaviors can cause an incident or breach. The purple team then builds an automated response to prevent the incident from progressing to a reach. CISOs know they need to implement automation to resolve the threats to their business – their teams are overwhelmed. However, they have never had alerts with such high fidelity and pre-validated automated response until Skyhawk. CISOs can alleviate the burden to their security teams and prevent cloud breaches with tested, verified, and accurate alerts and automated remediation.
Drive executive level-conversations on risk.
Skyhawk Security enables the CISO to elevate the conversation from the alerts that have been addressed to how the overall risk of the cloud is being managed. The CISO can clearly show how risk exposure is decreasing over time and how resolving a single choke point helps eliminate dozens or hundreds of potential attack scenarios. Skyhawk Security enables the CISO to showcase the criticality of their role, as well as how they are improving it.
CTA: Unlock Your Cloud Security Insights – Free Purple Team Assessment. Learn more here.
