The chief information security officer (CISO) is one of the relatively newer titles to take a seat at the boardroom table. It’s also arguably the C-suite role that’s changed the most over the last few decades—and that rate of change shows no sign of slowing.
CISOs first emerged in the mid-1990s (along with the advent of the modern Internet), rose to prominence in the 2000s, and became a requisite function for any organization serious about its security posture in the 2010s. Now the 2020s are poised to present the greatest test yet of the CISO’s capabilities and necessity, not only in protecting against attacks but also in driving business growth.
In this post, I’ll reflect on my own experience as a CISO and how that led me on a path to solve some of the greatest challenges facing this role. I’ll also share how, armed with the right data-driven intelligence, the CISO can evolve yet again to win on the cybersecurity battlefield and effectively provide executive insights in the boardroom.
From CISO to CEO
My own cybersecurity journey began in the 1990s, when I joined the Israeli Air Force. An untimely accident changed my path to cybersecurity, ultimately leading to my true calling. I oversaw security ops and red team efforts over the course of my 14-year service and continued my career in the private sector as a CISO in the 2000s.
I know all too well the immense challenges and demands placed upon this profession. The responsibility falls on security leaders like CISOs and CIOs to provide the relevant security to enable business growth. This requires a deep understanding of the threat landscape and key business drivers—and the ability to bridge the gap between the two. Because CISOs often don’t own the resources to do that, it can feel like mission impossible at times. As a CISO for a cloud services company, I found myself in a reality—like many other CISOs—that only allowed me to respond reactively to the high security demands of our major clients. The process wasn’t scalable and I felt like we were chasing our own tail—there had to be a more proactive way to protect their interests and meet those demands.
Many organizations operate on assumptions about what is happening on their security front, but they lack reliable, accessible data to drive a proactive security program, strategy, and budget. What processes should I implement? What’s missing from my tech stack? How secure am I against specific attacks? Not having clear answers to these questions became one of my greatest frustrations as a CISO. I tried every product the security market had to offer—from penetration testing and red teaming, to outsourcing tools and building our own. Nothing provided the data I needed and, without it, my understanding of my security posture at any given moment remained vague at best. It was also difficult to correlate security spend to reduced risk.
Out of this pressing need—and not being able to find an existing tool to address the problem—I partnered with Itzik Kotler, a fellow red-teamer and seasoned hacker, and we began work on our own solution that would better enable security leaders to understand risk, drive informed strategies, and make smarter technology decisions. The result of our work was SafeBreach, where I now serve as CEO with Itzik as CTO. The SafeBreach breach and attack simulation (BAS) platform enables teams to assess the efficacy of their entire security ecosystem by safely executing breach simulations across the cyber kill chain to validate and optimize security controls, prioritize remediation efforts, and mitigate critical gaps before a breach occurs.
Enough about me, though. Let’s take a closer look at the position many CISOs find themselves in today.
Control the Controllables
The security market is broken. A typical enterprise may have implemented layers upon layers of protection, but those layers are mostly siloed. And, unfortunately, buying more and more security tools over time doesn’t equate to greater security—it just creates greater complexity. Instead of thinking about the next shiny solution on the market, focus on how you can maximize the effectiveness of the controls you already have in place and drive efficiency.
99% of attacks are known and have been for years, yet too often I see CISOs relentlessly chasing after the unknowns in an effort to predict the next anomalous attack. In the process, they neglect the known risks by not understanding attacks that have already taken place: asked whether they are susceptible to an attack technique first seen a year ago, many would hesitate to answer, because they don’t have the data to know.
An enormous amount of information exists about the attack methods and vulnerabilities attackers have exploited in the past. It can be used not only to verify protection against known threats, but also to make educated predictions about future ones. Some details of an attack change from campaign to campaign (the payload, the delivery infrastructure, the indicators), but the underlying tactics, techniques, and procedures (TTPs) change far more slowly. A key way for organizations to reduce their risk is to use this known information to test their defenses and overall security posture.
But, like the CISO, hackers are a fast-evolving species, always adapting to breach your latest defenses. While we want to stop them from gaining access, it’s not always a realistic goal. Instead, we must also focus on ensuring the right protections are in place so that—in the event they do hack your system—there’s nowhere else for them to go.
To accomplish this, it’s useful to remember that attacks—no matter how sophisticated—aren’t a single action, but rather a sequence of logical steps. Every organization has the opportunity to limit these steps by controlling choke points, so that even if some steps are successful, a hacker still isn’t able to achieve their desired outcome. By preventing an attacker from moving laterally or exfiltrating data after they have gained access to your network, for example, you can significantly minimize the possible damage of that attack. This is a competitive advantage that many organizations are not fully leveraging today. Home in on the steps you know you can defend against first, and don’t go chasing ghosts.
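The reasoning above, that an attack is a sequence of steps and that closing one well-chosen step denies the attacker their outcome even when earlier steps succeed, is easier to see as code. The following Python is an added example written for this post, not SafeBreach platform code and not the author's; the stage names, technique labels and simulation outcomes are constructed, and the three-value outcome vocabulary (blocked, detected, missed) is an assumption made for the example.

```python
"""Model an attack as an ordered sequence of stages and find the choke point.

Added illustration; not SafeBreach platform code. The stage names, technique
labels and simulation outcomes are constructed, and the outcome vocabulary
("blocked", "detected", "missed") is an assumption for this example.
"""
from typing import Dict, List, Optional, Tuple

Outcome = str  # assumed vocabulary: "blocked" | "detected" | "missed"
Results = Dict[str, Dict[str, Outcome]]

# Simplified kill chain: the attacker must get through every stage, in order.
CHAIN: List[str] = ["initial_access", "execution", "lateral_movement", "exfiltration"]

# Constructed results of safely simulating known techniques against the
# controls already in place. Initial access is hard to stop outright (several
# techniques still land), while exfiltration is nearly closed.
SIM_RESULTS: Results = {
    "initial_access": {
        "phishing_link": "missed",
        "macro_dropper": "missed",
        "drive_by_download": "detected",
    },
    "execution": {
        "powershell_encoded": "detected",
        "wmi_exec": "missed",
        "signed_binary_proxy": "missed",
    },
    "lateral_movement": {
        "smb_admin_share": "missed",
        "rdp_credential_reuse": "detected",
        "remote_service_create": "blocked",
    },
    "exfiltration": {
        "dns_tunnel": "missed",
        "https_upload": "blocked",
        "cloud_storage_sync": "blocked",
    },
}


def open_techniques(stage_results: Dict[str, Outcome]) -> List[str]:
    """Techniques that still let the attacker advance: anything not blocked.
    A detection alone does not stop the step; it only opens a response window."""
    return sorted(t for t, outcome in stage_results.items() if outcome != "blocked")


def attack_path(results: Results, chain: List[str]) -> Dict[str, List[str]]:
    """Per-stage list of techniques that remain open."""
    return {stage: open_techniques(results[stage]) for stage in chain}


def furthest_stage(results: Results, chain: List[str]) -> Optional[str]:
    """Last stage the attacker can reach before hitting a fully blocked stage.
    None means they are stopped at the very first stage."""
    reached = None
    for stage in chain:
        if not open_techniques(results[stage]):
            break
        reached = stage
    return reached


def objective_reachable(results: Results, chain: List[str]) -> bool:
    """True when at least one technique is open at every stage, end to end."""
    return furthest_stage(results, chain) == chain[-1]


def choke_point(results: Results, chain: List[str]) -> Optional[Tuple[str, List[str]]]:
    """Stage where blocking the fewest open techniques severs the whole chain
    (earliest stage wins ties). None if the chain is already broken."""
    if not objective_reachable(results, chain):
        return None
    path = attack_path(results, chain)
    stage = min(chain, key=lambda s: (len(path[s]), chain.index(s)))
    return stage, path[stage]


def apply_fix(results: Results, stage: str, techniques: List[str]) -> Results:
    """Re-run after remediation: the named techniques now report blocked.
    Returns a new result set; the original is left untouched for comparison."""
    fixed = {s: dict(r) for s, r in results.items()}
    for technique in techniques:
        fixed[stage][technique] = "blocked"
    return fixed


if __name__ == "__main__":
    print("objective reachable:", objective_reachable(SIM_RESULTS, CHAIN))
    print("cheapest choke point:", choke_point(SIM_RESULTS, CHAIN))
    stage, gaps = choke_point(SIM_RESULTS, CHAIN)
    after = apply_fix(SIM_RESULTS, stage, gaps)
    print("after fix, attacker gets as far as:", furthest_stage(after, CHAIN))
```

With the constructed data the cheapest choke point is the exfiltration stage: blocking the single technique that still gets data out breaks the chain even though initial access and execution remain wide open, and the attacker now gets no further than lateral movement. Ranking stages by the number of open techniques is one simple prioritization; a real program would also weigh the cost of each fix and the business impact of the stage the attacker can still reach.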
Align with Business Goals
There’s a myth about cybersecurity that it slows business down, but I actually see it as an accelerator. That said, I wouldn’t liken security to a gas pedal in a car—it’s really more like the braking system. Now, we all know we need brakes to drive safely, but brakes aren’t only good for slowing down or stopping. They actually enable us to arrive at our destination faster because they allow us to take more controlled risks along the way. Conversely, what do you do if your brakes aren’t working properly? You drive painfully slow, avoid highways, and hopefully head to the nearest service station.
This is why a successful CISO can’t solely focus on beefing up security measures, but should also aim to remove the obstacles that would slow the business’s growth or knock it off its trajectory. To do this, the modern CISO must first become closely aligned with their organization’s strategic goals. Once you know the risk scenarios that would be most damaging to those goals, you can reverse engineer each one into the sequence of tactics an attacker would have to use, and from there gain a clearer understanding of where your gaps actually are.
I also recommend bringing a more CFO-like mindset and approach to the boardroom. The more consistent you can be in presenting a clear view quarter over quarter, with the data to back your decision-making, the more your fellow leaders will appreciate the value you bring to the organization—beyond just peace of mind. Board members also want to see that the person in charge of security knows what they’re doing and can communicate that knowledge effectively. Take it upon yourself to set the language and process around what you are measuring every day, month, and quarter, and find clear ways to demonstrate progress.
And please don’t present raw counts of vulnerabilities or phishing emails. Instead, drive the discussion around the impact your operations will have on business growth and how the security program is closely aligned with that strategy. In doing this, you can join the next wave of successful CISOs who will not only earn their seat at the table—they’ll lead the conversation.
Want to learn more about how SafeBreach provides an empirical way for CISOs to gain visibility into the performance of their security controls and confidently communicate effectiveness with their fellow leaders? Connect with a SafeBreach cybersecurity expert to discuss your use case or schedule a personalized demo today.