How to Think Like An Enterprise CISO
Enterprise CISOs are in an unenviable position. Given today’s dangerous threat landscape and rapidly evolving IT initiatives, CISOs have a long list of tasks necessary for protecting sensitive data and IT assets. At the same time, however, most organizations are operating with a shortage of skilled cybersecurity professionals. According to ESG research, 46% of organizations claim that they have a “problematic shortage” of cybersecurity skills in 2016.
In the past, CISOs (and let’s face it, all cybersecurity professionals) were control freaks, often suspicious of vendors and service providers. Faced with today’s overwhelming responsibilities, however, many CISOs I’ve spoken with lately say they’ve changed their tune and adopted more of a portfolio management approach to their jobs.
One CISO summarized this trend quite succinctly by assessing all of her priorities and responsibilities and placing each in one of three categories:
1. Technology-centric solutions. In this category, CISOs look for innovative security solutions that can improve security efficacy with minimal associated work, as close to “set-it-and-forget-it” as you can get in the cybersecurity domain. Next-generation AV solutions like Cylance, Invincea, SentinelOne, and Triumfant fit into this category. In theory at least, these tools can greatly improve exploit/malware detection and prevention efficacy without a lot of additional work on configuration settings, policy creation, or monitoring oversight. Micro-segmentation is another relatively easy way to shrink the network attack surface. These solutions don’t need to be perfect; the goal here is simply to eliminate noise and operational overhead from the security program.
2. Resource-intensive projects. This is the heavy-lifting category, where CISOs decide where to point their people for more strategic benefits. Incident response automation and orchestration is a good example. Yes, there are a lot of innovative integrated cybersecurity orchestration platforms (ICOPs) available today, including Hexadite, Phantom Cyber, Resilient Systems (IBM), and ServiceNow, but the magic here is using these systems to weave together processes and skill sets. In other words, you can’t simply buy a product for IR automation and orchestration; you need to integrate lots of security and IT operations products, map out workflows, find and address process bottlenecks, define policies, and build policy enforcement rules. Resource-intensive projects tend to follow a “crawl, walk, run” evolution, producing increasing benefits over time as organizations gain experience and establish best practices.
3. Outsourced services. Here CISOs are taking a page out of the CIO playbook by looking across their domains and figuring out what they really don’t need to own anymore. Examples include outsourcing email security (MessageLabs (Symantec), Proofpoint), web security (Blue Coat, Cisco, McAfee, Trend Micro, etc.), or aspects of identity and access management (Microsoft Azure AD, Okta, Ping). Outsourcing can also be part of a hybrid solution, such as moving to a cloud-based management plane for on-premises security controls; CrowdStrike and Sophos come to mind here. With the rise of the cloud, more and more complex cybersecurity solutions fit this category. Think of FireEye-as-a-service or Zscaler for network security as examples.
Enterprise organizations can’t possibly do everything themselves. Even large banks and technology leaders are struggling to recruit, train, and hire an adequately sized cybersecurity team. Smart CISOs are adopting this type of portfolio management approach to cybersecurity because it helps them get the most out of scarce resources.