“A rock star in the information security world” is how a New York Times article described former Uber CISO Joe Sullivan. The same article explained that this rock-star CISO was facing two felony charges, for his handling of a data breach, that could ruin his life. The case and the conviction that followed represent an earthquake for security professionals, and while it may be unprecedented today, it is almost certainly not the last case or conviction of its kind we will see. CISOs are facing a significant rise in attacks, business cultures built on pressure, a growing number of tools, and no simple way to see, track, and measure what is actually happening. It is time CISOs gained the visibility they need to take action and to communicate effectively with their boards and broader teams, so that cases like Joe’s remain a rarity.
With Threats Skyrocketing, CISOs Are Left Navigating a Complex Network of Tools
Working from home may have been a boon to work-life balance, but it has also been a boon for cybercriminals and an increasing headache for CISOs. Ransomware attacks “rose by 93% in 2021 compared with 2020 levels,” and CISOs are feeling the heat, with 67% perceiving the current threat landscape to be worse than a year ago. Adding fuel to the fire, the cost-benefit calculation of a cyber attack is heavily in the attacker’s favor: attackers have little chance of getting caught, the average ransomware payout is $211,000, and the sophisticated tooling needed to carry out an attack can be bought for less than $100 on the dark web. CISOs, on the other hand, must navigate a complicated web of tools and capabilities (anywhere from 10 to 100+, depending on the organization’s size) and must turn the data those tools produce into something the board and teams across the organization can use to make decisions. Too often, CISOs rely on laborious manual processes simply to gather the data they need to make a case for action. Even then, the findings are overwhelmingly based on static questionnaires, which capture a single point in time and offer no way to show trends or progress.
CISOs’ Lack of Data Clarity Presents a Communication Challenge
CISOs face a common challenge: communicating the complexity and vastness of the current cyber situation to their board in 10-15 minutes. But those 15 minutes, and the preparation required in advance of each meeting, should not define a CISO’s relationship with the board. CISOs who are able to establish a baseline built on clearly defined KPIs, and who highlight gaps and progress against that baseline throughout the year, are at a major advantage. With such an approach, board meetings become a natural continuation of an ongoing conversation rather than a one-off presentation.
The ability to communicate using real-time data unlocks tremendous benefits not only with the board but with other teams as well. Imagine the difference between asking the CMO to tell her team to enable MFA because it is important, and showing her exactly which of her team members have not yet enabled it while an active threat is targeting users of the very software they rely on every day.
Whether Uber’s former CISO, Joe Sullivan, should or should not have been convicted is a decision for the legal experts. But it is an important moment for the industry to address the wider issues of complexity and lack of visibility that are harming security and making CISOs’ jobs even more difficult.
CISOs Must Prioritize Security Vendor Consolidation
According to Gartner, 75% of organizations are pursuing vendor consolidation, up from 29% in 2020. That is a striking jump for such a short period, but it is no surprise that the number one reason respondents gave for consolidating in that same Gartner survey was to reduce complexity and improve risk posture. For too long, CISOs and security professionals have been handed mission-critical responsibilities, and the legal liability that comes with them, without the innovative tools needed to carry them out.
Marketing has tools and measurement, as do business intelligence and finance teams. Professionals in most parts of a modern company rely on such tools daily (think of the Bloomberg terminal, which was cutting-edge for finance professionals decades ago) so that they can focus on making decisions rather than on piecing together the landscape. CISOs must be able to operate the same way: understanding their tools’ utilization and capabilities in one place, with standard metrics. That capability takes the data-gathering burden off CISOs and their valuable staff, lets CISOs communicate more effectively with boards, and drives more effective security spending and procedures. It also creates transparency, which forms the foundation of an open and direct relationship that builds trust in a CISO and empowers them, their teams, and management.
Cybersecurity Performance Management (CPM) is the evolving category of solutions that CISOs are looking for. While companies that embrace it might still be considered “early adopters,” they are already late to the game compared with other departments, given the current threat landscape and the high stakes at play. The time has come for a consolidated, real-time approach that lets CISOs and their companies manage their security stacks and communicate more effectively.