Contemporary CISOs need to align with their security teams, supply chain, extended enterprise and the organization’s incident response capabilities to be able to fight the growing menace of attackers. Getting the board’s buy-in for a security and risk program has become absolutely non-negotiable too. In such a scenario, the role of a CISO has to evolve. The CISO, in the current schema, should not only be technology savvy but also business savvy, and should evangelize the security program within their organisation. In an exclusive interview with dynamicCISO, Gary Hayslip, Vice President & CISO, Webroot, shares his list of to-dos for 2019.
Below are the excerpts:
DynamicCISO (DCISO): The World Economic Forum 2018 has, for the first time, put “cyber” as one of the top 5 risks in terms of likelihood. Researchers also say that by 2021, there will be at least one “zero-day” attack every day. How do you view this fast-changing threat landscape? Where do you see the majority of the threats coming from?
Gary Hayslip (GH): Two of the biggest threats I am concerned about, as we move into 2019, are the social engineering threats that target the employees through phishing and the targeting of supply chains and 3rd party vendors. For protecting the employees, we are incorporating training and various data/email protection methodologies to try and remediate as much risk as we can from that threat vector. The issue you run into though is the phishing attacks and financial fraud-oriented attacks that we see in the social engineering space. They are becoming more sophisticated. It looks as if we are in a digital arms race trying to respond and manage those threats.
As for the targeting of our supply chain and partners, as a CISO you have limited visibility into their networks to understand the risk exposure your organization is accepting when doing business with them. For that threat, we are trying to use technologies like Security Scorecard that provide visibility into my vendors’ and partners’ networks. With that information, one can make a recommendation to the legal department that they should remediate specific issues and have a scorecard rating at specific levels. This provides us a level of confidence that our partners are adhering to best practices, and they should have the same in return for my networks.
DCISO: Every day there’s something new in the world of cyber. However, do you see some unique trends emerging? What would those be?
GH: The continuing drive for visibility into how data is being accessed, manipulated, shared, stored, etc. is the foremost thing. There’s no looking back on it. Use of AI/ML to augment teams and help with faster response to incidents and reduce monotonous workloads is what a CISO and a security organisation should look at to ramp up the intelligence. Continued investment in threat intelligence and its uses to assist with real-time decision making, orchestration, and the training of new ML algorithms are some of the key areas to focus on in the times to come.
DCISO: How do you see the role of a CISO emerging as the significance of cyber-security has gone higher in the corporate world?
GH: While talking to several of my CISO peers, we see the CISO position evolve into one that businesses require to survive the threats it faces today. That said, it is incumbent on the CISO to adjust to the new roles the position is assuming and many of these roles are business-oriented and not technically-focused. For the CISOs to be effective, they need to understand how their company conducts business, what data and technology are important to strategic operations, and what vendors/partners are critical to the organization. To gain this insight, CISOs must be visible, they must be involved and get to know their peers in various business units. Through these relationships, CISOs should develop an understanding of the impact their security program has on the company.
This insight will help CISOs align their program to company priorities, and in the long run, their security program will thrive because it will be protecting the right things and providing value that business leaders understand and acknowledge.
DCISO: What are some of the key challenges facing cybersecurity professionals in 2019?
GH: Similar to the past few years, the threats and breaches will keep coming. They are not going to slow down. Keeping that in mind, it will be critical for CISOs to be evangelists of their security programs within their organizations and should continue working with their leadership teams. CISOs need to help business stakeholders understand the risks the company has and provide recommendations to the executive team for them to decide how, as a team, they should remediate those issues.
Along with this continuous fight for executive leadership’s buy-in, it should also be part of the CISO’s role to work with the internal business culture of the organization to let employees realize the value of cybersecurity and best practices.
CISOs will also need to focus on trying to get security accepted as a standard for the routine work and not just as a fallback program we use to triage an incident and clean up the mess.
DCISO: Automation is increasing in every sphere. Cybersecurity is also experimenting with futuristic technologies like Artificial Intelligence and Machine Learning. Do you think extreme automation can be a potential threat to the jobs of cyber-security professionals?
GH: It’s the opposite. AI/ML will enhance many cybersecurity operations. At the moment, these technologies are matured enough to take away the jobs. I see these technologies being incorporated into more security products and platforms to manage the massive amounts of data that security teams review for anomalous behavior. Coupled with threat intelligence, these technologies can do reviews quickly, allowing teams to focus on anomalous behaviors that need to be investigated in real-time and enable teams to better manage incident response operations.
To me, AI/ML are currently technologies that I will leverage to build resilience into my operations. Having said that, as I have been doing this for the last two years at Webroot, I have been hiring more people, not fewer. The jobs they do are different. There is more focus on scripting and connecting technologies in the security stack to share data and automate responses to a specific level for human decision/intervention. As a result, many of our manual procedures are getting automated, but this opens new services and new maintenance requirements for my team members. So, I don’t see job losses; I see jobs maturing.
DCISO: What are your top 5 recommendations for CISOs for next year?
GH: My top 5 recommendations are as follows:
Collaborate: Don’t be afraid to reach out to your peers for help.
Have Basic Cyber Hygiene: Follow best practices continuously and make it a habit so that it is ingrained into how the security teams operate.
Select a Framework: Select an industry framework to measure your risk and maturity as a security program.
Develop Metrics: Once you have a framework in place, you need to continuously measure where you are at and changes you may need to incorporate. Don’t be afraid of how you score; use it to get better and tell a value story.
Revenue Enhancement: It is hard to measure cybersecurity’s value to a business. Focus your security team as a service team that provides risk management to your departments. Use metrics to measure the reduction in risk and the provisioning of new services for business units to be competitive. Your job, as CISO, is to be a business partner and help enhance revenue operations by protecting the organization as it seeks to be innovative.