Expecting Too Much From CISOs Can Drive Them Out The Door
Chief information security officers need boardroom support
Melbourne, Australia – Jun. 8, 2023
The practice of cybersecurity has become so complex that sky-high expectations for CISOs are driving them out the door at a record pace, the CISO of a leading managed detection and response (MDR) provider has warned. He advises businesses to take a more collective approach that positions security as a team effort, driven by company culture and shaped by a realistic understanding of security capabilities.
Despite their position as the titular head of their company’s cybersecurity efforts, CISOs “are not there to fix everything and they don’t own all the risks,” eSentire CISO Greg Crowley said during a recent visit to Cybercrime Magazine’s studios.
“The CISO is there to raise the risk, to shine light on it, to offer solutions, to differentiate and prioritize what needs to be fixed,” he explained. “You can’t ask the CISO to do everything and everything; you need to give them the support — and give them a team that can really make sure the cybersecurity and risk management program is well-functioning.”
Expecting too much from CISOs — as so many company boards still do — continues to drive attrition from the security function at a brisk pace, with burnout and the desire for greener pastures pushing 24 percent of Fortune 500 CISOs to switch roles within a year of starting.
Cybercrime Radio: Advice for Chief Information Security Officers
How to do more with less
Such metrics highlight the potentially severe consequences of poor cybersecurity culture, but they also frame the challenge that lies ahead of executives as they increasingly formalize their companies’ cybersecurity risk management strategies.
“CISOs are in demand, so we can go elsewhere,” Crowley said. “So, have a company that has a culture that is important, that is supportive, that is empowering. A company that takes security seriously, and is not just looking for a scapegoat. That’s the place where a CISO can thrive.”
Finding the right numbers
No matter how much the CISO thrives, however, overall cybersecurity success still requires strong engagement across the business — and the right balance between doing security in-house, and bringing in external expertise where necessary and appropriate.
Here, Crowley said, it’s important to remember one simple truth: there simply aren’t enough cybersecurity specialists in the market — or funding in corporate budgets — to equip every company with experts with every key capability.
“There are 3.5 million unfilled cybersecurity jobs, and those are never going to get filled in-house,” he explained. “It’s hard to have a specialist that can know everything about configuring your service, specialists that can do all the malware analysis, that are going to have threat intelligence.”
“You can’t have all those, and it’s just not reasonable to think that you can. What you are going to have is some security people, likely — so focus those people on the work that matters, the people that know the business, that can connect with the business.”
The increasing complexity of the modern cybersecurity defense has dovetailed with the rapid expansion of managed service providers like eSentire, whose ability to offer the full breadth of security capabilities — and to do so confidently enough to offer guarantees like four-hour response times for remote threat suppression — puts them well ahead of anything the average corporate information security department can provide.
To extend that lead, eSentire has been building capabilities in the key areas where companies must have strength — monitoring as an enabler of resilience, MDR capabilities, threat intelligence, digital forensics, and incident response.
“All three elements — the anticipate, the withstand, and the recover — are all very important,” Crowley said, calling out the particular competencies of eSentire’s Threat Response Unit (TRU) — a team of seasoned industry veterans that proactively research and analyze new threats, applying machine learning models to build new detection rules.
TRU not only runs continuous active threat hunts on its customers’ networks but also engages continuously with government bodies and other threat-hunting bodies, Crowley said, contributing to and drawing from collective threat intelligence to run “hypothesis-driven threat hunts” based on analyzing security logs for indicators of compromise.
By taking a “people first” approach to security and building up far more comprehensive capabilities in-house than most companies can contemplate, Crowley believes the managed services model allows company CISOs to offload the care and feeding of security technology — and, in so doing, spend more time tracking metrics around issues such as nurturing a security-conscious corporate culture, investing to improve cyber resilience, and shepherding employees through essential security awareness programs.
As a career CISO himself — he previously spent 17 years managing and securing the infrastructure for World Wrestling Entertainment (WWE) — Crowley knows all too well the challenges that eSentire’s customers are facing.
Strategic outsourcing of operational security functions, rather than trying to replicate the capabilities of a third-party security specialist firm, will typically fit in better with corporate objectives — and budgets.
“Prioritize keeping in-house your core people, your loyal people, your good workers and security-minded people,” he said, “and then look to outsource the rest.”
“Outsource that SOC, outsource that 24×7 monitoring. If you’re not a security company, why would you want to spend a lot of money on security analyst tools and training up security personnel and training of analysts?”
“Leave that to security professionals, and hire people that can help you run your business.”
– David Braue is an award-winning technology writer based in Melbourne, Australia.
Sponsored by eSentire