18 Jan The Past, Present, and Future of Chief Information Security Officers (CISOs)

Hacking in the Hamptons, In Partnership with Evolution Equity Partners

– David Braue

Melbourne, Australia – Jan. 18, 2024

Reports of data theft, critical infrastructure compromises and nation-state attacks have become so commonplace these days that it’s easy to forget that there was a time when the idea that a cybersecurity breach could cause real damage was something that you’d mostly see in Hollywood movies.

There was certainly no sign of what was to come when Paul Connelly began working with the National Security Agency (NSA) back in 1984, when the Internet was still a glorified government research project and business computers did not — and, thanks to a plethora of data standards, nascent technology and rudimentary connectivity overall, could not — talk to each other.

At that time “I could have never dreamed that infosec would become a key tool of warfare and something that causes billions of dollars of business losses, shuts down city governments and hospitals and factories, and becomes a board-level issue,” Connelly — who most recently served as chief security officer at Nashville, Tenn. based HCA Healthcare — told a panel of his peers during Cybercrime Magazine’s fall 2023 Hacking in the Hamptons roundtable.

During the 1980s “most organizations were just beginning to tap into the capabilities of computing,” Connelly explained. “There was really little or no thought about privacy or security, at least in the private sector. Everything was built to just be wide open for ease of adoption.”

“It was still during the Cold War, and our focus at that point was mainly how we could protect our communications on the military and diplomatic side.”

---

---

Yet even as the open-technology mindset helped improve technology dramatically over the next decade, it dovetailed with the adversarial Cold War mentality to produce a challenging and confrontational situation that would ultimately spell trouble for technology-using businesses.

Thanks to steady improvements in connectivity — and the quantum leap delivered as the Internet hit the mainstream during the 1990s — technologically curious hackers were soon joined by malicious-minded cybercriminals who saw open technology as a playground for vulnerabilities, exploits, and increasingly menacing attacks on businesses.

By 1995, when a series of successful attacks by Russian hackers led Citibank to appoint the world’s first chief information security officer (CISO) — Steve Katz, who went on to build an illustrious career including founding Security Risk Solutions LLC before passing away in December — the terms of the high-stakes, high-pressure cat-and-mouse game between cybercriminals and CISOs had been laid out in stark relief.

Not on my watch

Decades later, that rivalry has continued unabated, with an ever-growing string of data breaches and ransomware attacks highlighting the changing threat that CISOs have had to deal with — often in the face of opposition from executives who have taken their time embracing a corporate worldview in which security spending is anything more than a sunk cost.

Meanwhile, cybercrime is rampant — with damages from cyberattacks expected to reach $9.5 trillion this year alone — and CISOs, while far more common than in the past, have all too often become scapegoats for cultural failings in organizations that still rationalize inadequate investments in cybersecurity technology, staff, and services.

“It’s unquestionably something that’s top of mind for CISOs,” said Jamil Farshchi, who as CISO of Equifax spends his days bolstering security defenses in the sights of cybercriminals whose successful 2017 breach made the company a household name for all the wrong reasons.

Farshchi — whose resumé includes CISO roles at the likes of NASA, Los Alamos National Laboratory, Visa, Time Warner, and Home Depot — joined the company a year later, ostensibly with a brief to shore up Equifax’s defenses to prevent a repeat of the embarrassing and expensive earlier breach.

“A breach is that seminal moment that is the exemplar for whether you’ve been successful in your capacity [as CISO] or not,” he explained. “And so many CISOs, who are in organizations that aren’t taking security seriously enough, or aren’t getting the investments they believe they need, are willing to leave or have already left for other jobs because they don’t want that breach on their watch.”

With great budget comes great responsibility

Connelly has been there and done that, recalling that — unlike the Citibank executives who gave Katz a blank check to ensure the company didn’t get breached again — in two of his CISO roles “I didn’t even have a budget” for security investments.

“I had to fight for dollars out of the IT budget,” he said, “and I was not always successful. It was really only after helping our senior leaders understand the risk and educating them, that we got our own budget — and at first, it was pretty much a blank check.”

“I even had a CFO tell me once that ‘nobody wants to be the CFO who said no to something that ended up causing a breach later.’”

Yet that was not necessarily “a healthy thing,” Connelly noted — a point he kept in mind as he tempered his enthusiasm about executive recognition with the need to practice sensible restraint.

“It was definitely great to be able to come in and ask for something and get the answer ‘yes,’” he explained, but “I always felt it was a credibility builder for me to not take advantage of that and ask for the world.”

“Within our team, we were the hardest critics of our budget,” he said, “and we would not take anything forward unless we absolutely had to — and as a result of that, our CEO and CFO really trusted our team’s judgement.”

Despite many blaming executives for inadequately supporting cybersecurity efforts, Farshchi said the situation is often more nuanced due in part to the highly intangible nature of cybersecurity defenses, which defy quantification like other business metrics. “It’s difficult to measure security,” he explained.

“I know CISOs who do a great job and yet they were victims of these breaches,” he said. “The challenge is how do we actually know that, when [CISOs] present to the board or executive team, and have measures that aren’t crystal clear. It’s not like a football team that goes out and wins because they have a higher score than the other team.”

CISOs are getting better tools to address this shortcoming, as innovative vendors like SecurityScorecard standardize the evaluation of enterprise security defenses and provide meaningful ways to benchmark companies against best practice.

Such metrics inform the CISO’s relationship with executives and, in Connelly’s case, have proven transformative for the relationship with the business. “In recent years, the education level of our company leaders has grown,” he said, “and the better we’ve gotten at measuring success and ROI, it has become more of a business decision.”

“We come in and talk about the risks and where we felt we needed to make investments and what the impact of those investments would be if we did not, and it became a much healthier conversation.”

Persistence — and growing clarity about ways to bridge the perception gap by portraying cybersecurity risk in business terms — are proving invaluable in helping CISOs catch the ear of executives who, no matter how much they may fear a data breach, must always consider cybersecurity within the broader portfolio of business investment.

“Being a leader in security doesn’t mean that you’re the best at finding and buying a ton of tools and hiring a quintillion people,” Farshchi said. “It’s about being a good business leader and being responsible about the spend because you’ve got to keep other facets of your business in mind.”

“As we evolve as a discipline, the better we can get at being able to articulate and measure what success and good really look like,” he continued. “This will help to reduce the risk and mental bias that we have around CISOs that have been at organizations that have experienced a breach.”

Not just about the executives

Yet CISOs’ jobs don’t only revolve around the relationship with business executives. Users remain an even bigger challenge, as CISOs balance the need to maximize organizational security while preserving usability, functionality, and employee productivity.

This was previously difficult as ideal security was often compromised in the name of not inconveniencing employees.

Yet as cybercriminals have expanded from technology-driven hacking to more direct social engineering that exploits recent innovations like cell phones, former White House CIO and current Fortalice Solutions CEO Theresa Payton said, today’s CISOs are just playing another variation on a long-running theme.

“The technology has changed, how we used it in our daily lives has changed significantly, and the tactics of cybercriminals have changed significantly,” Payton said. “But at the end of the day, it all boils down to the human user story — and the favored technique of cybercriminals is social engineering of the human.”

The immediacy of human vulnerabilities has bolstered CISOs’ primacy as catalysts of organizational security, with the elevation of the CISO role “the first real recognition at the biggest organizations around the globe that this is not a problem that is going away,” Payton said, “and that the conversation around this problem needs to be elevated if we ever want to have a hope of being proactive instead of reactive.”

For those acting in the CISO role now — whether or not they have been given the formal title — Payton said a key part of this proactivity is engaging with the human element as well as addressing the technological part of cybersecurity.

That means being “a student of your job,” she explained.

“Just because you get elevated into the role, you’re not done. Your job is going to be constantly changing and evolving. And you have a sense of responsibility to turn around behind you, and to motivate and encourage and professionally develop the people behind you.”

Such engagement is crucial to preserve the momentum that has escalated the CISO role’s prominence over the years — and that need, Payton said, makes it imperative for CISOs to spread the word and engage other security-minded potential leaders.

“Make sure you’ve got a great succession plan for when it’s time for you to be promoted, retire, or move on,” she said, “so that somebody’s ready to take your place.”

---

---

Proxies enter the cybercrime fight

Just as CISOs have progressively guided company security organizations through several phases of security tools — from standalone antivirus tools that had to be deployed and updated across thousands of desktops, to centrally managed perimeter defenses and then into managed services and towards cloud-based systems that facilitate sharing of threat intelligence — the CISO-business relationship is facing another inflection point.

This year, CISOs will particularly be called upon to help executives understand the real-world implications of generative AI technology, which barnstormed the world last year and is rapidly changing both the way that corporate security defenses operate and the way those defenses are targeted by malicious actors.

Vendors have invested extensively in adapting generative AI large language models (LLMs) to cybersecurity and CISOs should recognize their value “to make our lives a lot easier with these insights” as they formulate plans for leveraging the technology, Farshchi said.

And while the cybercriminal world’s rapid adoption of malicious LLMs may have helped them rapidly and successfully adapt their methods — for example, by producing ever more convincing personalized phishing attacks — Farshchi is confident that in the long run tight collaboration between CISOs and business executives will give defensive LLMs the upper hand.

“Who has a better understanding of my environment to be able to build and train those models, and who has more data about my company and the behaviors therein, than me?” he said.

“The bad actors sure as heck don’t. And while in the short term they’ll have a bit of an advantage as we digest this technology and operationalize it, in the long term [generative AI] should serve as a boon for most security teams by allowing our people to be able to move upstream and focus on more challenging issues that we have — and really accelerate our progress and maturity as security programs.”

Generative AI’s broad applicability for any business could finally put paid to the notion that security is the CISO’s problem alone — leading Connelly to advise CISOs to seize the opportunity to lead the conversation with executives who have likely heard of generative AI but have little real understanding of its implications for cybersecurity.

“As long as cybersecurity is viewed as an IT issue or the CISO’s job, we’re at a huge disadvantage and probably not going to be as successful as we need to be,” he said.

“The real watershed change is when business leaders in different areas of the organization all recognize that they also own IT. That’s when the CISO can be the most effective, and really drive the kind of activity that needs to happen to make an organization successful.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.

---