For the CISO, It’s a Mad Max World

Matthew Todd is a security expert, with experience at all levels of business, from CISO to specialty enterprise security consultant.

Matthew Todd, principal consultant, Full Scope Consulting LLC

In a CISO’s mind, it’s Mad Max every day.

In this post-apocalyptic world, the enterprise is a truck careening down the highway with the CISO strapped to the hood, calling out road hazards to the C-suite behind the wheel while attempting to replace the front bumper that was recently recalled by the manufacturer. The C-suite has the pedal to the metal, driving the enterprise truck as fast as possible to the promised land of happy customers.

Meanwhile, the Baddies are circling overhead in their choppers, trying to drop hazards in the road ahead. At the same time, the enterprise’s own loyal workers are adding a nitrous booster to the fuel line, not aware that they are attaching the fuel tank dangerously close to the hot exhaust.

In practice, things are seldom as dire as this apocalyptic scenario. Yet the fact remains that CISOs and their security teams spend far too much time reacting to new or changing threats and vulnerabilities.

Threats to operations, staff, clients, systems and data must be monitored and evaluated for risk. New tools must be purchased—or existing ones modified—to mitigate vulnerabilities identified in new systems, data, apps, libraries, third party tools and SaaS or other cloud services. Clients, auditors or regulators may have their own requirements for security, requiring changes in tools, training, logging, policy or procedure. There is very little opportunity to be proactive.

Very often, the latest threat to the enterprise is created by its own developers or operations staff, and the CISO is the last to know.

The landscape is constantly changing, and most security teams feel they must constantly play catch-up.

The CISO’s Dream

CISOs would far rather work on new, interesting challenges. For instance, how might the CISO anticipate regulatory requirements, so the next conversation with Chief Counsel results in smiles and high fives? How might the CISO anticipate developers’ needs, so the development team’s productivity goes up while security is improved, and the VP of Product gets a nice bonus? What kinds of materials and data might a CISO provide that reduce the length of the sales cycle, improving sales numbers?

Every CISO’s dream is to have a resilient, resistant and responsive environment from the start. If the foundation for the company’s operations is built so that security is built-in (not bolted on), effortless (not a roadblock) and easy, then it’s straightforward to extend the enterprise while maintaining security. Security becomes far less of a reactive process, limited to when the risk is substantially new. The CISO (and the security team, by extension) is seen as an enabler of business operations. They become not only an integral part of planning for major corporate initiatives, but also a subject matter expert sought out by any team that wants to improve operations.

What Does this Dream Look Like to the Rest of the C-suite?

The CISO is, fundamentally, a risk expert. They identify and prioritize risks and offer meaningful mitigation strategies. In this ideal scenario, the CISO would work with the C-level executives to identify their teams’ risks and ensure that those risks are properly mitigated. For example:

The CIO & CTO

Every development team wants access to tools, environments and data that let them rapidly build, test and release changes to code, while avoiding roadblocks and rework. Development tools and training can be provided to ensure that code is secure well before it is checked in. Environments and data can be segregated or obfuscated in ways that ensure that developers have the access that they need, when they need it. Smart network and application controls can ensure that applications or data are not inadvertently exposed to threats.

The CHRO

Human resource teams want to get new staff in seats and effective as soon as possible. Onboarding processes can be designed to ensure that access is automatically provided to key resources in a timely manner, based on clear requirements (e.g., acceptance of responsibility, training, etc.). Similarly, offboarding can be designed to efficiently and automatically terminate access.

Chief Counsel

Legal and compliance teams want assurance that the enterprise is in compliance with the regulations and contracts that apply. Evidence and reports can be provided to demonstrate compliance with control requirements. (This also makes auditors happy.)

The CMO

Marketing wants access to tools and data that help them make informed decisions based on real user data that will have a meaningful impact on the business. Obfuscated data sets can give marketers access to up-to-date user data without risk of exposing personal information.

The CSO (Chief Sales Officer)

Sales teams want to be prepared for prospective clients’ demands. Evidence of compliance with GDPR (where applicable) can reduce the length of the sales cycle, on average.

The CEO

The CEO wants the C-level execs to work together toward a common goal and is pleasantly surprised to find it happening.

From Mad Max to Superhighway

Far away from the Mad Max universe, the CISO envisions the enterprise truck driving down a newly paved superhighway with clearly marked lanes, guardrails, streetlights, easily legible signs and a highway patrol that keeps the riffraff off the road. Overhead, it’s clear and sunny. The enterprise can go just as fast as it wants. If the CISO wants to ride on the hood, that’s a personal decision.