The Changing Role of the CISO: From Cybersecurity IT to Cyber Risk Manager

Business Insights

Oct 10

The problems that CISOs face are not new.

Cyberattacks are evolving at an alarming rate, becoming increasingly sophisticated and dangerous. Attackers are leveraging advanced techniques and technologies, such as artificial intelligence and machine learning, to launch more targeted and stealthy assaults. State-sponsored actors are orchestrating complex, long-term campaigns, while criminal groups collaborate globally, sharing knowledge and tools.

Business environments are becoming more complicated. Today’s hybrid cloud and on-premises infrastructure presents businesses with a myriad of challenges. Migrating data and applications to the cloud can be a logistical nightmare and ensuring seamless integration with existing on-premises systems and applications can prove complex. From a security perspective, since sensitive data now resides off-site, robust cloud security measures and compliance adherence are necessary.

In a world where vulnerable software installed on one laptop can bring a global shipping conglomerate to its knees, just as a side effect of an attack, how can a CISO keep their company safe? This need has driven an evolution in the role of a CISO.

From Technology Managers to Cyber Risk Managers

In the past, CISOs were expected to manage a company’s cybersecurity technology stack. It was thought that if you built your cybersecurity firewall high enough and thick enough, like the walls of a medieval castle, it would be enough to repel any attack. These days there is an understanding that this strategy doesn’t work. Instead, CISOs are being called on to be cyber risk managers.

A cyber risk manager plays a pivotal role in safeguarding an organization's digital assets and operations from the ever-evolving threat landscape. Their responsibilities encompass several critical areas:

Risk Assessment: Identifying, evaluating, and prioritizing cybersecurity risks based on their potential impact on the business.
Strategy Development: Developing comprehensive cybersecurity strategies and risk mitigation plans tailored to their organization's needs and objectives.
Compliance: Ensuring adherence to industry regulations and standards, and managing compliance assessments and audits.
Incident Response: Establishing and executing incident response plans to minimize damage and recovery time in case of a breach.
Security Awareness: Promoting cybersecurity awareness and training across the organization.
Vendor Management: Assessing and monitoring the cybersecurity practices of third-party vendors.
Budgeting: Managing cybersecurity budgets and resource allocation.
Insurance: Evaluating and recommending cybersecurity insurance policies.
Continuous Improvement: Staying current with emerging threats and technologies, and adapting security measures accordingly.
Communication: Keeping stakeholders informed about cybersecurity risks and strategies.

Recent regulations such as the Securities and Exchange Commission's Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, further emphasize the importance of the CISO's new role. Overall, CISOs are expected to proactively identify and mitigate cyber threats in order to protect an organization's digital assets and reputation and ensure their resilience in the face of cyber threats. They need to make intelligent, informed decisions about what needs to be protected and how to protect it, and then communicate those decisions to the Board of Directors. Given all of this, how can a CISO keep up with evolving cybersecurity requirements?

Prioritization and Critical Functions

Identifying critical business functions and prioritizing them is paramount for risk management and resilience initiatives. The first step in resilience best practice is to create a list of all the functions and processes within the organization. These are the core activities that, if disrupted, could significantly impact an organization's operations, reputation, or bottom line. It is essential to consider all aspects, including customer-facing operations, supply chain management, financial processes, and communication channels.

Once the list is complete, the next step is prioritizing the functions based on their criticality. This can be done through a risk assessment process that evaluates the potential impact of a cyberattack on each function. Methods used can include:

Impact Analysis: Assess the potential consequences of disruption for each function, considering financial, operational, legal, and reputational aspects.
Dependency Mapping: Understand how functions interrelate and depend on each other, identifying single points of failure.
Recovery Time Objectives (RTOs): Establish timeframes within which each function must be restored to minimize business impact.
Risk Evaluation: Evaluate the likelihood and severity of various threats affecting these functions, such as natural disasters, cyberattacks, or supply chain disruptions.
Resource Allocation: Allocate resources and budget to protect, recover, and maintain these critical functions.

Prioritizing critical business functions ensures that limited resources are allocated to where they will have the greatest positive impact on business continuity and resilience.

The Key to Managing Cyber Risk: Visibility

A CISO can’t assume that their security infrastructure will be able to stop every cyberattack. Instead, they need to plan for when an attack gets through. They need to know what functions are critical to doing business so they can protect them and so that their team can get them back up and running after an attack. In order to do this, they need hard data that provides them with the answers they need to focus on what's important, referencing a resilience plan, get everyone else aligned with the plan, and justify the resources their team will need to carry out the plan.

Before they can think about protection, detection, or response, CISOs need visibility into the full extent of their company’s IT infrastructure. After all, if you don’t know where your assets are, how can you protect them?

Creating an IT asset inventory is essential for efficient management and security. While this sounds quite simple, it can be deceptively difficult to do. There are several legacy techniques that have been traditionally used to create an asset inventory including:

Network Scanning: Employ automated tools to scan network IP ranges, identifying connected devices and collecting data on each. However, this is not without risk. Active scanning can negatively impact the operation of endpoints and can cause network performance issues including network congestion. It also relies on each asset having a unique IP address and can miscount assets that change their IP address or share an IP address.
Manual Audits: Physically inspect and document assets like servers, workstations, and networking hardware. This technique is time-consuming and tedious and requires you to know where all of your assets are physically located. It will also miss cloud-based assets.
Asset Management Software: Utilize specialized software to automate inventory tracking, record asset details, and track changes over time. This software is only as reliable as the effort spent to maintain, update, and verify the accuracy of the results. Since the purchasing department is often tasked with managing the inventory, and since they are often out of the loop with day-to-day IT operations, the contents of the inventory management system will likely bear little resemblance to the on-the-ground reality.
Agent-Based Solutions: Install agent software on devices to gather and report asset information, especially useful for remote or mobile devices. However, this ignores any asset where it is not possible to install an agent or where an agent has not been installed, as well as cloud-based assets.
Cloud Discovery Tools: Employ cloud-based services to discover and manage cloud assets and services. This technique ignores on-premises assets and other physical assets.
Documentation Review: Review documentation, purchase records, and invoices to cross-reference and validate asset information. This depends on the documentation of acquisitions being retained, and it may overlook assets that have been decommissioned since then.
Asset Tagging: Use physical or digital asset tags to uniquely identify and track assets. Again, this overlooks assets that are not physical, such as cloud-based assets. It can also be cost-prohibitive to deploy and maintain.
User Reporting: Encourage users to report their assigned assets, aiding in accuracy. However, each user has only a small slice of the picture, and compiling all of those small slices into one coherent whole is time-consuming and tedious, and may still leave you with an incomplete picture.

While a combination of these techniques can be used to create and maintain an asset inventory, each technique suffers from being excessively manual, tedious, and/or time-consuming; offering only a small slice of the total picture; or both.

An alternative way to compile an asset inventory is to place sensors in your network that capture communications data and use it to create a map of your corporate infrastructure. This gives you complete visibility into the extent of your connected IT asset infrastructure, including which assets are interrelated or interdependent. Everything from core network servers to the IoT-enabled coffee pot in the employee lounge. If it connects to and communicates with anything else in your network, it will show up.

An important aspect of assessing the impact of a cyberattack is understanding the interdependencies between different organizational functions. Often an attack on one function can cascade effects on other business areas. By mapping out these dependencies, organizations can identify potential vulnerabilities and develop strategies to minimize the impact of such attacks. Legacy IT asset mapping techniques cannot provide the confidence you need. A communications data-based IT asset mapping technique can identify interrelated assets and surface dependencies that your teams were previously unaware of or had forgotten.

The benefits of a communications-based approach to IT asset management include:

Evidence-Based Planning: Data-based proof is a CISO's best friend when it comes to cyber risk assessment and planning. It provides proof that helps them prioritize their efforts related to the most important, business-critical functions.
Prove Interdependencies: The connections between critical assets are based on solid data that proves that assets from different business functions are communicating with each other. This is important when understanding possible attack paths and interdependent systems within an organization.
Find Weak Points: Identify areas of the organization that rely on a single source of failure or are one hop away from compromise so that they can be adequately protected and planned for. Also, discover if parts of your organization are utilizing shadow IT so that it can be brought into the IT umbrella and secured depending on the needs of the organization.
Quick and Low Impact: Other processes can take weeks as paperwork is sorted through, employees are interviewed, and assets are chased down and verified, either physically or using software. This is also a huge disruption to your business as employees are pulled away from their usual activities. Using communications data, on the other hand, has a low impact on day-to-day business operations. An initial inventory can be completed quickly and updated continuously as the environment changes.
Cloud or On-Premises Agnostic: Sensors collect data from cloud, on-premises, and container-based assets alike, eliminating the need to compile separate sets of data.
Massively Scalable: Collect petabytes of communications flow data across large enterprises without the correspondingly huge charge.

This modern technique ensures that a CISO has a comprehensive and up-to-date IT asset inventory, facilitating their cybersecurity efforts.

Conclusion

Once upon a time, CISOs were expected to be technology managers, keeping an eye on the cybersecurity technology stack and making sure that the company had the right solutions deployed to keep them safe and compliant. However, the role of a CISO has changed. Along with the increasing sophistication of the cyber threat landscape, CISOs have also been called upon to evolve their role into cyber risk managers. Instead of managing technology, they are relied upon to make decisions about what needs to be protected, how, and how to recover if attacked.

In order to fulfill this new function CISOs require solid, data-based evidence that allows them to focus on what's important, get the rest of their organization aligned on a plan, and justify the resources they need. Identifying critical functions involves comprehensively examining the organization's operations and dependencies, including developing a complete list of hardware and software IT assets across the organization. Risk assessments and impact assessments help quantify the potential risks and help CISOs prioritize their mitigation efforts.