Increased cyber risks redefining the CISO
Increased cyber risks and a recent string of major breaches have changed the game for chief information security officers, making cybersecurity a top priority for board members and helping CISOs more effectively make the case for bigger budgets.
In fact, many healthcare leaders are seeking to reshape security strategy and budgets in light of latest security trends. In the past, cybersecurity plans of many organizations were based on industry best practices. Oftentimes they failed, however, thanks to lack of funding and focus.
A recent IBM-sponsored research project performed by the Darwin Deason Institute for Cyber Security at Southern Methodist University in Dallas sought to explain this new shift.
Researchers interviewed 40 executives, the majority of whom were CISOs; others were CIOs and other high-ranking roles. Participants were polled from large firms: five healthcare firms, eight financial firms, eight retail and 11 government firms. Others hailed from automotive, energy, higher education and other sectors. 31 participants were from the U.S.
The results concluded there were three types of CISOs effectively innovating the way their firms handle cybersecurity.
"In the past, we've always found that these 'mavericks' provide great clarity and insight into the practice and possibilities of cybersecurity," according to the report. "These are the conversations that are most likely to impact our assumptions and thinking."
The first type of "maverick" only uses implementation in his cyber-risk policies, without risk-based development. He employs "three-lines of defense", where the CIO, COO and CISO are in three different silos.
To this CISO, the implementation focus should be "based on a firm view of the threats", through the use of an "ethical hacking" team. The goal of which is to analyze the threat and conduct penetration testing to ensure the information is completely secure to the company and customers.
The second maverick, meanwhile, employed his cybersecurity plan based solely from the attacker's viewpoint. The goal is to steer away from risk-centered policy to focus on compliance and governance.
"It seems like we've all been engaged into a cyber arms race for which we have no option to opt out or to seek treaty," according to anonymous "second maverick" quoted in the report. "There's no other choice but to respond to the threat."
His framework identifies the four biggest risks; loss of confidential data; financial account compromise; business continuity; and regulatory non-compliance. The primary threat agents stem from hacktivists, organized crime, nation states and Insiders.
Perhaps the greatest outlier is the third maverick, who does no implementation and focuses on risk-based developments. The VP of security compliance and audit of a firm that deals with sensitive data, for instance, works with his team to define and analyze controls, group and network policies.
They assume their applications will be breached and consider the consequences when it occurs. They're also the gatekeepers for their firm, including database access and shared data.
"I don't believe that email, the Internet, anything is secure – period," said this security professional. As a result, he is constantly testing outward-facing applications to ensure his policies are adequately protected.
Even the average CISO is transforming how cybersecurity is handled, in what the report calls "new traditionalists."
These CISOs frequently don't report to the CIO, but rather various C-suite members and use detailed frameworks to create a risk analysis to prioritize cybersecurity efforts, which are reported to cybersecurity oversight boards, headed by C-level and board members. Most receive adequate funding, as long as they demonstrate a focused plan of attack.
"There is a hunger for security in the company," said one CISO interviewee. "Senior management has gotten religion about how important security is."
Access the full report here.