It’s a matter of conjecture within our group of CISOs as to whether cyber security should be a change agent for an organization’s operational posture. For a small number of respondents, cyber operations have affected the way their organization does business. But for plenty, it has yet to make a mark.
What is clear is that a concerted move to the cloud and to digital operations puts greater emphasis on involving cyber operations far earlier than with other business transformation projects. Regulatory compliance has helped move cyber up the agenda. For more progressive organizations, the early and proactive adoption of a ‘security-by-design’ mindset has gifted them a lead on competitors when picking up new digital platforms.
There is clear recognition that the frequency and complexity of modern cyber attacks overwhelm many in-house security capabilities. Many CISOs would like their own security operations center (SOC), but the ambition is tempered by budget and by the difficulty of acquiring the necessary security skills, not by a lack of confidence in their teams. This drives a widespread willingness to incorporate more third-party security services, while acknowledging that making the best use of them requires a concerted effort in partnership with providers.
CISOs also revealed what drives their buying decisions: peer recommendations and tools aligned to a specific threat clearly stand out, far ahead of a vendor's market-leader status or a technology that merely looks interesting. Incumbent vendors cannot rest on their laurels either. They need to ensure that their tools still deliver their original capability and keep pace with the diversity of specific attack vectors.
Staffing was another hot-button topic, with general agreement on changing skills requirements and a warning note about driving specialists away with a belief that technology alone can defend the attack surface, rather than realizing that technology is a toolkit that supports security specialists.
Attitudes towards ongoing training are positive. However, there are concerns about both the provision of training and the time available for it. The capacity for full immersion in self-led training is being squeezed out by more urgent demands on staff's time.
"Where has it changed? Some of the requirements for projects have considered cyber security upfront. Now they don’t think of cyber security as an afterthought – it’s front and center."
- Scott Goodhart, CISO Emeritus, The AES Corporation
It is clear from the CISOs' remarks that there are occasions, often sporadic, opportunistic and incidental, where cyber operations have changed their organization's operational posture, primarily in supply chain and business partnerships. The average score of 5.3 reflects an almost equal 50/50 split between CISOs scoring above and below the mid-range (5).
The CISOs know that more digital and cloud offerings are approaching, or are already being integrated, and that they need to involve security earlier in such projects. These new offerings require organizations to update the way they provide access and interaction for clients and consumers, so that growth comes with consistency.
Many CISOs are pragmatic, taking the stance that cyber security is there to support the business rather than change the way it works; consequently, they will not proactively try to get in the way of the business.
"I need to make sure my business does the business they want to do. I actively avoid trying to make them change the way they do business."
- Ian Dudley, IT Director, DriveTech
Counter to this, 74% of CISOs accept that cyber security should be a board priority (scoring an average of 8.3 on the question 'What are your beliefs about cyber security as a board discussion?'), and believe it should be elevated and recognized as part of the business rather than treated as an exception or a back-office function. Those who operate their own SOCs believe that this capability gives the business the confidence to execute differently.
"Definitely more increased scrutiny of third-party vendors (GDPR, CCPA) and general risk management and maturity."
- Royce Markose, CISO, rewardStyle
With the growth in industry and privacy regulation, there is a recognized need to use cyber security access and process policies to keep the business compliant with the Gramm-Leach-Bliley Act (GLBA), the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other international regulations. This requires the business and its partners to be careful in how they obtain personal data and move it around the business, something that could make leaders appreciate the value of cyber security as digital platforms increasingly change the way a business engages with its customers.
Organizations that have been proactive and introduced the security teams early in projects, with support to enable secure operations, have seen their architecture adjusted to align with the risks they perceive. This was clearly evident in larger organizations looking to use more cloud-based digital services. If the business approaches operations with a security-by-design mindset, it will function in a way that benefits the organization and is secure for its consumers.
The optimistic CISOs believe that as business delivery changes and cyber attacks evolve, especially with growth in DevOps and cloud, the future looks more promising to really integrate security as a recognized enabler for business operations.
Most of the CISOs in this study (71%) recognize that they will need to integrate more third-party security services to help combat the advanced threats of cyber criminals across a growing digital-first attack surface.
Indeed, many continually look outside their employer’s sector to reinforce their decisions. In a hospital, for example, dedicated crash rooms and intensive care units are run by trauma specialists who deal with critical care. Their mission is to make the most of the first ‘golden hour’ for a casualty that requires prompt medical and surgical treatment to improve the patient’s chances of survival. Every second counts. The thought then follows: why should any organization not have similar action plans and approaches to survive distributed denial of service (DDoS), business email compromise (BEC), ransomware, or data breach incidents?
"Specialists provide the best knowledge, and we use those with business knowledge and security for operational technology. Those that don’t think this are kidding themselves."
- Scott Goodhart, CISO Emeritus, The AES Corporation
If CISOs could build their own SOC, equipped with an army of 16 to 30 security specialists, they would. But this luxury is not available to many of them. It is not that CISOs understate the capabilities of their teams; it is about the most effective way to operationalize their available budget, whether for an in-house team or by partnering with a managed security service.
For a number of CISOs, partnering with security service providers will be unfamiliar territory, and they are reaching out to their network contacts for recommendations. Approximately 30% of those interviewed already outsource varying elements of their Level 1 monitoring and threat-mitigation services to managed security service providers (MSSPs). They know that these outsourcing partners free up staff to focus on the critical incidents that are disrupting the business, removing the need to wade through floods of alerts that, in many cases, are false positives and a waste of valuable resource time.
"Yes, especially given the increased use of AI/ML in malware/ransomware and sophisticated attacker TTPs, I believe that everyone needs over-the-shoulder support that’s 24/7 and provides effective SLAs, such as an MDR provides."
- Mike Davis, CISO, Alliantgroup
Choosing the right service from an MSSP partner is critical. One CISO confirmed that the number and type of threat alerts provided by their chosen MSSP did not constitute a constructive service, and decided to bring the service back in-house to gain a deeper understanding of criminal activity and intent.
"We won’t be proactive enough. If it’s left to the team, then we will not be capable of supporting the business."
- Nathan Reisdorff, CIO, New England Law
Interestingly, an organization's image can also be a major consideration when increasing resourcing levels. In a number of cases, CISOs believe their company may not look attractive enough, or be seen as part of a progressive enough industry, for security specialists to consider joining them. Outsourcing can mitigate this, as security service providers open the door to specialist teams with wider knowledge across information technology (IT) and operational technology (OT).
Viewed from a technical angle, many strongly believe that people alone are not the answer to current and more advanced automated attacks, or to anticipated future threats, as organizations adopt new technologies and working practices. Their belief is that security service providers have more readily available advanced skills and security technology that uses varying degrees of AI, ML and deep learning.
The scoring shows that not all CISOs share this view. Around 25% saw outsourcing as an additional, unnecessary cost rather than as something that strengthens their security protection. The belief here is that if operations are approached with a 'cloud-first' mentality, the cloud provider should alleviate any security concerns. That view sits uneasily with the shared-responsibility model the major cloud providers publish, under which the customer remains responsible for identity, access, data and configuration within the services it consumes.
Also, if an organization already understands its own capability, its risks and threats should be transparent and the appropriate employee training obvious. That understanding also encourages strong controls in the first place. Without it, the problem is simply moved around rather than solved, and outsourcing could leave the security posture weaker. In contrast, a mature capability would justify outsourcing for specialist areas of need.
Do you make at least 50% of your cyber technology decisions based on new technology that looks interesting?
It is clear that CISOs are very guarded in their views of new technology that looks interesting: 39% may look into such technology further, while 61% remain focused on tangible benefits and steer clear of 'interesting tech' until it has earned its stripes. Interest is heavily biased towards the US (50%) compared with Europe (29%). Interesting technology, it seems, should be left to academics, researchers and incubators before it is introduced to decision-makers.
Do you make at least 50% of your cyber technology decisions based on peer network contact recommendations?
Echoing the earlier discussion of CISO engagement across their peer networks, 71% would definitely spend more time researching a technology that a peer network contact has recommended. Once more, US CISOs appear to value their peer network more (86%) than the slightly more reserved European CISOs (57%). These results show how much CISOs globally respect the power of their networks and, for vendors, the critical importance of delivering and supporting the solutions they promise.
Do you make at least 50% of your cyber technology decisions based on the leader or incumbent vendor?
The adage that you never get fired for buying IBM is old school. CISOs indicated (68%) that incumbents and market leaders get no preferential treatment when they make technology decisions. European CISOs put a stake in the ground, with 79% stating that they remain strictly objective and stressing that vendors at every level of maturity need to show continued value, innovation and commercial sensitivity to be invited onto the field of play.
Do you make at least 50% of your cyber technology decisions based on whether they are aligned to a threat?
Risk is the CISO's priority. If a vendor's technology aligns to a known, perceived or future threat and can prove its capability, the opportunity to engage with CISOs (68%) increases. European CISOs expressed more willingness to be influenced in this way (79%) than their US peers, but advised security vendors to focus engagements on real threat benefits and to keep well away from hype and marketecture.
"Yes, I look for people who understand the overall risk picture, on top of their security specialties."
- Mike Davis, CISO, Alliantgroup
In line with the widening reach and growing influence of cyber security across businesses, the skills and disciplines of the security professional have had to keep pace. With greater interaction across the business, CISOs are under pressure to recognize the value of, and advance, their own and their team's toolset in growth areas such as cyber analytics. While that may let them excel in the technical aspects of the role, there is now also greater emphasis on every member of the security team understanding and using soft skills (curiosity, adaptability, an appreciation of the bigger risk picture, and an analytical mindset) to engage with other teams on a deeper level, and on appreciating the diversity of the people they meet in their work.
"I have always looked for good humans with solid communication skills, and who are self-starters. Tech skills are nice to have, but it's a commodity, so what's changed in the past 12 months is the ability to manage themselves, and having the enthusiasm and the right attitude."
- Chani Simms, CISO, SHe CISO Exec
"Yes, shifting focus to new skills: cyber analytics focus, allowing new response models."
- Scott Goodhart, CISO Emeritus, The AES Corporation
Seventy-one per cent of CISOs clearly believe the role of the security specialist has evolved and become more critical to the business. The challenge our interviewees describe is ensuring that the security specialist learns new skills and specialisms as new technology is introduced, while also ensuring that updates to legacy technology (older than 18 months) are optimized to get the full capability out of the product.
On the flip side, CISOs are concerned that although their teams' technical skills are good, those skills could become a commodity in the near future as AI/ML is increasingly embedded within security tools. AI/ML claims in vendor marketing should be factual, and CISOs must understand what intelligence-led tools really do, or they risk losing specialists who have become dispirited by the belief that technology will diminish their role. It has always been the case that a well-rounded security specialist understands the relationship between the business architecture and the integration of the security tools that protect the operating environment.
The plethora of new technology introduced almost daily means that the skillset of a well-rounded and efficient security team has spiraled to cover the full range of capabilities: DevSecOps, cloud, app development, SOC analysis, UX design, VR design, Python, Ruby, 5G, software-defined networking, blockchain and 3D, among many others. Many of these requirements align to the increased use of digital applications, with a focus on ensuring that everyone has cloud, data and AI security capabilities alongside the IoT (Internet of Things) and OT devices used by the business.
Certifications such as CompTIA A+, Security+ or Network+ are seen as more beneficial to the specialist than to the organization. CISM and CISSP are viewed as a 'nice to have', although a majority of CISOs would help security specialists gain these certifications once the base certifications are achieved.
As digital evolves across every aspect of the business, CISOs are concerned that the role of a security specialist will look discouraging to aspiring individuals, limiting growth in people resourcing and restricting individuals' ability to learn new skills while they manage growing workloads.
There are only 24 hours in a day; unfortunately (or fortunately), most cyber specialists are only officially active for eight or nine of those hours. Even so, the CISOs have a mindset that they and their teams are continuous learners who read, eat and drink cyber.
The increase in workloads, created by the diversity of technology that requires securing, means that busy specialists often relegate training to an afterthought unless CISOs and their management insist on regular business and cyber security-related training. Some respondents accepted that things are not as good as they would like, due to the pressures of day-to-day operations, with the large majority of training coming when new security tools are introduced.
Even with these constraints, 57% of the respondents ensure that their teams are being provided with 7+ hours of training per month, and 36% ensure that more than 10 hours of training is achieved per month.
Putting aside on-the-job training of new products, CISOs try to bolster their teams’ technical capabilities around coding, cloud, analytics and business applications such as ERP (enterprise resource planning). Additionally, personal development of the individual ensures they are able to apply soft skills in their day-to-day activities.
Certifications are not included in the monthly training statistics, nor are the individual vendor certifications required to manage their products. These are seen as exceptions rather than part of a specialist's standard development objectives. CISOs know that their teams find self-learning systems too difficult to undertake piecemeal, as many require full immersion, and setting aside a full day or more for training is a rare luxury.
The CISO's job is never done. It is a continuous and challenging environment. The majority (72%) believe there has been good progress in stemming the capability of cyber criminals, but they are ever-conscious that cyber criminals retain the element of surprise and therefore the ability to carry out unknown types of attack. Increased awareness of cyber security by senior leadership and boards brings incremental increases in budget, which is helpful for CISOs. But they recognize that money is only part of the solution and that they have to be smart about where they invest. CISOs will not, and cannot, just throw money at the problem; instead, they align investment to known and perceived future risks.
"Maturity assessments show the improvement, but we need to be a continuous improvement process. The financial crisis could create a regression; cyber security needs to be kept front and center."
- David Lello, CISO, Burning Tree
The many personas of the cyber adversary continue to grow, each introducing new tactics and tools. CISOs are no longer dealing only with individuals and disruptive techies. Their security teams have to defend business operations from organized criminal groups (OCGs) and nation-state actors, both of which have more money, resources and technical capability than the CISOs of even the biggest businesses.
Some CISOs are concerned that the effects of the first half of 2020, when they were asked to deliver amorphous strategies and deal with extremely disruptive changes to working practices with very little warning, are creating vast holes in their defenses. Even with these unprecedented business needs, they worry that financial investment in cyber security could be reduced, causing a regression in capability, back-foot firefighting, and a loss of the momentum achieved.
CISOs continue to take a strategic approach to mitigating cyber attacks and reducing incidents through more threat-aligned security tools, standards and frameworks such as those from NIST and MITRE ATT&CK, together with maturity assessments and a continuous improvement process.
"Capabilities have improved over time as new solutions become available. I have found success with a greenfield approach that allows me to build a program for the future rather than adapting a program from the past."
- John Scrimsher, CISO, Kontoor Brands
The respondents all agreed that you can never be complacent about your security posture, because adversaries can move with agility and speed. While combatting general attacks such as phishing has advanced, there is still plenty of room for improvement in both the technology and employee/user awareness through cognitive training. A number of CISOs continue to challenge security vendors on whether their technology actually delivers what the salesperson claims it will.
For perspective on this chapter and the wider report, we invited our own CISO, Erka Koivunen, and Jukka Seppänen, our Information Security Officer, to comment.
Reading this report, we could immediately relate to our fellow CISOs and senior infosecurity officers. I think there are some universal experiences for our profession: the issue of taking responsibility for the security impacts of what others do and decide, the eternal struggle with shadow IT, and the virtual 180-degree change in perspective on cloud security during the past five to 10 years.
Influencing business [unit and function] owners to take security into consideration in their own operations is what brings sustainable results. We can’t continue to go down the road of IT security being ‘just’ the job of the CISO and their team – the rest of the business can’t absolve itself of responsibility for security. But equally, we have to give them the tools and skills. I see many respondents echo this and I am happy about what it implies: the security function should not be preoccupied with setting up ‘security gates’ and forcing the business processes to present their cases to the gatekeepers.
The security leaders of the 90s we grew up with were quite inflexible and spent far too much time building their own universes from which to keep the business hostage. I think they really gave security officers a bad name, something we younger ones are still being measured against.
The growth in maturity required to move a team from the eternal naysayer – the ‘Department of No’ – to become a communicator of risk appetite and the security implications of business choices is quite substantial. One must be truly enthusiastic about the opportunities to succeed nowadays – not just fixated on preventing risks.
Security leaders must appreciate the fact that the ultimate task of the board of directors is to handle strategic and business risks. CISOs can’t just show up and present their gallery of horrors (risk registry, incident history, failures in execution and dark clouds in the threat horizon). As much as these are a daily reality for CISOs and mostly nothing more than a professional challenge, they shouldn’t be presented to the board unfiltered. Instead, it’s really important to identify and explain to the board the genuinely business-halting risks that threaten the core and indicate that the basics are not right.
Looking at the report overall, the commentary on emotional intelligence and EQ raises another issue. The coaching approach recognizes that while the CISO and their team may be an expert in security, they succeed best by humbly taking the time to understand what business and other support functions are trying to achieve. That means taking a reading on their underlying assumptions for the current cyber risk position and understanding the etymology of what controls have been put in place and why. The power of empathetically asking ‘why’ at the right moment can set things in motion with greater force than the CISO could ever wield by attempting to issue diktats.
We have also been preaching to anybody willing to listen that we (as in organizations and blue teamers) have never had better tools and access to smarter security pros than we have now. That contributes to security for those willing to invest in it.
That’s a good thing, because we’re also seeing the window for successful detection and response shortening to hours between initial compromise and incident. It’s still a huge ask for most organizations and most teams to meet this sort of threat without outside help.
We remain hungry for evidence of us investing in time, resources and controls in the right places and ways that bring effective security. There’s nothing more satisfying than our team seeing that, without X (or a combination of A, B and 3), we would have been exposed and impacted, but that we won the day for now.
The idea of ‘building security in’ could mean that systems are being designed and built with their defense in mind. That could be compartmentalization; containment strategies that reduce the blast radius of an incident and lessen the likelihood of losing the whole estate at once. It could mean the ability to track and monitor not only anomalies but also for compliance and normalcy.
And it definitely means the ability to respond in a meaningful way. That can be for investigatory purposes, for understanding the impact and the root causes. In cases where there is a proper threat actor, it can also mean understanding the adversary’s motivations.
It is not always evident what the defenders can do to frustrate and disrupt the attacker and to limit further damage. Without the necessary technical skills, without an intimate understanding of the system and its environment, and without a plan, the response is going to be improvised.
If the client is not a master of their own estate, they can hardly benefit from the help of outsourced services such as managed detection and response.
The author of this research is Kevin Bailey (an independent cyber security analyst from Synergy Six Degrees on behalf of Omnisperience) and it is published by F-Secure. F-Secure funded the report while all interviewees contributed on a voluntary basis.
The qualitative interviews for this research have been conducted independently from the sponsors of the work. All editorial control has remained with the author.
Twenty-eight interviews were undertaken between July and September 2020. A total of 23 interviews were conducted one-on-one and five interviewees provided their responses via the qualitative questionnaire, all on a confidential basis. At no time was the sponsor aware of the full interviewee list. All call-out and respondent listing attributions were sought by the author following completion of all interviews. This approach was adopted to encourage candid contributions. The setup and questioning approach has been designed to avoid bias, and where there has been risk of bias, this has been explicitly discussed in the interviews. Only three of the interviewees were existing F-Secure customers at the time of the research. Each interview lasted at least an hour, with most lasting around 90 minutes and many leading to follow-up conversations to discuss the conclusions of the research.
The cohort of interviewees were approached based on their depth of expertise and were selected to build a balanced set of inputs.
The author had no commercial connection with the interviewees.
The participants were assured that the report was not intended to imply or intimate, directly or otherwise, that they endorsed or validated any sponsor products or services. The roles covered in the cohort include CISO (or equivalent title), Head of Cyber Security, Director of Information Security and Head of Threat Intelligence.
Financial services is the most strongly represented cohort.
Twenty-eight qualitative interviews, supported with targeted quantitative data points, were used to build a grounded theory of the research objective.
Period: July - September 2020
Regions: Europe - 14; US - 14
Roles:
CISO - Chief Information Security Officer
CSO - Chief Security Officer
CIO - Chief Information Officer
Director of Security & Privacy
Director IM and Security
Director Information Security
IT Security Manager