A number of factors have significantly influenced the way the role of CISO (chief information security officer) has developed, says Sean Kopelke, Senior Director, Solution Engineering at VMware.
Drawing on more than 20 years in the industry, he cites the prevalence of cybercrime as the first factor. “If you go back 15 or 20 years ago, the risk was quite different,” he says. “Now we’ve got sustained attacks into organisations that mean the whole threat landscape has increased dramatically.”
The other great upheaval he nominates is the way we work today. “The move to the cloud has changed the whole conversation about what security looks like,” he says. “How do we manage that? And the move to remote workers has changed security as a whole.”
He also notes the way that the concerns around privacy have grown. “We probably never talked about privacy 10 years ago, but today it’s a really important conversation.”
Plus, with work practices during the pandemic only increasing the likelihood of remote working, there are additional challenges for CISOs today, namely the security of employees’ home environments. “I can guarantee that 99.9 percent of company employees haven’t patched their home wireless router since the day they bought it,” says Kopelke. “So that can easily be compromised.”
It’s therefore up to the CISO to do their best to understand what personal devices people are using and what the infrastructure is like, and try to keep some level of control over updates and security measures.
All these factors combined mean the successful CISO has moved away from being first and foremost a protector to becoming someone who enables the business to seek new revenue opportunities, leveraging an organisation’s privacy and security capabilities as a competitive advantage.
CISOs today
Kopelke believes that the current CISO has to be fully across two areas: understanding the company’s business goals, and mapping those goals to the associated security risks and the security stance or posture the business wants to adopt. Allied with this is being a vocal advocate, because “privacy and security are still not 100 percent understood”, and taking an educational role, even at board level, he says, “to help the executives of the business understand risk as it relates to their business.”
In order to be in this position and stay ahead of the challenges, Kopelke says, “Great CISOs do two things. One, they’re well connected and network in the industry. They get to know their counterparts, even in competitive industries. They build relationships because they’re all in the battle together.”
The second thing is to do with taking a business leader role, he says. “Those who are successful hire strong talent. There’s no way a CISO can be across everything, so strong talent can help keep them ahead of the industry.”
Even though hiring the best people is a vital part of keeping abreast of new technology, it’s also important for the CISOs themselves to understand the changing landscape and the tools within it.
When every vendor may have a different view of the world and the best tools to approach it, this is where networking with industry peers can be tremendously helpful, says Kopelke.
Tools for the job
Without nominating specific products, Kopelke identifies three areas of top priority, when it comes to the technology a CISO needs to thrive:
Cloud-ready – security, workloads, and applications are moving to the cloud; the days of appliances as a concept or hardware in security are dying very rapidly.
Limited staff interaction – removing the need for employees to make decisions is key. While those in a tech world bubble may think others know what they know, it’s unfair to expect regular staff to always make the right decision in different cases.
Automation – there are usually many flashing red lights saying something is wrong in big data breaches, but analysing all that data manually is impossible. Once the process is automated, a range of different indicators that don’t mean much individually can be interrogated collectively. So the tools that automate from detection right through to response are key.
Trust no one
Above all, Kopelke says, is the need for today’s CISO to assume that everything and everyone is compromised. “We’ve spent 20 years educating staff on how to be more security conscious and it’s not working, so the ‘trust nothing’ approach is really important.”
But at the same time, he stresses that it’s vital to understand that risk cannot be completely eliminated, nor does it need to be. If a business safeguards against 80 percent of the risk, and the cost of closing the final 20 percent outweighs what that 20 percent would protect, the remainder may be an acceptable risk. It’s a matter of weighing the odds, he says. The business must, however, know how to respond if that remaining 20 percent does materialise. “Let’s understand that it’s OK to have some level of risk, but get agreement with the business as to what that risk should look like and make sure they’re aware that they’re signing off on that risk.”
Continued change
And in the future? Kopelke believes the CISO role will further develop in the thought leadership space, “not just advising on what sits in front of us today, but understanding the trends that we’re seeing and how to get ahead of those,” he says. “I see it constantly evolving from a non-technical role to an advisory leadership role inside the business. It’s not just the information, it’s actually security as a whole for the organisation.”