CISO (r)evolution

The CISO Evolution/Revolution. There has been a lot of change for the CISO over the last few months. It is no secret that the last six months have brought about a revolution in business change and transformation. Transformation towards a more digital model of business has been in progress for years. The current pandemic has accelerated this movement at a rate and scale never seen before. In the last six months, more transformation has taken place than in the previous ten years.

The “new normal” is now accepted. Roles and responsibilities have changed. The business world will never return to the way it was, and this is especially true for CISOs. With a multitude of users now working remotely, distance and isolation breed issues of their own.

Chief Information Security Officers have worked long and hard for many years, often without being noticed. The role of a CISO is a tough one, and when things go wrong, everyone looks to the CISO. When things are good, the CISO is almost invisible. The pandemic further proved that.

CISOs worked many hours altering business technology models to enable and secure a new, remote workforce along with the varied technologies they bring. Now they are working to ensure protection and security are in place for these remote workers.

So what has changed for the CISO?

Remote Working

Well, the first shift is the acceleration in the adoption of messaging solutions. Solutions adopted include packages such as Microsoft Teams, Skype, Discord, Zoom and GoToMeeting. These are becoming embedded in businesses in place of face-to-face meetings and conversations.

Adversaries have taken note of this change, and they are targeting these platforms. The CISO now needs to consider where attackers can eavesdrop and steal sensitive information. Can digitally transferred files be intercepted or read by unintended recipients? In the past, meetings were confidential, held in rooms where the doors could be shut. Now consideration must be given to where the connected participants are and who can overhear them. Equally, each party must consider their surroundings. What is on display? What information is exposed?

It is not just the traditional criminal adversary that the CISO needs to consider. Consideration must also include the administrative adversary. Nothing is more potent than the Data Protection enemy, and that enemy is now feeding on chat logs and recorded voice messages too.

All of these issues and considerations need to feed into awareness training and be delivered to the business community. Creating this takes time to prepare and deliver in a meaningful way that will not bore the community.

Awareness and Training

With all of the changes we have discussed already, policies and procedures need communicating. For more than 20 years, I have talked about the 70/20/10 rule. It is as accurate today as it was 20 years ago. 70% of your security is going to come from your business community. And this provides the best return on investment in security.

All of the changes that the pandemic has brought about mean attackers are waiting in the wings. A virtualised business community means reliance on new, rapidly adopted solutions. It means relying on the community to do the right thing, consistently. Policies and procedures come into play here.

The CISO and their team need to communicate topics such as information classification, handling and transmission. They need to educate and empower people, talking about security not only in the business but in the home too. For a long time business has resisted the CISO’s desire to make information security personal in training. The home is now part of the company, and making information security personal is no longer optional. So the way security awareness training is delivered must change.

Awareness training can no longer be a sit-down, watch-a-video exercise. It must be interactive. Gamification of training keeps employees engaged and entertained. Short and frequent messages keep security in their daily operational mind. Over the last few months, we have delivered training within the Second Life and World of Warcraft worlds. We have slid into internal meetings uninvited (with the consent of the company’s board, of course). We even went so far as to create a non-technical CTF for the business community.

We thought outside the box and embraced the company’s culture to find the maximum-impact training. After all, security is everyone’s job, so we made it fun again.

Cloud

The community needs fast and secure access to information. That is obvious. But how do you deliver it quickly and efficiently and ensure access globally?

Businesses now realise the potential of cloud services to scale and deploy new services rapidly. Adopting cloud computing requires the implementation of a robust security framework and foundation. Robust frameworks ensure the protection of business assets stored online. These frameworks are another rapid-adoption phenomenon, with more businesses looking to the ISO27000 series of standards and controls.

In closing

A return to in-person office work environments may never happen. A hybrid remote/in-person model is highly likely. When that will happen, no one knows. But when it does, all employees will be well trained in security concerns. They will understand the security expectations for both the office and the home. If they don’t, then the CISO will be very busy clearing up the mess, and everyone will pay attention to them again.