From all appearances, leadership is missing in action.
Given my background, I empathize with cybersecurity leadership and can’t imagine trying to do the job at current expectation levels during the storm in which we find ourselves.
The competition between business unit owners driving toward the 4th industrial revolution, pockets of shadow IT running unknown quantities of cloud sessions, increased dependencies on supply chains, open source everywhere, new heights of network complexity, a lack of available resources to fill the gaps, and increased sophistication and smarter attacks from cybercriminals along with promises of safety and security from 4,000 point solution vendors would drive anyone crazy.
If you have a CISO who appears to be keeping the lights on, make sure they are happy.
For every competent CISO, there must be a dozen who aren’t.
Weight of the World
But CISO leadership is not limited to technology choices, maturity programs, operations and governance and the provisioning of adequate detection and protection capabilities to assure a computing environment is safe from bad guys.
The CISO is responsible to the company and shareholders to do everything possible to assure maximum protection: the implementation and support of well-thought-out and carefully designed layers of defense, leveraging the best and most effective technology tools, the optimal use of available resources, the appropriate levels of education and training delivered to the right people at the right time, and communication with C-suite and board members at a level where both sides can operate from the same page of the playbook, at all times.
Butting Heads, Creating Friction
In addition, in most corporate IT environments, the relationships between the IT leaders and the security leaders appear opposed, or operate with a substantial amount of friction. One requires the absolute cooperation with the other to enable their programs and achieve their goals, cooperation that is not always forthcoming.
The relationship between the board, C-suite and the CISO is often ill-suited to the execution of actionable programs as the definitions of accountability and responsibility are soft-peddled and generally ignored by the senior party.
This translates to responsibility and even accountability on paper but not extended in fact or downright withheld in practice, leading to mistrust and an inordinate amount of anti-productive meetings, analysis and proposals.
My experience is that the board simply does not trust either the IT or security leadership; they don’t trust that either team understands the business or could make the right executive decisions were they in charge, and as a consequence, the board will not relinquish the reins of leadership outside of their domains. The CISO doesn’t seem to be able to grasp business basics or understand, for example, the notion of risk transfer.
We’re on the Same Page, Right?
We hear frequently that 99% of the global business leaders claim cyber risk is the greatest risk facing our economy and when Fed Chairman Jerome Powell said on 60 Minutes that the greatest risk to the economy is cyber risk, we assume that our business leaders are all on the same page.
They don’t worry about inflation, another financial crisis or another pandemic — they worry about cyber risk.
The World Economic Forum (WEF) Global Risk Report 2021 tells us that the top three short-term risks to the world, as defined by its survey of 650 WEF leaders, are infectious disease, income inequality and extreme weather events. The fourth is cybersecurity. Nearly 40% of WEF leaders cited cybersecurity as a “clear and present danger” to the global economy.
While we have seen some degree of global cooperation around the first three issues, we have not seen that same level of cooperation around cybersecurity. The Convention on Cybercrime (AKA the Budapest Convention) has been ratified by 65 nations, but focuses primarily on nation states assisting each other in the prosecution of cybercrimes, not addressing today’s nation states attacking private sector companies at will.
Are 65 countries asleep at the wheel, or have they all signed up for Chinese protection under the BRI initiative?
Even though we have seen these attacks in action now for years, we still have no Convention-like treaty that establishes rules of engagement for nation states in cyberspace and provides a legal framework for the international prosecution of violators.
Change Not Forthcoming
And as a consequence, nothing will change the global landscape for private or public leadership with regard to cybercrime and cyberattacks. Without modernized laws at a whole-of-government level globally, it is impossible to impress upon the decision makers in private companies the need to break from the pack.
Risk transfer will remain the Sleepeze for board members unless and until our CISO leadership community determines that it is their responsibility to force reality into their presentations in a way that the board can both grok and understand the details of liability as they relate to their fiduciary responsibilities.
Until then, business as usual.
As a result, without changing the way that CISOs manage within their organizations, the lack of leadership will always be one of the great Achilles’ heels of the cybersecurity space. It is the equivalent of laws that protect retail criminals from prosecution if all they steal is valued below $900.
As even casual observers will recall, it only took Colonial one day to decide on a $5 million ransomware payment, in spite of aggressive Federal and Law Enforcement advice to the contrary.
Step Up to the Plate
That is risk transfer in action and it did nothing to help prevent another attack, either to Colonial or its brethren pipeline companies worldwide.
What we need is for the CISO to step into the breach – to embrace a true leadership role – which translates to defining a path forward that will minimize the probability of a catastrophic event.
This means having the courage to architect and promote an enterprise-wide Zero Trust strategy. That strategy begins with third-party assessment and a rigorous identification of critical assets, isolates those assets through micro-segmentation, and protects access through granular identity management and policy engines. It includes fully saturated monitoring of lateral activity, from initial entry through behavior while on the network to session exit, the dedication of fully staffed cybersecurity hygiene programs, and the discipline to adhere to best practices throughout.
It means translating that strategy into language that the board will understand, contextualized outside the standard threat/consequence matrix, so that professional risk decision makers can make determinations aligned with realities they can now understand.
Only Thing to Fear…
We may not be able to fix leadership issues at the national or international levels, but nothing stops us from doing so within our own domains.
Other than fear.