Changing role of CISO

by Mark Rowe

The role of the CISO is changing, writes Nils Krumrey, Cybersecurity Expert at the Security Incident and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR) product company Logpoint.

CISOs face unparalleled pressure and distress as they navigate a landscape marred by relentless cyber threats, budgetary constraints, and regulatory demands, all of which will require them to find solutions that offer greater assurance to the business. The role has always been a demanding one but there are a number of additional factors that could now put the CISO in crisis.

Knowing the buck stops with you is one of the prime reasons why 94 per cent of CISOs report being stressed, and their personal liability is growing under new regulations. In the US, the SEC has tightened disclosure requirements and recently sought to make an example of the SolarWinds CISO, Timothy G. Brown, who was accused of overstating the company’s cybersecurity practices and failing to disclose known risks surrounding the SUNBURST attack. The case prompted a wave of concern that CISOs could now face personal repercussions, and even jail time, for their role in handling incidents.

Regulation gets personal

Closer to home, the NIS 2 regulations set to be introduced in Europe this October also include provisions on the personal accountability of senior management for incident reporting. Those in breach could face personal fines, a ban or removal from managerial office. However, the move is also expected to bring beneficial outcomes, such as better reporting and the sharing of information across a C-suite that will now need to be on the same page and speak the same language. Consequently, it could well deliver a change CISOs have wanted to see for a long time – board members with cyber security experience, with Gartner predicting that 70 per cent of boards will include at least one member who meets this criterion by 2026.

Economic uncertainty is also making it challenging to keep the wheels in motion, with many businesses opting to make cutbacks to the security function. The ISC2 Cybersecurity Workforce Study 2023 reveals that 53 per cent have delayed purchasing or implementing new technology and 24 per cent have not renewed cyber software licences. This is a short-term win that prevents the security team from using technology to automate processes, and it leads to long-term problems such as lower morale and productivity. The situation is exacerbated by the cybersecurity skills gap: with close to 4 million vacancies, it is highly problematic for CISOs to hire the talent they need. According to Gartner, this will lead to over half of significant cyber incidents being attributable to a lack of talent or human failure by next year.

How threats are changing

The ISC2 report also reveals that 75 per cent view the current threat landscape as the most challenging it has been in the last five years. The tactics, techniques and procedures used by attackers are constantly shifting, making it imperative that CISOs ensure they have the threat detection and incident response (TDIR) capabilities they need. For example, threats expected to escalate include: session hijacking, as more organisations move to passwordless access management, i.e. from passwords to MFA; malware and APTs, with attackers leveraging AI and ML to evade detection and analysis; and phishing, where generative AI will be used to create convincing, personalised messages that bypass traditional security measures, alongside voice chatbots, VR/MR headsets and QR codes as channels to deliver malware or steal sensitive data.

Ransomware, too, will continue to be a major threat, with more groups launching new variants and campaigns. Attackers will use AI to generate more unique encryption keys, attempt to avoid detection by security tools through Living-Off-The-Land (LOTL) techniques, and pressure victims with multiple extortion techniques. As evident in the MOVEit and PaperCut attacks, adversaries are swiftly moving to data exfiltration straight after initial access, a trend that is expected to continue and that removes the need to progress to ransomware at all.

Rationalising defences

The cumulative effect of all these pressures is that the organisation will be forced into a defensive stance, wrestling with the grim reality that it is a prime target for cybercriminals. The CISO will need to understand how well protected the business is, how attacks and motivations are changing, and how to shut down security incidents with fewer staff and resources. This will require a consolidation of the cybersecurity stack to reduce complexity and the burden on the security team of monitoring multiple solutions. Instead, there will be a push for greater visibility, which will enable TDIR to be faster and more effective.

A bastion of the security stable, the SIEM will be central to fulfilling this remit. Next-generation SIEM can now be combined with technologies such as SOAR to provide the playbooks necessary to keep on top of emerging threats, and the automated incident response needed to prioritise response and alleviate staff workloads. User and Entity Behaviour Analytics (UEBA) can be used in conjunction with both to define what constitutes acceptable behaviour and flag deviations that warrant investigation. Endpoint detection can then be applied to enrich SIEM and SOAR events so that issues such as malware are detected rapidly.

What this means for the CISO

Having this single pane of glass will enable the CISO to be better informed and more responsive. Armed with technology that automates detection, investigation and response, guides the limited security staff in the right direction, and collects and analyses data to demonstrate compliance, CISOs can stay on top. But they can also turn the tumultuous events described above to their advantage.

Faced with the fear of reputational damage, financial losses and legal consequences, boards will have to battle-test systems and processes to bolster defences and prove due diligence. This gives the CISO the perfect opportunity to demonstrate the need for more investment and to build the business case for focused spending on digital defences. As a consequence, we will see the status of the CISO elevated and better supported, with security no longer seen as a loss leader but as a key way to protect the business from attack, regulatory scrutiny and harm.

© 2024 Professional Security Magazine. All rights reserved.