Tag Archives: CISOs

How CISOs’ Roles – and Security Operations – Will Change in 2024

Post Syndicated from Jaya Baloo original https://blog.rapid7.com/2024/01/18/how-cisos-roles-and-security-operations-will-change-in-2024/

It’s fair to say that 2023 was a turning point for the cybersecurity industry, and no one felt it more than the CISO. Between the onslaught of ransomware and zero-day attacks, the SEC’s new incident-reporting rules, and relentless technological innovation and sprawl, CISOs have never been under more pressure to get security right.

When you boil down a CISO’s job description to what it is we really do, predicting the unpredictable comes out at the top of the list. We must stay on top of our organization’s unique risk profile so that we can oversee the people, technologies, and processes that will keep threat actors out.

At the same time, our role at the executive level and our ability to effect change across the business are also top of mind. Neither I nor the fellow CISOs I speak with view this as an “optional” part of the role; being valued as a strategic contributor to the organization’s success is an imperative.

Without a doubt, 2024 is going to be a challenging year for those of us in the CISO role. Looking ahead, I expect the role itself to transform in several ways and, as a consequence, security operations will change with it. Read on for my top predictions for the year.

Prediction 1: CISOs will either have a seat at the table or they’ll be on the menu

For years, CISOs have been expected to do security in a vacuum. Whatever decisions the rest of the organization makes, the CISO is expected to figure it all out and make it secure after the fact. They are not just in charge of security; they are left holding the consequences of other people’s (sometimes bad) decisions about security.

Regulations such as the SEC disclosure rules, NIS2, changes to FedRAMP, and new executive orders on security mean that in 2024 there will be more focus on a structured, operational cadence between security and the rest of the business. Therefore, the biggest question for most CISOs is going to be: how am I, and how is my work, viewed by the business? The CISO is either going to be working out the solution together with the business, or they will be an isolated person expected to find a solution to a business decision they played no part in making.

Ultimately, CISOs will have a seat at the table or they will be the scapegoat when things inevitably go wrong. There is no in between. So, it’s essential that CISOs are able to demonstrate the value they provide and in a way that non-technical executives understand.

To demonstrate their value, CISOs must show how their security asks are tied to business imperatives, and the financial benefit or risk that each ask presents. Showing demonstrable improvements in security — as well as being able to easily adapt when environments change — helps executive boards see that CISOs and the security programs they develop and deploy are inherent enablers of business growth.

Prediction 2: Compliance will be top of mind for CISOs

We’re in a new era when it comes to reporting cyberattacks. CISOs are in a ‘butt-clenching’ phase, trying to figure out how to comply and how to report cyber incidents when they occur. The new SEC rules make it clear that CISOs now need to think carefully about how they describe security and governance publicly and to regulators, something that in the past rarely got a second thought.

This year, CISOs are going to be on a path of self-scrutiny. When claims are made that multi-factor authentication (MFA) is enabled across the enterprise or that vulnerabilities are remediated immediately, for example, CISOs need to verify those claims against evidence before repeating them, to avoid potential false statements and the consequences that follow.

There will be an immediate need for CISOs to focus more on compliance evidence, not just this year but over the next couple of years. Holding an ISO certification or adopting a NIST framework does not mean that day-to-day operations are fully aligned with it.

A certification is merely a moment in time. CISOs need to be confident that operations are compliant beyond that piece of paper. Even the smallest silos, migrations, and changes create risks such as misconfigurations, vulnerabilities, and exposures; therefore, it’s essential to have a SOC team with complete coverage of the environment that can adapt easily when that environment changes. CISOs also must continue to run the continuous assessment and validation process that aligns with their organization’s compliance requirements.

Prediction 3: CISOs will increase their emphasis on consolidation

No one will be surprised to hear me say that businesses want more bang for their buck in 2024. Every business wants simplicity, not complexity, in its security stack. Just look at third-party risk management. Funnily enough, CISOs don’t want to manage 500 third parties; they want to manage five or so.

Every time there is an incident, CISOs and their security teams need to go to each third party, find out what it has been doing, and keep following up. This is where vendor and tool sprawl has huge consequences: 500 parties to manage is a killer for overstretched and under-resourced security teams.

As CISOs, we understand that throwing more money at the problem doesn’t solve it. Adding yet another point solution to the SOC won’t end bottlenecks, inefficiencies, and negative ROI. The real value for CISOs comes when the SOC team can focus on the work that matters without costs spiraling out of control.

Therefore, CISOs will be looking to consolidate and streamline this year, allowing for better manageability, efficiency, and — ultimately — security efficacy.

The CISO Community Coming Together

While I can’t be entirely sure how my role will look at the end of the year, one thing that does make me hopeful is the wonderful network of people that I’m a part of. It’s so important for the security industry to collaborate, and the connectivity of CISOs is critical to our achieving success both professionally and on behalf of the organizations we serve.

Security is a team sport, and the security community has a unique ability to come together to solve complex challenges. I’m looking forward to knowledge sharing with my peers and the greater industry as we prepare for and adapt to innovations in artificial intelligence (AI), quantum, and other exponential technologies.

For more thoughts from the Rapid7 team on what 2024 could bring, watch the Top Cybersecurity Predictions webinar on-demand.

4 Questions for CISOs to Reduce Threat Exposure Risk

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/01/11/4-questions-for-cisos-to-reduce-threat-exposure-risk/

In an ongoing effort to help security organizations gain greater visibility into threat exposure risk, we have identified four key questions every CISO should consider, based on our reading of the recommendations in a new report from Gartner®. The report, 2024 Strategic Roadmap for Managing Threat Exposure, can help CISOs and other top executives steer away from risk by analyzing their attack surfaces for gaps.

Question #1: What Do You Already Know?

What are the business-driven events that have already been, or are currently being, scoped and planned for? By analyzing threat exposure for specific events over the course of the year, a security organization can better tailor its risk mitigation approach.

“It’s crucial to scope risk in relation to threat exposure, as this is one of the key outputs that will benefit the wider business. To do so, senior leaders must understand the exposure facing the organization, in direct relation to the impact that an exploitation of said exposure would have. Together, with this information, executives can make informed decisions to either remediate, mitigate or accept the perceived risks. Without impact context, the exposures may be addressed in isolation, leading to uncoordinated fixes relegated to individual departments exacerbating the current problems associated with most vulnerability management programs.” says the Gartner report.

After scoping risk, consider whether additional measures can protect the business-driven events found to have the greatest chance of being exploited by a threat actor.

Question #2: How Visible Are Your Critical Systems?

It is also incredibly valuable to take inventory of the most critical and most exposed systems in the network, along with each system’s level of visibility and its location. A thorough catalog of the points that are, or could be, the most vulnerable is a must. Even if an exploitable asset is not considered a remediation priority today, there is always the possibility that it will be exploited later.

Within the report, Gartner treats the visibility of an exploitable element as a factor that can aid vulnerability prioritization:

“Coupled with accessibility is the visibility of the exploitable service, port, or asset. These technologies implement configuration to ensure that details of exploitable elements are not revealed to potential attackers, but not directly removing the possibility of their exploitation.”

Therefore, it becomes necessary to leverage technologies that provide insight into an asset’s visibility and accessibility, so that where the likelihood of exploitation is currently low, remediation effort can be focused elsewhere and efficiencies gained within the security organization. Note the caveat in the quote above: hiding a service lowers the likelihood of exploitation without removing the exposure itself, so the underlying fix is deferred, not dismissed.
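The prioritization the report describes, severity weighted by how reachable and visible the exposure is and by the impact of its exploitation, can be made concrete. The following is an added example, not Gartner’s framework or Rapid7’s code; the weights, field names and sample assets are assumptions chosen to illustrate the point, and a real program would take impact from the system owner and reachability from an attack-surface or scanner export. It also groups the ranked work per accountable owner, which is the coordination problem Question #3 below raises.

```python
"""Exposure prioritisation that weights severity by reachability and business impact.

Added example (not Gartner's or Rapid7's code). The weights, field names and
sample assets below are assumptions chosen to illustrate the point.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset: str
    finding: str              # constructed tracker id, not a real advisory
    cvss: float               # base severity on the 0.0-10.0 scale
    business_impact: int      # 1 (negligible) .. 5 (critical), set by the owner
    internet_reachable: bool  # an unauthenticated attacker can reach the service
    service_visible: bool     # the vulnerable service/port is advertised (banner, open port, DNS)
    owner: str                # team accountable for the fix


def reachability_factor(e: Exposure) -> float:
    """Likelihood multiplier. Assumed values: hiding a service lowers the
    likelihood but never zeroes it, because the exposure still exists."""
    if e.internet_reachable and e.service_visible:
        return 1.0
    if e.internet_reachable:
        return 0.7   # reachable but not advertised: still exploitable
    if e.service_visible:
        return 0.4   # internal only, but easy to find once inside
    return 0.2       # internal and hidden: lowest likelihood, not zero


def priority(e: Exposure) -> float:
    """severity (0-1) x impact (1-5) x likelihood (0.2-1), giving 0..5, rounded for reporting."""
    return round(e.cvss / 10.0 * e.business_impact * reachability_factor(e), 2)


def rank(exposures: list[Exposure]) -> list[Exposure]:
    """Highest priority first; ties broken by raw CVSS so the order is stable."""
    return sorted(exposures, key=lambda e: (priority(e), e.cvss), reverse=True)


def work_by_owner(exposures: list[Exposure]) -> dict[str, list[str]]:
    """Group the ranked list per accountable team so each owner receives one
    coordinated list instead of isolated fixes."""
    plan: dict[str, list[str]] = defaultdict(list)
    for e in rank(exposures):
        plan[e.owner].append(f"{e.asset}:{e.finding} ({priority(e)})")
    return dict(plan)


# Constructed sample exposures (not real systems or findings).
SAMPLE = [
    Exposure("payments-api", "FND-101", 7.5, 5, True, True, "platform"),
    Exposure("build-server", "FND-102", 9.8, 3, False, True, "infra"),
    Exposure("intranet-wiki", "FND-103", 9.8, 2, False, False, "it-ops"),
    Exposure("marketing-site", "FND-104", 5.3, 2, True, True, "web"),
]

if __name__ == "__main__":
    for e in rank(SAMPLE):
        print(f"{priority(e):5.2f}  {e.asset:15s} cvss={e.cvss} impact={e.business_impact} owner={e.owner}")
```

With the sample data, the internet-facing CVSS 7.5 finding on the critical payments system ranks first, while the two CVSS 9.8 findings on internal systems fall behind it, and the hidden intranet host ranks last but still carries a non-zero score.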

Question #3: Who “Owns” IT Systems?

Identifying who is responsible for the deployment and management of critical IT systems is key if the security organization is to get interdepartmental buy-in for an effective plan to manage threat exposure. Sometimes there isn’t just one person responsible for a certain aspect of network management, which is important to keep in mind as efforts to mitigate threat exposure are built out.

Security personnel, as with so many business operations in which they take part, also must keep in mind that there could be pushback or slow buy-in to a plan that is perceived to lack context. To this point, the research states:

“Without impact context, the exposures may be addressed in isolation, leading to uncoordinated fixes relegated to individual departments exacerbating the current problems associated with most vulnerability management programs.”

Question #4: Who is Responsible for Risk?

Potential friction could also lie in the effort to convince a system owner that there is real action required – and that it could upend that team’s workflow. Effective communication will be imperative here, as will the ability to provide the visibility needed to quickly convince stakeholders that action is, indeed, needed and worth the potential interruption. The report drives home the need for allying with those responsible for risk decisions:

“From the perspective of the organization’s business risk owner, it’s important to recognize that the security team’s role is to support risk management in such a way that the owner can make informed data-driven decisions.”

The CISO Says It All

It will ultimately be up to the CISO to manage and connect the separate plans that limit and eliminate threat exposure across attack surfaces. Through this effort, the CISO can demonstrate the benefits of platforms for managing the growing risk of threat exposure, and prove the worth of the security operations center (SOC) as a key partner in keeping the business secure.

We’re pleased to continually offer leading research to help you gain clarity into managing the risk of threat exposure. Read the Gartner report to better understand how a broad set of exposures can impact the workloads of a security organization – and how important it becomes to prioritize properly and communicate effectively.

Gartner, 2024 Strategic Roadmap for Managing Threat Exposure, Pete Shoard, 8 November 2023.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Be Empathetic and Hug Your CISO More!

Post Syndicated from Owen Holland original https://blog.rapid7.com/2023/11/10/be-empathetic-and-hug-your-ciso-more/

In the rapidly evolving landscape of cloud computing, the adoption of multi-cloud environments has become a prevailing trend. Organizations increasingly turn to multiple cloud providers to harness diverse features, prevent vendor lock-in, and optimize costs. The multi-cloud approach offers unparalleled agility, scalability, and flexibility, but it has its complexities and CISOs need your support.

In the final episode of the Cloud Security Webinar Series, Rapid7’s Chief Security Officer Jaya Baloo and other experts share their thoughts on the cloud strategies to support security leaders as they move into 2024 and beyond.

These webinars can now be viewed on-demand, giving security professionals greater insight into how to safeguard their cloud environments and set themselves up for success. A summary of the key discussion points is listed below.

Nurturing Comprehension and Collaboration

Multi-cloud environments present a complex tapestry woven with equal parts opportunity and complexity. Governance, security, and cost optimization are paramount concerns often exacerbated by the absence of centralized visibility and with the threat of misconfigurations and potential compliance issues looming in the background.

So, in the face of these challenges, collaborative unity among security teams becomes not just a nicety but a necessity. It is through the sharing of knowledge and experiences that the security community effectively grapples with these evolving challenges.

Striving for Collective Success

There are several simple strategies security teams can adopt to support a more robust defense:

  1. Centralized visibility: Use cloud management tooling to get a comprehensive view of the multi-cloud estate. A single pane of glass lets security teams see their digital assets, compliance status, and ongoing security threats in one place, which in turn makes collaboration between teams easier.
  2. Automation: Leveraging automation is key to efficiently managing multi-cloud landscapes. Automate asset discovery, security policy enforcement, and threat response. Automation not only streamlines these processes but also reduces the risk of human error.
  3. Security governance framework: Develop a comprehensive security governance framework that encompasses all aspects of multi-cloud security, including identity and access management, data protection, and threat detection. This framework should be flexible enough to accommodate the nuances of each cloud platform.
  4. Resource optimization: Regularly evaluate resource utilization across different cloud providers. Ensure that resources are allocated efficiently to minimize costs. Implement scaling and resource allocation strategies to adapt to changing workload requirements.
  5. Enhanced staff training: Invest in the skills and knowledge of security and IT teams, along with opportunities for cross-training and knowledge sharing.

As organizations continue to embrace multi-cloud environments, mastering the complexities of diverse cloud platforms is crucial for enhanced security, governance, and cost optimization. By gaining a deep understanding of the multi-cloud landscape, addressing key challenges head-on, and implementing efficient management strategies, security professionals can navigate the intricate web of multi-cloud and ensure seamless operations in the cloud-native era.

Cultivating Unity for a More Resilient Future

The evolving nature of cybersecurity demands organizations stand together to share experiences, strategies, and best practices. By cultivating unity and empathy across the security community and the wider business, organizations can collectively navigate the shifting threat landscape more easily.

Ultimately, uniting the cybersecurity community is not merely a virtue but an imperative. To find out more, watch the on-demand cloud security series now.

This CISO Isn’t Real, but His Problems Sure Are

Post Syndicated from Amy Hunt original https://blog.rapid7.com/2022/02/22/this-ciso-isnt-real-but-his-problems-sure-are/

In 2021, data breaches soared past 2020 levels, and this year is expected to be worse. The odds are stacked against this poor guy (and you), but a unified extended detection and response (XDR) and SIEM restacks them in your favor.

Take a few minutes to check out this CISO’s day, and you’ll see how.

Go to this resource-rich page for smart, fast information, and a few minutes of fun too. Don’t miss it.

Still here on this page reading? Fine, let’s talk about you.

Most CISOs like adrenaline, but c’mon

Cybersecurity isn’t for the fragile foam flowers among us, people who require shade and soft breezes. A little chaos is fun. Adrenaline and cortisol? They give you heightened physical and mental capacity. But it becomes problematic when it doesn’t stop, when you don’t remember your last 40-hour week, or when weekends and holidays are wrecked.

Work-life balance programs are funny, right?

A lot of your co-workers may be happy, but life in the SOC is its own thing. CISOs average about two years in their jobs. And 40% admit job stress has affected their relationships with their partners and/or children.

Many of your peers agree: Unified SIEM and XDR changes everything

A whopping 88% of Rapid7 customers say their detection and response has improved since they started using InsightIDR. And 93% say our unified SIEM and XDR has helped them level up and advance security programs.

You have the power to change your day. See how this guy did.

2022 Planning: A First-Year CISO Shares Her Point of View

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2021/11/19/2022-planning-a-first-year-ciso-shares-her-point-of-view/

When you’re planning for the year ahead in cybersecurity, there’s always part of you that’s trying to play fortune-teller. You know what risks matter now, and the processes and resources you need to respond to them, but what threats might emerge over the coming 12 months — or 12 weeks, for that matter? What if the landscape changes before you have a chance to react?

Now, imagine you’re doing that crystal-ball-peering exercise while still in your first 6 months in a leadership role. That’s the situation a first-year CISO finds themselves in — and while it’s a little precarious, it’s equally ripe with opportunity.

On Thursday, November 17, Rapid7’s Chief Security Data Scientist Bob Rudis sat down with Katie Ledoux, Chief Information Security Officer at SMS marketing startup Attentive, to dive into how she’s tackling the challenges of planning for her security team’s needs in 2022 while navigating her new role.

Freedom to build from the ground up

At just 4 months into her tenure at Attentive as of November 2021, Katie has found a sense of freedom and clarity in being able to start from square one.

“Getting to build a program from scratch is actually kind of amazing… especially because I’ve made so many mistakes before,” she said. It was the process of learning from those mistakes in less high-stakes roles — including a 5-year stint at Rapid7 — and building back more effectively that helped her understand what to prioritize as a new CISO. Now, she has the opportunity to start with the things she knows she and her first few hires can do well, addressing lower-complexity, higher-risk areas and seeing progress quickly.

“I’m starting off as very trusted — and I won’t lose that trust unless I screw up,” she quipped.

The importance of mentorship

For Katie, her own experience is only one part of keeping leadership’s trust and avoiding unforced errors. Getting the insights and expertise of others is essential.

“I have the most amazing mentor,” she said, going on to note that she cold-LinkedIn-messaged him after hearing him speak on a cybersecurity podcast. He responded, they connected, and the rest is history. He was particularly instrumental in helping her navigate the executive planning process as she ramped into her new role. While she wasn’t as well-versed in this area when she started, she leaned on the advice of her mentor and her teammates where she needed to.

“I consider my willingness to very loudly share things that I don’t know how to do to be one of my greatest strengths,” Katie said. “I’m constantly, constantly asking for help, which I think leads to better outcomes,” she continued.

Creating alignment on risk — and budget — priorities

One of the first things Katie’s mentor told her was to rethink the way she went about determining top-priority risks.

“I actually don’t dictate what our top risks are,” Katie said. Instead, she leads and facilitates a security committee and insists on collaborative input.



Head to our 2022 Planning series page for more – full replay available soon!

“You basically lay out the facts and let people decide what the company’s risk appetite is,” she explained. “They’re going to try to get you to tell them what the biggest risks are,” she went on to say. But if you simply dictate the risk priorities unilaterally, it’s easy to lose buy-in as the months go on.

“They don’t really feel ownership over that work,” Katie pointed out, “and as soon as other priorities get in the way — you know, the job description that they were hired to do — they drop the security and risk remediation work.”

One of the keys of this setup is to keep the committee small — 6 to 8 people, Katie recommended. The right stakeholders will do a better job of ranking risks than one individual ever could.

Plus, with collective buy-in, getting budget for your security priorities becomes easier. For example, at Attentive, Katie shares a budgeting bucket with the engineering team. If the head of engineering helps decide what the top risks are, that makes it a whole lot less likely that Katie will end up in a tug-of-war with them over resources.

A new CISO’s top 3 priorities for 2022

With a solid structure in place for collaborative risk prioritization, what core components should CISOs include in their 2022 plan? Katie highlighted 3 key areas to put center-stage.

1. Hiring

It’s no secret that there’s a cybersecurity skills shortage, and building a pipeline of talent is critical for the coming year. In Katie’s case, she came in with a map of functions to hire for, job descriptions, and requisitions to post on the website — only to realize she had to rethink her approach. Her mentor suggested she spend 25% of her time interviewing general security candidates, regardless of whether or not she had a specific job opening for them right now.

There are a few reasons why this approach makes sense. As Bob pointed out, when talent is tough to find, you might not be able to bring in people who are mature enough in their careers to fill a specific niche. Plus, at startups and other fast-moving companies, the problem you had in mind when you posted a job listing might be gone by the time you fill the position.

Now, Katie has several evergreen, general cybersecurity job postings that specifically call out that it’s not necessary to have all the skill sets listed. Instead, she prioritizes bringing on talented candidates who can help meaningfully in any of the key areas that matter to the organization.



2. Compliance

While compliance has become something of a dirty word in some security circles, Katie believes it can provide a great floor for a security program. The key is to do it thoughtfully.

After all, working toward a compliance attestation like SOC 2 provides a clear priority that you can act on and show progress toward. If you design the components and controls you’re using carefully around this framework — and steer clear of the companies that tell you they can get you SOC 2-compliant in a month — you’ll avoid a pile of check-boxes and instead build a solid base of accountability.

For example, are all your assets really encrypted at rest? If you’re touting SOC 2 compliance and actively controlling for those requirements, you’ll know — and be able to remediate quickly if needed.
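The encryption-at-rest question above, and the earlier prediction in this archive that CISOs must verify claims such as “MFA is enabled across the enterprise” and “vulnerabilities are remediated immediately” before repeating them to regulators, come down to the same check: compare the claim with the evidence and list the exceptions. The following is an added example, not code from Rapid7, Attentive or the webinar. The three evidence exports are constructed for illustration (an identity-provider user list, a vulnerability tracker export and a storage inventory), their field names are invented, the ticket ids are not real advisories, and the SLA table is an assumed internal policy, not a standard.

```python
"""Verify three control claims against evidence before they go into an attestation.

Added example, not code from Rapid7, Attentive or the webinar. The evidence
exports, field names and SLA table below are constructed assumptions.
"""
from datetime import date, timedelta

# Assumed remediation SLA in days, by severity (an internal policy, not a standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Date the check is run against, fixed so the sample evidence gives stable results.
AS_OF = date(2024, 1, 18)

# Constructed identity-provider export. "enforced" means a sign-in policy
# requires the factor; enrolment alone is not enforcement.
USERS = [
    {"user": "alice", "mfa_enrolled": True, "mfa_enforced": True},
    {"user": "bob", "mfa_enrolled": True, "mfa_enforced": False},   # exempted by a legacy policy
    {"user": "svc-backup", "mfa_enrolled": False, "mfa_enforced": False},
]

# Constructed vulnerability tracker export; ids are tracker tickets, not advisories.
VULNS = [
    {"id": "VT-001", "asset": "payments-api", "severity": "critical",
     "found": date(2024, 1, 2), "fixed": date(2024, 1, 5)},
    {"id": "VT-002", "asset": "build-server", "severity": "high",
     "found": date(2023, 11, 20), "fixed": None},
    {"id": "VT-003", "asset": "intranet-wiki", "severity": "critical",
     "found": date(2024, 1, 1), "fixed": date(2024, 1, 12)},
    {"id": "VT-004", "asset": "marketing-site", "severity": "medium",
     "found": date(2023, 12, 1), "fixed": None},
]

# Constructed storage inventory.
STORAGE = [
    {"resource": "customer-db", "encrypted_at_rest": True},
    {"resource": "backup-bucket", "encrypted_at_rest": True},
    {"resource": "legacy-db-snapshots", "encrypted_at_rest": False},
]


def mfa_gaps(users):
    """Accounts for which 'MFA is enabled' does not hold: not enrolled, or enrolled
    but not enforced (the case an enrolment count on a dashboard would miss)."""
    return [u["user"] for u in users if not (u["mfa_enrolled"] and u["mfa_enforced"])]


def remediation_breaches(vulns, today):
    """(id, asset, days_late) for findings closed after, or still open past, their
    SLA deadline. Open findings are measured against today, so an unfixed
    breach keeps growing instead of disappearing from the report."""
    breaches = []
    for v in vulns:
        deadline = v["found"] + timedelta(days=SLA_DAYS[v["severity"]])
        closed = v["fixed"] or today
        if closed > deadline:
            breaches.append((v["id"], v["asset"], (closed - deadline).days))
    return breaches


def unencrypted_resources(storage):
    """Resources that contradict 'all assets are encrypted at rest'."""
    return [s["resource"] for s in storage if not s["encrypted_at_rest"]]


def control_report(users, vulns, storage, today):
    """Map each claim to (claim_holds, exceptions). Only a claim with an empty
    exception list should be repeated to auditors or regulators."""
    gaps = mfa_gaps(users)
    late = remediation_breaches(vulns, today)
    plain = unencrypted_resources(storage)
    return {
        "MFA enforced for every account": (not gaps, gaps),
        "vulnerabilities remediated within SLA": (not late, late),
        "all storage encrypted at rest": (not plain, plain),
    }


if __name__ == "__main__":
    for claim, (holds, exceptions) in control_report(USERS, VULNS, STORAGE, AS_OF).items():
        print(f"{'OK  ' if holds else 'FAIL'} {claim}: {exceptions}")
```

The point of the exception lists is that they are what an auditor, or the SEC, would ask for: “MFA is enabled” is only true when both the enrolment and the enforcement columns agree for every account, and “remediated immediately” is only true when no open finding has outlived its deadline as of today, not merely when closed tickets were closed on time.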

3. Identifying your top risks

Let’s face it: If you’re a new CISO, you’re going to need to go to a board meeting some time soon (if you haven’t already) and explain what your organization’s most urgent risks are — and what you’re doing to fix them.

Build an initial risk matrix, and take your findings to your security committee for input and prioritization. From there, you’ll have a solid foundation to work from that will help you show the board, leadership, and yourself how you and your team are progressing toward your 2022 priorities.

Measuring success

While others tend to favor quantitative metrics in charting their security plan’s progress, Katie suggested going a level above that. The scores and numbers that make sense to security pros might not resonate with the CTO or other leadership.

“The best way for me to measure progress is probably in looking at risk management,” she said. “It’s my job to mitigate risks at an acceptable level.”

The top risks you identify for 2022 should be improving over time — and by 2023, you should have new ones. If you’re able to leave last year’s risks behind and move onto new ones, that’s a good sign you’re making progress. And if you need help in charting that course, don’t be afraid to rely on others’ expertise.

“LinkedIn-message random people and be like, ‘How do I do my job?'” Katie recommended, only half-jokingly. “Don’t be shy,” she went on to insist. “No one knows everything.”

So far, the collaborative, advice-seeking strategy is working out for Katie. It won’t be long before her own LinkedIn inbox is full of first-year CISOs looking to learn how a seasoned pro gets it done.

Want more 2022 planning tips from industry experts?

Sign up for our webinar series

The Cybersecurity Skills Gap Is Widening: New Study

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2021/08/27/the-cybersecurity-skills-gap-is-widening-new-study/

The era of COVID-19 has taught us all a few things about supply and demand. From the early days of toilet paper shortages to more recent used-car pricing shocks, the stress tests brought on by a global pandemic have revealed the extremely delicate balance of scarcity and surplus.

Another area seeing dramatic shortages? Cybersecurity skills. And just like those early lockdown days when we were frantically scouring picked-over supermarket shelves for the last pack of double-ply, it seems like security resources are growing scarcer just when we need them most.

A new study from the Information Systems Security Association (ISSA) reveals organizations are having serious trouble sourcing top-tier cybersecurity talent — despite their need to fill these roles growing more urgent by the day.

Mind the gap

The ISSA study paints a clear picture: Infosec teams are all too aware of the gap between the skills they need and resources they have on hand. Of the nearly 500 cybersecurity professionals surveyed in the study, a whopping 95% said the skills shortage in their field hasn’t improved in recent years.

Meanwhile, of course, cyber attacks have only grown more frequent in the era of COVID-19. If more attacks are occurring while the skills shortage isn’t improving, there is only one conclusion to draw: The lack of cybersecurity know-how is getting worse, not better.

But despite almost universal acknowledgement of the problem, many organizations aren’t doing enough to solve it: 59% of respondents to the ISSA study said their organizations could be doing more to address the lack of cybersecurity skills.

Room for improvement

Given the fact that the skills gap is so top-of-mind and widely felt across the industry, what factors are contributing to the lack of improvement on the issue? ISSA’s findings highlight some key areas where organizations are falling behind.

  • Getting talent in the door — For most organizations, finding the right people for the job is the root of the problem: 76% of respondents said hiring cybersecurity specialists is extremely or somewhat difficult.
  • Putting skin in the game — The top cause that ISSA survey respondents cited for their trouble attracting talent was compensation, with 38% reporting their organizations simply don’t offer enough pay to lure in cybersecurity experts.
  • Investing in long-term training — More than 4 out of 5 security pros surveyed said they have trouble finding time to keep their skills sharp and up-to-date while keeping up with the responsibilities of their current roles. Not surprisingly, increased investment in training was the No. 1 action respondents said their organizations should take to close the skills gap.
  • Alignment between business and security — Nearly a third of respondents said HR and cybersecurity teams aren’t on the same page when it comes to hiring priorities, and 28% said security pros and line-of-business leaders need to have stronger relationships.

For the ISSA researchers, the first step in addressing these shortcomings is a change in mindset, from thinking of security as a peripheral function to one that’s at the core of the business.

“There is a lack of understanding between the cyber professional side and the business side of organizations that is exacerbating the cyber-skills gap problem,” ISSA’s Board President Candy Alexander points out. She goes on to say, “Both sides need to re-evaluate the cybersecurity efforts to align with the organization’s business goals to provide the value that a strong cybersecurity program brings towards achieving the goals of keeping the business running.”

Time to catch up

The pace of innovation today is higher than ever before, as businesses roll out more and more new tech in an effort to create the best customer experiences and stay on the cutting edge of competition. But as this influx of tech hits the scene — from highly accessible cloud-based applications to IoT-connected devices — the number of risks these tools introduce to our lives and our business activities also grows. Meanwhile, attackers are only getting smarter, adjusting their techniques to the technologies that innovation-led businesses are bringing to market.

This is what we call the security achievement gap, and closing it raises some important questions. How can organizations bring on the best people when competition for talent is so high? What if your current budget simply doesn’t allow for the number of team members you really need to monitor your network against threats?

Cyber threats are becoming more frequent, network infrastructures are growing more complex — and unlike used cars, the surge in demand for cybersecurity know-how isn’t likely to let up any time soon. The time is now for organizations to ensure their cybersecurity teams have the skills, resources, and tools they need to think and act just as innovatively as other areas of the business.
