Sometimes your best intentions are thwarted by technology. That was the case when Thom Langford and I attempted to do a Q&A session after our webinar “Modern Skills for Modern CISOs.” Unfortunately, the session ended before we got the chance to answer the questions that the audience had submitted. The silver lining is that we had the chance to write our answers thoughtfully instead of answering them on the spot. In doing so, I found there were a couple of questions for which I wanted to provide longer answers. For context, you can see the whole webcast here: https://www.youtube.com/watch?v=qLrBme_N1Ns
Who should the CISO report to in order to be successful?
My default answer to this question is that the CISO should report to the CEO or equivalent. I say this because I firmly believe that information security needs an equivalent seat at the executive table. One of the reasons I like this question, though, is that it doesn’t just ask who the CISO should report to but adds the element of ‘to be successful.’ That phrasing forces me to consider whether this is the only reporting structure in which a CISO can succeed. In other words, if you’re a CISO and you don’t report to the CEO, are you destined for failure? Not really. In other words, the reporting structure doesn’t determine a CISO's success. What does the data say these reporting structures look like today. IDG’s “2018 Global State of Information Security Survey” asked this question and found that 40% of CISOs or equivalent reported to the CEO, 27% directly to the board of directors and 24% to a CIO. The evolution of the CISO from an IT function to board-level visibility has been driven by changes in the impact of cybersecurity incidents. The resignation of Target’s CEO in the wake of a significant breach was a watershed moment for the industry because it forced executives and boards to consider how an incident might impact them personally. This is, however, elevation for the wrong reasons. You don’t want to report directly to the CEO just so you can be fired instead of them. The key component in the reporting structure that determines a CISO’s success is the ability to positively impact the business. Both Thom and I talked about the CISO’s changing role, and this was key. It’s not always easy to determine from the outside if a CISO position will have the access and influence to make meaningful contributions to the business. Reporting structure is one of the clearest indicators, however. If the reporting structure doesn’t seem right, then you have to dig deeper into the position. https://www.youtube.com/watch?v=LcsOOiJEzDA
The CISO’s Threat Landscape is Changing Constantly
Alright, that’s not a question. It was actually a comment in response to the comparison of the CISO and the CFO roles; it was specifically saying that the CFO’s accounting/financial landscape doesn’t change the way that a CISO’s threat landscape does. And it’s true that the threat landscape changes, but it changes less than we might think. There’s a whole industry focused on generating income from the newest, shiniest, most threatening threats possible. If you spend some time comparing what’s publicized in the media vs. what organizations are actually dealing with, you’ll find a Venn diagram that doesn’t perfectly overlap. In other words, there are some meaningful changes in the threat landscape that have occurred but probably not as many as you would think by just reading headlines. One way to see how the threat landscape has evolved is to compare data from the Verizon Data Breach Investigations Report (DBIR). In this case, I took a look at the 2019 report and the 2009 report because 10 years is a nice round number. Let’s look at the attackers (“who is behind data breaches”):
2009 vs.2019
There are clearly some differences. In 2009, there was little concern for nation-state threat actors. Organized criminal groups aren’t called out separately in 2009, but the text alongside these statistics points out that “91 percent of all compromised records were linked to organized criminal groups.” Despite these changes, the top two results are still outsiders and insiders, in that order. You could reasonably say that organized crime as a source has decreased while nation-state threat actors have increased. There’s plenty to talk about here, but if you ask yourself if the threat landscape has fundamentally changed, I think the answer is ‘not really.’ We can also compare the tactics used between the two time periods:
2019 vs. 2009
Here we see what looks like a more meaningful change. The percentage of breaches involving errors has dropped significantly (67% to 21%), falling from the top spot to number four. Hacking remains a top cause, but Social Attacks is entirely new. Interestingly, Malware has actually decreased as a tactic from 38% to 28% over the 10 years. Again, while the rise in Social Attacks as a tactic would represent a change in the threat landscape, all of the other categories have remained and simply shifted in significance. There’s obviously more that we could compare between the two reports, but you can start to mentally fill in the Venn diagram I’m talking about. A CISO in 2009 is largely concerned with the same types of threats as a CISO in 2019, with some variation. While our impression might be that CISOs have to handle a rapidly changing (daily, weekly) threat landscape, the reality is that it’s not changing as much as we might think.