Traditionally, CISOs have borne the brunt of blame for cyber events that affect an organization. Because CISOs are the leaders in charge of data security, any breach has been seen as a mistake on their part and consequences doled out accordingly. However, as companies' understanding of cybersecurity has evolved, this is starting to change in fundamental ways; today's CISO faces an unprecedented opportunity to be hailed as a hero, rather than condemned as a villain, in the aftermath of a cyberattack.
Case in point: A few years ago, a security event erupted inside a security vendor's own internal network. The internal security team was using the company's own products, and the CISO had been granted access and permissions to modify the products' code locally along with other resources to adapt them to his own use. When the attack occurred, the modifications he and his team had made were the difference between a large-scale, publicly reportable event and a significantly smaller incident that was entirely manageable.
During the incident, the security team responded alongside the product development teams and walked developers through how the attack worked and which of their modifications had helped stop it. In tandem, the CISO was briefing the C-suite and board regularly, including how the depth and breadth of the product modifications made by the security team made a difference. Specifically, he explained how the company's products had been modified to block attacker communications and how they had been made to interface with security products from other vendors to block faster.
Rather than blame, second-guess, or threaten the CISO with his job, development executives praised the security team's product innovations to those in the C-suite, who then pulled the CISO into a larger product development role that ultimately increased business.
While this template may not be repeatable in every industry sector, it illustrates some important shifts in how companies behave after a major security incident.
With new attacks forming faster than the technologies to fight them, holding CISOs to an entirely unrealistic standard doesn’t actually serve anyone. The truth is that no matter how many technologies are deployed or how good the security posture is, 100% protection from cyberattacks is simply not possible. Perhaps senior leadership and boards of directors are finally starting to acknowledge this fact, or perhaps they're starting to realize that a successful response to an attack, along with actions by other parts of the organization, contribute to the ultimate scale and scope of the event.
CISOs are uniquely capable of gauging cyber-risk and how to reduce it. Experienced CISOs understand the threats their companies face and know how to deploy the optimal mix of people, processes, and technologies, weighed against threats, to provide the best possible level of protection. Organizations that understand this are leading the charge in shifting the perception of the CISO from technical manager to strategic risk leader.
Given this shift in industry and perception, it's only a matter of time before CISOs' skills and expertise — along with their well-managed teams — will be needed to prevent disaster. When that moment occurs, however, the difference between success and failure lies in the degree to which they've been empowered by the organization to take the necessary steps — before, during, and after an attack. CISOs who are empowered in this way share three characteristics.
First, they have strong social support within their organizations. They are involved in decision-making that affects overall security across the enterprise.
Second, they have authority over the cyber-risk management budget, including insurance, as well as overseeing response and recovery efforts. CISOs typically have to coordinate many parties when an attack hits, including outside counsel, insurance providers, incident response contractors, and infrastructure recovery contractors. Having responsibility without budget or authority is a recipe for failure at a critical time.
Finally, the board and senior leadership recognize that no solution for cyber threats is perfect, and an increase in attack frequency means that eventually one will succeed. They understand that blaming the CISO after a cyber incident is unfair and deprives the organization of an opportunity to learn from the experience, with a professional who is best positioned to make the company safer in the future.
As the tide of perception continues to shift in favor of today's CISO, it's important to remember that empowering the role with support, authority, and resources can make all the difference to your organization's unsung CISO hero.
Mike Convertino is the chief security officer at Resilience Insurance, a leading data analytics company using AI to dynamically assess risk for the cyber insurance industry. He is an experienced executive, leading both information security and product development at multiple leading technology companies, including Microsoft, Crowdstrike, F5 Networks and Twitter. His expertise includes cybersecurity technologies, network and endpoint security, digital forensic investigations, machine learning, intrusion detection and mitigation, and risk analysis.
In his role at Resilience, Mike applies his expertise to protect the company's technology assets as well as develop strategies for cybersecurity and risk professionals to make organizations more resilient. Before he joined Resilience in 2020, Convertino was the chief information security officer (CISO) at Twitter, where he protected the platform from sophisticated threats. Prior to that, he was vice president and CISO and later, chief technology officer (CTO) of security products at F5 Networks.