The Toughest Job In Corporate America: Chief Security Officer
Earlier this week, I was at RSA, one of the biggest security conferences of the year which went ahead despite “corona concerns”. Wing hosted an event for Chief Security Officers (CSOs), and it reminded me why this is the toughest job in corporate America.
Take a moment, and put yourself in the shoes of a CSO. Nobody has any idea if you are doing a good job (maybe you have been breached and just don’t know it). A career-ending disaster could occur at any moment, day or night. This could be an attack (Sony), data leakage (Equifax), rogue employees (CapitalOne), somebody giving up credentials to phishing (every company), and so on. There are no objective benchmarks to show effectiveness when reporting to the board. You have all the budget you need, but it’s impossible to hire enough qualified people. You are bombarded by so many security vendors that your head spins, making it hard to know where to focus.
To guide the discussion, we asked several experts to share their experiences. Most were board members who had lived through headline-grabbing breaches. One was the person you call when things go wrong (the board members referred to him as "Mr. Wolf”). Unsurprisingly, none of them want their names or companies shared publicly.
Learnings for CSOs
The experts shared a few key points for Chief Security Officers to keep in mind:
- Take ownership: it doesn’t matter who was breached -- it matters if it’s your data. Board members lamented how second-tier vendors or consultants had caused the problem. But that doesn’t matter if it’s your data. Given how connected enterprise apps are becoming through APIs, it speaks to the need for vendor certifications and, possibly, ways of tracking data through different applications.
- No single approach wins: There’s an over-reliance on the perimeter, fragmented approaches to secrets management, and poor network segmentation. Response planning is also an issue. One board member described his company’s plan as someone walking down the street, seeing a building on fire, pointing to a fire hydrant and saying, “we have a solution”. Significant gaps still exist. They pointed to the need for multi-layered approaches.
- Look to the military: The best approach is to run training drills like the military. Create a “red team” and test the 5-10 main points of vulnerability. This is something boards can understand much better than the five-point scales made up by audit firms to “quantify” security. It also keeps the security team sharp.
Learnings for Security Start-Ups
More than anything, have empathy for your customer. CSOs are looking to do a great job, but also to make life easier for their over-stretched teams. They have to check all the boxes demanded by compliance, want better visibility, and need more leverage from automation. They'd like the ability to explain their work more easily.
The best startups will map their solution to one or more of these basic needs.
Cyber Innovator | Consigliere | Builder
4 years ago: Amazing insight, and I have said this time and again too - have empathy for the customer. While your product works, it takes a few headcounts, budget approvals, and major process changes to achieve the desired result. There is no easy button!
Co-Founder and CTO at DigiTrans Technologies and Innovation and CareNX (SindiColpo) Innovation Pvt. Ltd , Driving Digital Innovation with Strategic Leadership, EX-VP @ RIL. Asp. Independent Director
4 years ago: Great insights
Vice President and Chief Information Security Officer | FBI CISO Academy Alumnus | Board-certified Qualified Technology Executive | CCISO | CISM
4 years ago: Thanks, Aaref Hilaly! Good to see you there and I appreciate the title of the article. Rajeev Chand - Excellent job moderating the panel and I think it was one of the best security discussions I’ve ever seen.
CEO/Founder - Airgap Networks (Acquired by Zscaler)
4 years ago: Fully agree. Great writeup.
Aaref - Great post. We should talk.