What Your CISO Isn’t Telling You
Sue Bergamo
Global CIO/CISO | Executive Advisor | Board Ready | Podcaster | Author | Passionate to create a safer world, using my expertise in cybersecurity/technology to develop innovative solutions for growth oriented companies.
Has this article’s title piqued your interest?
As an executive in your organization, would you say that you are aware of everything the security team is handling within the company? And more importantly, should you care about the inner workings of cybersecurity?
Experienced CISOs know that there are times when we are under a legal obligation not to disclose information about a situation, event, incident or potential litigation, but what about sharing the full set of metrics on the company's cyber landscape? CISOs are also aware that showing everything that happens behind the scenes can create misperceptions about the resiliency of the organization, because metrics without context lead to confusion. For most of the inner workings, CISOs communicate on a need-to-know basis, and detailed information isn't shared broadly.
To someone who has never worked in cyber, what happens behind the scenes can range from absolutely absurd to downright terrifying. The cyber team is in a firefight every single day, and how that message is delivered may not serve everyone's interests. Over the years, I can personally admit that there are things I just can't 'unsee' in the middle of the night. Try explaining these things to an untrained person and the conversation may not go well.
A misconception many CISOs hold is that the executive team and the board should see what occurs in our shops at a very detailed level, but this couldn't be farther from the truth. The CISO is responsible for taking care of the details and exposing only the information needed by the small number of individuals who must understand potential and tangible impacts to the company. Our ultimate goal is to limit the liability of the board, the executive team, and the enterprise.
For those of us who are used to fighting cybercriminals, it's just another routine day. Our competitive nature drives us to stop these criminals and their attacks before they infiltrate the organization, and the tools we use to identify and defend against cyberattacks help us in that quest. For those who haven't been involved in our daily slugfest, the actual number of attacks we defend against would cause the executive team to grow concerned, especially if they believe the CISO's role is to make sure the company is not at risk.
The CISO cannot ward off the sheer number of attacks that occur, but with a solid cyber program the number of attacks doesn't matter; the only thing that matters is how many attacks got past us. Risk is not measured by how few cyberattacks we see; it is measured by whether a material breach occurred and how much data was taken. It's not that CISOs don't want to disclose information about our programs, but the package and the message need to be in a format that can be understood.
Our people must stay dedicated and committed to keeping their eye on the proverbial ball and watching our environments closely, and not just production: every environment counts, because anyone could make a mistake, introduce a misconfiguration or leave a door (a port) open in our marketing, IT, product development or test platforms. It doesn't matter whether your environment is in the cloud or in your local data center. Many CISOs are also involved in physical security, which includes employee safety.
Can you see why context is key when creating cyber metrics? Let's break down the details to gain a better understanding of what happens behind the scenes.
Security Operations is a critical component of a cybersecurity department. These talented individuals chase alerts each and every day. The tools they use provide insight into where the alerts are coming from, how severe they are and whether an attack is under way. Attackers, including nation-state actors, operate worldwide and love to strike 'after hours', when they believe we are not watching. Depending on the size of the company, alerts can run into the millions, if not tens of millions, every month.
Our IT teams are typically responsible for monitoring the network and our email. This area, too, sees many alerts throughout the day. The IT team works hand in hand with the Security Operations team, passing alerts between their tools to gain a broader view of the attack surface and landscape. Cybercriminals love to start at the network and email layer, as it's an easy way into any company through direct attacks, spam or phishing campaigns. With the introduction of AI tooling, the volume of malicious email sent to a company continues to increase, and these messages have become more sophisticated and harder to spot.
The CISO works with Human Resources and Finance on security needs, both physical and cyber related. Some employees have the best of intentions and, without noticing, are compromised when fraudulent activity occurs; others may be going through a personal issue that affects their safety. CISOs are brought into situations such as the CEO's credit card being compromised or a sales rep's laptop being stolen. CISOs handle many kinds of events in the background with the legal team or public authorities, and these confidential matters would never make it onto an executive report.
With so many confidential situations passing through the CISO for advice and forensics, it's important to approach the executive team with meaningful information that remains confidential. My best advice is to provide the executives with a small chart with limited data, and only when the information has been requested, and to prepare a monthly operational view of the threat types and the number of attacks for the technical teams, specifically in the areas that affect their work or environments.
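The two views described above, a small executive chart that reports impact rather than alert volume, and a monthly operational breakdown by threat type, environment and source for the technical teams, as an added example that is not the author's code. It assumes alerts have already been triaged to a disposition (blocked, benign or escaped), a hypothetical materiality threshold of 10,000 exposed records, and a hypothetical business-hours window of 08:00 to 18:00 UTC on weekdays for the 'after hours' split; the sample alerts are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of one month of triaged alerts (not real telemetry).
# disposition: "blocked" = a control stopped it, "benign" = false positive after
# triage, "escaped" = it got past the controls and an incident was opened.
SAMPLE_ALERTS = [
    {"ts": "2024-06-03T09:30:00Z", "env": "production", "source": "email",
     "threat": "phishing", "severity": "high", "disposition": "blocked", "records_exposed": 0},
    {"ts": "2024-06-03T10:05:00Z", "env": "production", "source": "email",
     "threat": "spam", "severity": "low", "disposition": "benign", "records_exposed": 0},
    {"ts": "2024-06-08T02:14:00Z", "env": "test", "source": "network",
     "threat": "exposed-service", "severity": "critical", "disposition": "escaped", "records_exposed": 12000},
    {"ts": "2024-06-10T23:40:00Z", "env": "production", "source": "network",
     "threat": "brute-force", "severity": "high", "disposition": "blocked", "records_exposed": 0},
    {"ts": "2024-06-12T14:00:00Z", "env": "marketing", "source": "endpoint",
     "threat": "malware", "severity": "medium", "disposition": "blocked", "records_exposed": 0},
    {"ts": "2024-06-14T19:30:00Z", "env": "marketing", "source": "email",
     "threat": "phishing", "severity": "high", "disposition": "escaped", "records_exposed": 0},
    {"ts": "2024-06-15T03:00:00Z", "env": "production", "source": "network",
     "threat": "port-scan", "severity": "low", "disposition": "benign", "records_exposed": 0},
    {"ts": "2024-06-18T11:00:00Z", "env": "production", "source": "endpoint",
     "threat": "malware", "severity": "critical", "disposition": "blocked", "records_exposed": 0},
]

# Hypothetical thresholds; a real program takes these from legal and finance.
MATERIAL_RECORDS = 10_000          # exposed records at which a breach is treated as material
BUSINESS_HOURS_UTC = range(8, 18)  # Mon-Fri 08:00-17:59 UTC counts as "in hours"


def is_after_hours(ts):
    """True when the alert fired on a weekend or outside BUSINESS_HOURS_UTC."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return t.weekday() >= 5 or t.hour not in BUSINESS_HOURS_UTC


def executive_view(alerts):
    """The small chart for the executive team: what got past us and what it cost.
    Alert volume is kept only as context for the numbers that matter."""
    incidents = [a for a in alerts if a["disposition"] == "escaped"]
    exposed = sum(a["records_exposed"] for a in incidents)
    return {
        "alerts_triaged": len(alerts),
        "attacks_stopped": sum(1 for a in alerts if a["disposition"] == "blocked"),
        "incidents": len(incidents),
        "records_exposed": exposed,
        "material_breach": exposed >= MATERIAL_RECORDS,
    }


def technical_view(alerts):
    """Monthly operational view keyed by (environment, source): threat types,
    severities, what escaped, and how much of it arrived after hours."""
    view = defaultdict(lambda: {"by_threat": Counter(), "by_severity": Counter(),
                                "escaped": 0, "after_hours": 0})
    for a in alerts:
        bucket = view[(a["env"], a["source"])]
        bucket["by_threat"][a["threat"]] += 1
        bucket["by_severity"][a["severity"]] += 1
        bucket["escaped"] += a["disposition"] == "escaped"
        bucket["after_hours"] += is_after_hours(a["ts"])
    return dict(view)


def for_environment(view, env):
    """Slice of the technical view for the team that owns one environment."""
    return {src: bucket for (e, src), bucket in view.items() if e == env}


def after_hours_share(alerts):
    """Fraction of alerts that fired outside business hours."""
    return sum(is_after_hours(a["ts"]) for a in alerts) / len(alerts) if alerts else 0.0


if __name__ == "__main__":
    print("executive:", executive_view(SAMPLE_ALERTS))
    for src, b in for_environment(technical_view(SAMPLE_ALERTS), "production").items():
        print("production/" + src, dict(b["by_threat"]), "escaped=%d" % b["escaped"])
    print("after-hours share: %.0f%%" % (100 * after_hours_share(SAMPLE_ALERTS)))
```

On the constructed data the executive chart shows eight alerts, four attacks stopped and two incidents, one of which exposed enough records to cross the hypothetical materiality line; the same data sliced for the production team shows three sources, two after-hours network events and nothing that escaped, which is the context the raw count of eight alerts cannot convey.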
© 2024. All Rights Reserved.
Sue Bergamo is a Global CISO, CIO and executive advisor at BTE Partners. She can be reached at [email protected]. The content of this article is the sole opinion of the author.
For more information on becoming a CISO, find me on Amazon: https://a.co/d/cEbRLlI
Co-Founder & COO @ Pellonium | Unified Security Posture Management | Fmr White House, Washington Post
4 months ago
Great post, though I'm not sure I agree with your advice to "provide the executives with a small chart with limited data". Executives aren't interested in the minutiae; they want to understand the value of what you are delivering. Security leaders need to shift from technical metrics to a P&L mindset. How much risk are we carrying? How much can we buy down (and at what cost)? And what are we doing about it?
Enjoyed this read, Sue!
I specialise in C-Suite Technology Leadership Appointments | CTO | CIO | CDO | CISO | CPO | Infrastructure & Building out high performing technology leadership teams - Supporting NED/Advisory
4 months ago
Really enjoyed reading this... thank you for sharing
Leader | Mentor | Visionary
4 months ago
While the overall write-up is commendable, I'd like to address the statement regarding our goal of limiting liability for the board, officers, and the enterprise. Rather than framing it as a duty to limit liability, we can view it through the lens of risk management and transparency to the organization's principles. In this context, the entities with authority, such as the board, can accept risk on behalf of the organization and issue directives, end states, and intents for the CISO and other executives to execute.
CEO & Co-founder at Kovrr | Cyber Risk Quantification
4 months ago
Great write-up, Sue Bergamo. It can be so easy for CISOs to get bogged down by all the data and forget who they're communicating with (i.e., "the audience"). The C-suite and boardroom also aren't very interested in these peripheral metrics, as they don't facilitate the high-level discussions they're having. They want to know how cybersecurity is contributing to the overall business strategy and what potential investment is required to maximize this contribution.