I’ve just begun a research project on CISO priorities in 2018. What I’m finding so far is that CISOs are increasing their focus in several areas including the following:
- Business risk. Yes, CISOs have always been employed to protect critical business assets, but in the past this was really executed with a bottom-up perspective – from IT and security infrastructure up to business processes. Fast forward to 2018 and CISOs are moving to a top-down view, from business processes down to the technology that supports them. This broadens their view of risk and mandates that security controls work collectively to protect ALL the technologies used to accomplish business processes. This is a profound change that challenges even the best CISOs and security organizations.
- The cyber supply chain. Most organizations have customers, suppliers, and business partners with round-the-clock access to their networks. As the old security adage goes, ‘the security chain is only as strong as its weakest link,’ and the OPM and Target breaches (both of which started with a third party's credentials or access) demonstrate that third parties often represent the weakest link in the chain. As part of their focus on business risk, CISOs are spending much more time on areas like cyber supply chain security and vendor risk management.
- Cyber-adversaries. In the past, organizations really thought of malware and hackers in generic terms. The goal was simple – block bad things from happening regardless of what those bad things were. While basic prevention is still important, organizations now realize that there are individuals and groups living in Odessa, Rio, or Tehran who are committed to breaking into their networks and stealing valuable data assets. In response, CISOs want to know all they can about these folks – who they are, where they are, their motivations, and the tactics, techniques, and procedures (TTPs) they use against their organizations. Armed with this knowledge, they can alert executives to pending risks and invest in the right countermeasures. As Sun Tzu stated, ‘If you know the enemy and know yourself, you need not fear the results of a hundred battles.’
- Data security. I believe this focus area is related to three things: cloud computing, mobility, and regulations like GDPR. Sensitive data is moving to the cloud and being accessed by mobile users over public networks. In this scenario, the network edge no longer works as the security perimeter, so controls must center on specific control points like identity and the data itself. As a result, CISOs want to know where the sensitive data resides, who can access it, and how well it is protected. Oh, and data security priorities are only made more urgent by the impending GDPR enforcement deadline in May.
- Security awareness training. This is nothing new, but security awareness training was often treated as a checkbox exercise in the past. Rather than simply meeting corporate governance goals, CISOs are now trying to create cybersecurity education programs that deliver measurable results.
This is the tip of the iceberg but I’m already seeing patterns. Happy to chat with any CISO who can help educate me on what else is changing in their world.