Agility is not a word one associates with chief information security officers (CISOs).
For a long while, they were seen as hurdles to business agility and innovation. As realists hell-bent on keeping malware and intruders out, they set up controls and fenced their infrastructure — often at the expense of business agility.
The pandemic shifted this castle-and-moat thinking.
For one, all employees no longer worked within a security perimeter. “Starting January 2020, we ‘simply’ moved out all of the humans! The new workforce is no longer inside our perimeter,” said Shane Read, a CISO at a major group that sources and supplies raw materials in Asia.
Being outside of it meant that they were fresh meat for hackers and ransomware “enthusiasts” who bombarded them with relentless phishing emails.
Next, the data is no longer safely guarded in a data center. It now resides everywhere, from the cloud to the mobile device. CISOs had to protect the data wherever it was while keeping track of its movements.
Lastly, employees needed remote access to mission-critical applications and data. With entire workforces under lockdown, it was a matter of business survival.
While chief digital officers, chief technology officers, and chief information officers shaped the new infrastructure, it fell to the CISO to ensure that the new agile workplace was secure.
New security mandate begets fresh challenges
For Sean Duca, vice president, regional chief security officer (CSO) for Asia Pacific & Japan at Palo Alto Networks, the biggest challenge for CISOs is the need to get closer to the business.
“You need to know what the business is actually doing. The closer [CISOs] are aligned with the business, the better the outcome,” he said.
Lim Shih Hsien, a CSO for a leading power utility company based out of Singapore, agreed.
“Hence, the role may not necessarily be enlarged, but the responsibilities and expectations are. There is more pressure to work closely with IT and business colleagues to deliver results fast,” Lim added.
Read felt CISOs also need to work in a more complex environment where they would not have total control. For example, he felt the most significant pain point lies with governance, risk, and compliance (GRC).
“When we have 5 to 10% of the workforce remotely operating, we could still get away with the minimal risk of individuals’ laptops (BYOD) or conducting Workplace Suitability Assessment of home environments. Now that 100% of the workforce is performing their day-to-day duties in their lounge rooms, studies, backyards, and even beds, we no longer have full control of the technical narrative.”
Complexity creates other issues. For example, email compromises outside the security perimeter may become magnified and also run into privacy issues. “A simple business email compromise on a BYOD device that had malware installed on it turns into a harder problem to fix, especially when you don’t have the legal permission to touch that end user’s private device. Worse yet if that compromise then results in the encryption or deletion of that user’s personal photos or sensitive information.”
While the needs of CISOs have grown, do not expect a bigger budget for it, said a senior chief information security officer working in Hong Kong’s healthcare industry.
“Expected budget cuts or zero increases have forced enterprises to review the IT investments and re-prioritize the investments to align with the changed business size. For CISOs, it could be the same or less budget to catch up to the increased threat landscape. The key question CISOs must answer is whether the investments are still valid due to the change of business models, business size, and threat landscape?”
Duca characterized this as the new balance. He believed that CISOs need to re-assess how they approach their security investments while working closely with the business on their needs.
Zero Trust awakens
One concept that is now seeing a re-emergence as a result of workplace agility is Zero Trust.
The concept already has a strong foothold in the U.S. and Europe. However, Forrester saw an increase in momentum in the Asia Pacific region, where the idea is still not ingrained.
In a recent Forrester report, “How to implement Zero Trust security in Asia Pacific,” the authors, Jinan Budge and Chase Cunningham, noted that part of the reason is the pandemic. The resulting cloud migration, remote working, new regulations, and increased focus on data privacy saw many CISOs accelerating Zero Trust adoption.
The problem with Zero Trust is not the definition but the implementation. The Hong Kong healthcare CISO noted that Zero Trust is “more a design principle like ‘layered-defense.’ It is more subject to different interpretations among users and vendors; hence it is hard to see an implementation of Zero Trust.” He added that the concept still needs to be anchored to “identity-based ecosystems.”
To make it easier to adopt Zero Trust, Palo Alto Networks is embedding the concept in its platform approach to security. “Zero Trust also requires a mindset change. And I think this is where people need to think about how to apply this around the organization,” said Duca. Such an approach challenges users on their identities before granting access to data and applications.
Read highlighted that the focus on Zero Trust has also evolved. “Pre-ransomware, the focus was on the Zero Trust Directory Services; then in the ’00s we changed the narrative to ‘set the expectation that your enterprise is compromised because it most probably is.’ And now with ransomware, if a network gets infected, you can see large network segments being removed from service within minutes.”
He noted that Zero Trust models require CISOs to structure their enterprise infrastructure to have the least impact from a compromise or ransom. “Where a single fallen system is isolated by its operating design, not after the incident has happened. This is critical.”
Security awareness, maturity, and collaboration with business teams are also essential for a successful Zero Trust. “Gone are the days where security is just an IT problem. Without a clear business analysis and management ownership, workflows and processors are left to be decided by the implementation team, i.e., the wrong person. Zero Trust from the perspective of user access control, including trusted third parties, needs to be owned by the business owners, system owners, human resources, legal, finance, and IT,” said Read.
In their report, dated Oct. 22, 2020, Forrester’s Budge and Cunningham agreed with what Read and Duca alluded to: the importance of having the right culture for Zero Trust.
They also advised companies not to be put off by its name. Some companies felt “Zero Trust implies that you should not trust your peers or employees. But Zero Trust is not about people; it is about packets. It is about eliminating dangerous trust assumptions of a technical nature in your security architecture. It is also about establishing a singular security strategy,” the authors wrote.
However, Asia Pacific faces another hurdle for Zero Trust models. Many corporate cultures are based on trust, and having a concept that challenges this unspoken trust can be difficult, said the Forrester report. But as Duca noted, it may be time for a “rethink of old notions.”
New CISO traits
The pandemic has shown the gaps in our current security approach. But it also unearthed opportunities for CISOs to widen their mandate.
CISOs can move away from being seen as gatekeepers to become business enablers. But for this to happen, they need to get closer to the business.
“I think fundamentally, we are at that point now where CISOs and security teams are actually trying to work closely with the business teams to understand what it is that they are trying to do and to do it securely,” said Duca.
Singapore-based Lim noted that his job scope now includes collaborating with the business. “You need to build good working relationships, credibility, and trust with peers and stakeholders. When a crisis hits, teamwork will come naturally. Empathy also helps to ensure that security is practical and not a checklist exercise. Finally, leadership demands objectivity, transparency, and authenticity in all communications and interactions.”
Read called for a business CISO, “not a technical CISO.” “The next generation of CISOs need this business trait to ensure they can talk the same language as the rest of the C-Suite because I can tell you even after 20 years in this game, this is one of my biggest challenges. You can’t stop the attacks as they will always be there, but you can build up and sell a solid business case for more funding, resources, and projects to best protect the enterprise data from falling into the wrong hands.”
Duca noted that everyone at the executive level and the board has a vested interest in cybersecurity. It is no longer just a CISO’s focus but a business imperative.
Why? “Because we’ve got a common adversary, or adversaries, that are all targeting us. We need to be working together. And that starts in our own organization. First and foremost.”
This article is part of a CDOTrends eGuide. You can download the entire copy here.
Image credit: iStockphoto/metamorworks. Video production: Pixel Gallery Pte Ltd.