
The Lockdown

Thycotic’s Cyber Security Blog

The CISO Research Report: CISOs thrive on being Guardians of the Business and maybe even the Galaxy

Written by Joseph Carson

February 18th, 2020

Is Data the new Oil?

Some people maintain that “Data is the new oil”. Tech companies around the world now rank among the largest global companies, and a number of them have market values that exceed some countries’ GDP. Tesla, some would argue, is a tech company that builds cars; it now has a market value bigger than GM and Ford combined, making it the most valuable car company in the USA.


Many of those companies collect and process huge amounts of data. They can use that data to create new products focused on making our lives better. But some would say that we ourselves are becoming the product and in doing so we are sacrificing both our privacy and freedom.

The holders of the data hold the value, and for many companies data is becoming extremely critical to business success. With technology and data now so important, and people and businesses worldwide connecting faster and more efficiently than ever—think Internet of Things, 5G, etc.—the value of data is accelerating as never before.

In fact, humans are the new oil—we are providing the ‘value’ and data is the commodity that makes the product possible.

With this in mind, I disagree that data is the new oil.

In fact people are the new oil. People are providing the data that delivers the real value, and data is the commodity that makes the product possible in the first place. In return for inexpensive products we are giving up our data. With a camera in our hands and a sensor in our pocket, our data is being collected and transacted for free services.


A cyber-attack is more likely to bring a company down than any other type of incident

Because companies are so heavily dependent on technology, they are exposed to cyber threats which can occur at any moment and come from anywhere. A cyber-attack is more likely to bring a company down than any other type of incident. According to the World Economic Report, cyber-attacks are a top-5 risk to world economies and stability, ranking slightly behind risks such as natural disasters, failure to mitigate climate change, and extreme weather.

Modern cyber-threat landscape is challenging today’s businesses, executive boards and CISOs

Given that data and people are critical to business success, it stands to reason that cyber-attacks targeting data and people have accelerated. Attackers hold companies to ransom, threaten to release sensitive data to the public, or prevent employees from doing their jobs, thereby impacting the company’s productivity. Yes indeed, people are the victims and data is the loot.

Some security companies want you to fear nation state cyber-attacks. However, looking back at the 2019 Verizon Data Breach Investigations Report, we see that most cyber-attacks are financially motivated. This means a company is more likely to fall victim to a ransomware attack than to find a nation state APT (Advanced Persistent Threat) team sifting through its network stealing data, though that is more likely in some industries than others. The motives for most nation state cyber-attacks are:

  1. Intelligence gathering & espionage
  2. Economic advantage such as IP theft
  3. Cyber war combined with traditional kinetic war
  4. Retaliation driven by political motives

In previous security incidents most cyber-attack costs have been incurred as a result of:

  1. Ransomware Attacks
  2. Data Loss
  3. Incident Response
  4. Regulation and Compliance Fines
  5. Default Credentials and Password Re-Use

Every company has a “Dave” who will happily click on everything that arrives in his email inbox

Ransomware is just one click away every single day. An innocent-looking email containing a malicious link or attachment can lock up your computers and data and hold your business and employees to ransom until you cough up your bitcoins. In return, the cyber criminals will give you a key to unlock your data and get you back to business.


Regulation and compliance fines can be a significant cost in a data breach. To reduce this risk, make sure you’re doing everything to comply with your industry’s compliance best practices. This will likely include Privileged Access Management, but might also include:

  • Multi-Factor Authentication
  • Data Encryption
  • De-Risk Data
  • Security by Design
  • Cyber Awareness Training
  • Business Continuity Plan
  • A strong Incident Response Program.

Default credentials and password re-use are the riskiest employee behaviors. Employees practice poor password hygiene and re-use passwords for email, corporate AD, social media and even their bank accounts. Cyber fatigue is still a huge challenge, so we have to find ways to make cybersecurity easier and deploy cybersecurity solutions that are good for employees and good for the business. In other words, we must continue on our path to designing people-centric cybersecurity solutions.

Related Reading: See my article in Forbes – Why You Should Make Cybersecurity A Company Culture And How To Do It

The CISO’s role and how it’s evolving

In the past the CISO’s role—if the company even defined one—was largely focused on technology. But as digital transformations progressed and employees became the primary target of cyber-attacks, the focus shifted significantly to a balance between technology and people.

The CISO has one of the most difficult and challenging jobs in any business today. They often operate in the background, working vigorously with their security and operations teams to keep critical systems and sensitive data protected from bad actors. They keep systems updated, patch around the clock, deliver cybersecurity awareness training to employees, control and secure privileged access and much more. And all while tackling the ever-growing compliance laws and regulations the business must meet.

The need for security to be business focused and people friendly has now become one of the top priorities for the CISO.

It’s time for the CISO to stop talking cybersecurity and focus on reducing business risk

Today’s CISO must listen to the executive board and business peers to understand what they measure to gauge success. The CISO’s job is not to simply put technology in place for the sake of security but to put technology in place for the sake of business: technology that helps the business succeed while ensuring that cyber risks are either reduced or eliminated.

Communication is key for the CISO’s Success

Cybersecurity has an image problem that can be traced back to a lack of understanding and communication at all levels of the company. Despite the increased exposure of recent years, security is still seen by many as a complex field full of unfathomable technical jargon. Combined with the tendency to focus on risks and threats, it’s easy to see why laymen tend to regard cybersecurity as something hostile and best given a wide berth.

The key to overcoming this lack of communication is to start at the top. Security teams will find it extremely difficult to get the majority of personnel on their side if senior management has not bought into the importance of security. The vast majority of security professionals believe their boards listen to them and consider their input, though many still have difficulty convincing them of the business case for security investments.

CISOs are perhaps the most important individuals in bridging this gap and establishing a good dialogue with the board of executives. They can act as a Rosetta Stone, translating security issues from jargon-laden technical talk into familiar, business-centric language. Among their various other skills, it’s vital for a CISO to be a strong communicator. A business-first approach is essential: by focusing on the company’s objectives and backing up their points with evidence, CISOs can help the board understand how cybersecurity impacts the company’s bottom line and its ability to innovate and grow. This includes related fields such as compliance and regulatory demands around security and data privacy. Taking a business-first approach will reposition security away from being a negative expense and towards being a positive enabler.

Thycotic reached out to IT leaders around the world to find out how they measure success, what motivates their employees, how to be successful at getting security budget, and most importantly how to avoid the stress that leads to CISO burnout. Over 500 leaders contributed to our research out of a need to find balance, determine what works and what does not work, and help one another find a path to success.

CISOs thrive on being Guardians of the Business

From our CISO and IT Leader research we found that CISOs are quickly becoming the “Chief Revenue Protection Officer”. CISOs and their cybersecurity teams must ask questions such as “What is driving revenue in our business?” and “What do our customers expect from our business when it comes to cybersecurity?” That means seeking out and querying those who generate the business revenue, including the sales and marketing staff. Ask “Where does the sensitive data reside? What would happen if this data were compromised or not available? How would that impact our revenue?”

By taking a revenue-centric approach, the CISO can convey the value of cybersecurity in terms that nearly any executive or employee can understand. Articulating how cybersecurity influences business revenue, and putting numbers on it, is a powerful indicator of value.

Being the Business Bodyguard is what gets the CISO and IT Leaders out of bed in the morning

We asked CISOs and IT Security leaders what motivates them. 29% said they see themselves as the business bodyguards, protecting the business from cyber-attacks. 25% see themselves as the upholders of ethics, protecting sensitive data and the privacy of those who have entrusted them with sensitive information.

What motivates CISOs?

The good news is that CISOs and IT Leaders relish their jobs and responsibilities. In spite of operating in an extremely stressful environment, 24% are positively motivated by what they do. This is an encouraging result which can hopefully attract more talent into the industry. We consistently hear about the millions of unfilled jobs available and feel it’s important that we continue to bring more, and more diverse, talent into the security industry.


Most CISOs’ measure of success is around adding value to the business and meeting performance targets set by the board. The security team is determined to be an enabler of the business rather than just an obligation, and this means it’s becoming more important that security is aligned to overall business goals.

Good communication is urgently needed to find the right balance and define a common language between the CISO and the executive board.

Here are 14 Tips To Help Tech Leaders Nail Their Q1 Goals from CISOs around the world to help you get started on the path to success.

Are CISOs the Guardians of your Business?

To find out how to lead your cybersecurity team to success and be the guardian of your business—and maybe even the galaxy—download a copy of our latest CISO Research Report here.


Have you read our other 2 CISO Reports?

The CISO Research Report: Why are security and business goals at odds with each other?
The CISO Research Report: IT Security Performance impacts the Boardroom