The constant changes happening not only from a legislative point of view but also from a threat perspective make the Chief Information Security Officer (CISO) role more challenging now than it has been in the past. Ben Smith, Field Chief Technology Officer at NetWitness, spoke about the obstacles faced by those in the CISO role today, along with what can be done to improve organizations' safety while remaining compliant with the new reporting regulations put into law.
“[CISO] is an umbrella term. In smaller organizations that particular role tends to be very IT focused, which is a great place to start,” Smith said. “A lot of the CISO’s day job revolves around technology, whether it’s defensive technology or in some cases, offensive technology. One of the big challenges I think a lot of CISOs have today is where should that role be set in the organization.”
A CISO’s place in the organization chart
Smith says that in more traditional setups those in CISO roles are placed underneath the Chief Information Officer, but companies that are more forward-thinking have begun placing their information security chief directly under the Chief Executive Officer. This allows for greater influence when it comes to making impactful decisions.
“When I joined [NetWitness], I was having a high percentage, maybe more than 50%, of conversations with CISOs who just couldn’t even get in front of the board,” Smith said. “Fast forward 12 years and that’s not really a problem these days. In fact, if you’re a CISO and you don’t have board access, that should be a big red flag not just for you and your organization, but potentially for your career. In 2022, a CISO should have access to the board. The board should be asking the CEO about the CISO and what his or her role is.”
Smith goes on to add that there is still room for improvement in the access afforded to those in the CISO role, namely in meshing the business and technical requirements needed to keep businesses safe while still giving the CISO the right amount of input in decision making.
“The disconnect is that even though the CISO as classically defined tends to be a tech focused individual in the organization, the CISO is an executive at the end of the day,” he says. “There is a dichotomy or there’s a split if you will, between the business requirements that the CISO needs to bring to the table and the technical requirements or aptitude that the same individual needs to have.”
Confronting reporting and security concerns
As ransomware attacks continue to balloon in number, Smith says that workers in this role need to address them both from a security standpoint and in terms of compliance with the new legislation put into place. A strategy for protecting the organization from external threats while remaining compliant with the ransomware reporting requirements recently put into law should be at the top of these workers’ priority lists.
From a regulatory standpoint, the feasibility of the tight reporting deadlines outlined in the Strengthening American Cybersecurity Act has been called into question. The act requires critical infrastructure organizations to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a substantial cyberattack. In addition, organizations making ransomware payments would be required to report the incident to CISA within 24 hours.
“When businesses talk about feasibility, that’s a code word for: We’ve got a process to vet this information before it’s publicized and 24 or 72 hours doesn’t fit into our process,” Smith said. “Twenty-four hours is an uncomfortable amount of time to try and pull all that together. But I think a lot of organizations felt when [General Data Protection Regulation] came out and there were some quick notification requirements, a lot of organizations shook their heads and said, ‘this is really going to be tough’, but they figured it out. I think that if we look at this rationally, if you have been exposed to ransomware and you decide to pay it off, how many more steps do you need in order to notify the government after that? Really you can probably do them at the same time.”
Smith says that while the new cybersecurity law will require IT departments to communicate openly with the government about attacks and ransom payments, CISOs should already be building relationships with their organizations’ insurers in preparation for a security breach.
“I think an executive needs to be thinking about the fact that there is going to be not only a regulatory burden but also a legal burden. That’s only gonna get heavier from now on,” Smith said. “Some organizations have started that conversation very productively because cyber insurers care about that as well. A good CISO in my book is somebody who has already had a conversation with the company that is providing the cyber insurance policy. That’s a very important line of contact and connectivity that you want to already have in place so that when the ransomware hits, you know exactly who to talk to to get their recommended next steps.”