Today, cybersecurity is an essential component of any risk management approach. In its latest risk barometer, Allianz, the leading general insurer, highlights the sharp increase in cyber risk in recent years: it now ranks first among business risks, ahead of business interruption, economic market fluctuations and environmental risks.
Whether targeted or, on the contrary, massive and indiscriminate, seeking discretion or complete paralysis, the cyber threat is protean. Its objectives are numerous: destabilizing the company through financial cybercrime; damaging its image or reputation (offensive economic intelligence); spying on economic or industrial activities; or organizing cyber sabotage operations.
In this highly contested landscape, the CISO, as Information Systems Security Manager, plays a decisive role. He or she must take into account numerous technological, human and regulatory perspectives, all of which are evolving ever faster. Given the evolution of this role and of the cyber threat, can a CISO still rely on the same indicators as before for efficient risk assessment and management?
The CISO function, at the very origin of cyber risk management:
The way cybersecurity is handled within an organization is no longer what it was a few years ago. The perspective has shifted away from a perimeter posture, where the point was above all to protect a particular object by placing a security “wall” around it so that it could not be reached. Today, cybersecurity is part of a collective security process and a proactive approach, as the multifaceted role of the CISO shows.
Indeed, well beyond the barbaric acronym C-I-S-O, which gives this function a primarily technical aspect, the role is broad and transversal: operational, legal, technical, organizational and strategic at the same time. The CISO acts as an advisor and a policy maker, but also as an agent of change within the organization, sometimes with a managerial posture in order to optimize the efficiency of the projects carried out, always within a broad conception of cyber risk and resilience.
Moving between the different departments of the company or administration (sales, marketing, communication, technical, maintenance, management, etc.), the CISO is able to translate technical issues for each component of the organization, so that every actor is aware of the cyber risk and has access to quality, adapted information about it. The CISO can thus instill different adaptation logics per department, in a perspective of efficiency and continuous protection that guarantees defense in depth. By identifying the appropriate information needs, the measures and procedures put in place become all the more beneficial. A CISO is therefore also a strategist, able to give a certain vision to the company’s activities while aligning them with a cyber risk management strategy. And this, of course, without forgetting the strong technical dimension: a CISO must master current topics in the cyber ecosystem as well as the evolution of current and emerging technologies.
Today, the CISO has an essential and growing role within companies. The latest Gartner report even states that by 2025, 40% of boards of directors will have a committee in charge of cybersecurity, or at least one of their members in charge of overseeing cyber activities, proof that cybersecurity and the CISO function are indeed at the heart of a company’s strategic activities.
Essential indicators for the CISO:
To carry out this mission, the CISO refers to several tools and is guided by the ISO 27000 series of standards, a real bedside book for CISOs since it defines the main requirements for implementing a relevant information security management system (ISMS).
However, this diversified and growing role implies de facto a perpetual consideration of new elements, as shown by the recurrent evolutions and adaptations of reference models such as the NIST framework, which lists the best practices a CISO should establish. Of course, given the wealth of the market, a CISO has a wide choice of technologies to meet these needs. But he or she must pay ever more attention to certain key steps, as well as to the human factor, which lies at the heart of each step of the cybersecurity process.
Identification, the spearhead of the CISO:
Identifying the risk is the first step in any CISO action. It is by having precise knowledge of the risk he or she faces that a CISO can best adapt the strategy. But the CISO must also identify all the resources available to respond to it. Indeed, how can the security of an IS be ensured if all its resources, tangible and intangible, are not correctly identified? Identifying all the resources of an IS allows the CISO to measure it qualitatively and thus gain a clear understanding of how the organization functions in the face of an identified cyber risk.
Understanding the company’s architecture, its resources and its risks enables a CISO to manage the security of the IS effectively by prioritizing efforts according to the organization’s needs and initial strategy.
Indeed, each organization has different resources, whose importance is relative to that organization. For asset management to be strategic, it must therefore be adapted to the devices, applications, communications, data flows and human resources involved. Correctly mapping the company’s global environment, but also that of its partners and its supply chain, is an essential component of this risk identification process as a whole.
Once the risk has been identified according to the technologies in use, it can be qualified and quantitatively evaluated in order to implement protection procedures.
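To make the identification step concrete, here is an added example (not code from the article or from Gatewatcher) of a minimal asset register with dependency mapping and risk rating. It goes slightly beyond the text: an asset inherits the exposure of what it depends on (a partner service, a shared server), a dependency that was never inventoried is rated at worst-case likelihood, and assets without an owner are reported, since a resource nobody owns has not really been identified. All asset names, scores and the 1 to 5 scale are constructed assumptions for illustration.

```python
"""Asset inventory, dependency mapping and risk prioritization (added example)."""
from dataclasses import dataclass, field

# An asset that is referenced but never inventoried is treated as worst case:
# what you have not identified, you cannot claim to have secured.
UNKNOWN_LIKELIHOOD = 5


@dataclass
class Asset:
    name: str
    kind: str                 # device | application | data_flow | human | partner
    impact: int               # 1 (negligible) .. 5 (critical): business impact if compromised
    likelihood: int           # 1 (rare) .. 5 (expected): chance of compromise on its own
    owner: str = "unassigned"
    depends_on: list[str] = field(default_factory=list)


def build_inventory(assets):
    return {a.name: a for a in assets}


# Constructed sample inventory (hypothetical names and scores, not real systems).
INVENTORY = build_inventory([
    Asset("crm-app", "application", 5, 2, "sales",
          ["saas-ticketing-partner", "db-server", "legacy-reporting"]),
    Asset("db-server", "device", 5, 2, "it", ["backup-service"]),
    Asset("backup-service", "application", 4, 1, "it"),
    Asset("saas-ticketing-partner", "partner", 3, 4, "procurement"),
    Asset("marketing-site", "application", 2, 4, "marketing"),
    Asset("employee-laptops", "device", 3, 3, depends_on=["vpn-gateway"]),
    Asset("vpn-gateway", "device", 4, 2, "it"),
    Asset("hr-payroll-flow", "data_flow", 5, 1, "hr", ["employee-laptops"]),
])


def intrinsic_risk(inventory, name):
    """Risk of the asset considered in isolation: impact x own likelihood."""
    a = inventory[name]
    return a.impact * a.likelihood


def effective_likelihood(inventory, name, _visiting=None):
    """Likelihood once dependencies are taken into account.

    An asset is at least as likely to be compromised as the most exposed thing
    it relies on (a partner, a shared server, an unknown component), so we take
    the maximum along the dependency chain. A visiting set cuts cycles so that
    mutually dependent assets do not recurse forever.
    """
    if name not in inventory:
        return UNKNOWN_LIKELIHOOD
    _visiting = _visiting or set()
    if name in _visiting:
        return 0  # already being evaluated higher up the chain
    _visiting = _visiting | {name}
    a = inventory[name]
    return max([a.likelihood] +
               [effective_likelihood(inventory, d, _visiting) for d in a.depends_on])


def effective_risk(inventory, name):
    return inventory[name].impact * effective_likelihood(inventory, name)


def prioritize(inventory):
    """Assets ranked by effective risk, highest first (ties broken by name)."""
    return sorted(((n, effective_risk(inventory, n)) for n in inventory),
                  key=lambda item: (-item[1], item[0]))


def missing_dependencies(inventory):
    """Referenced but uninventoried assets, and who relies on them: identification gaps."""
    gaps = {}
    for a in inventory.values():
        for d in a.depends_on:
            if d not in inventory:
                gaps.setdefault(d, []).append(a.name)
    return gaps


def unowned(inventory):
    """Assets with no responsible owner, another identification gap."""
    return sorted(n for n, a in inventory.items() if a.owner == "unassigned")


if __name__ == "__main__":
    for name, risk in prioritize(INVENTORY):
        print(f"{risk:3d}  {name}  (intrinsic {intrinsic_risk(INVENTORY, name)})")
    print("uninventoried dependencies:", missing_dependencies(INVENTORY))
    print("no owner:", unowned(INVENTORY))
```

Run as a script, it prints the ranking. Note how the CRM application, rated a modest 10 on its own, rises to the top once its partner dependency and its unknown reporting component are counted, which is exactly the supply-chain and partner mapping point made above.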
Protection, an essential element for the CISO:
Protection is at the very heart of the CISO’s job. Once the organizational architecture is fully mapped and mastered, the CISO’s mission is to develop and implement appropriate safeguards to ensure, first and foremost, the delivery of the organization’s critical services and, at best, all of its services. A CISO must keep in mind that not every attack can be prevented. The goal is to contain the impact of a possible cybersecurity event, and therefore to limit its propagation and guarantee a form of resilience.
To protect the IS, the CISO can put in place technical processes focused on identity management, access control, data security and backup, or procedures for protecting information and technologies, relying on duly chosen protection technologies. But the work does not stop there; it must go beyond the simple use of technical tools. Protection is above all based on the human factor, which remains one of the main causes of cybersecurity breaches today.
The CISO therefore has a fundamental role to play in raising awareness and training staff concerning these challenges. Without taking the human factor into account, protection cannot be optimal.
Threat detection, a key issue:
This protection must be continuous in order to ensure the permanent security of the IS. To do this, the CISO must implement appropriate means and activities to detect the occurrence of cybersecurity events as quickly as possible. The time factor is indeed a priority in managing a cyber incident: the earlier an incident is detected, the more effective the response can be.
A CISO should therefore focus attention on the specific anomalies or events highlighted by detection solutions. The CISO can rely on precise technologies that perform continuous monitoring of network security, detecting all types of threats, from the most classical to the most advanced.
A complete detection process must therefore be defined in order to automate this detection as much as possible. In the context of detecting targeted APTs, for example, a tool that automatically performs these infrastructure detection tasks would mark a real step forward in the ability to detect targeted threats.
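As an added example of the automated, time-aware detection described above (not code from the article or from Gatewatcher), the following script runs two classic detection rules over a handful of constructed authentication log lines: a burst of failed logins from one source within a short window, and a successful login from a source that was just flagged. Each alert carries the time elapsed between the first suspicious event and the moment the rule fired, which is the “time factor” the text insists on. The log format, the IP addresses (documentation ranges) and the thresholds are assumptions made for this illustration.

```python
"""Streaming detection over auth log lines with time-to-detect (added example)."""
import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (hypothetical hosts and users; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges, not real systems).
SAMPLE_LOG = [
    "2024-03-04T09:00:01Z sshd: Failed password for admin from 203.0.113.7",
    "2024-03-04T09:00:02Z sshd: Connection closed by 203.0.113.7",
    "2024-03-04T09:00:03Z sshd: Failed password for admin from 203.0.113.7",
    "2024-03-04T09:00:04Z sshd: Accepted password for alice from 198.51.100.20",
    "2024-03-04T09:00:05Z sshd: Failed password for root from 203.0.113.7",
    "2024-03-04T09:00:07Z sshd: Failed password for root from 203.0.113.7",
    "2024-03-04T09:00:09Z sshd: Failed password for oracle from 203.0.113.7",
    "2024-03-04T09:00:12Z sshd: Accepted password for svc-backup from 203.0.113.7",
    "2024-03-04T09:00:30Z sshd: Failed password for bob from 198.51.100.20",
    "2024-03-04T09:05:00Z sshd: Failed password for bob from 198.51.100.20",
    "2024-03-04T09:10:00Z sshd: Failed password for bob from 198.51.100.20",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def parse_line(line):
    """Turn one log line into an event dict, or None for lines the rules ignore."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


class FailedAuthBurstDetector:
    """Per-source sliding window of failures; flags bursts and successes after a burst."""

    def __init__(self, threshold=5, window=timedelta(seconds=60),
                 escalation=timedelta(minutes=10)):
        self.threshold = threshold      # failures needed inside the window
        self.window = window            # burst window
        self.escalation = escalation    # how long a flagged source stays "hot"
        self._failures = {}             # src -> deque of failure timestamps
        self._flagged = {}              # src -> time the burst alert fired
        self.alerts = []

    def feed(self, event):
        """Process one event in arrival order; returns the alerts it produced."""
        if event is None:
            return []
        new = []
        src, ts = event["src"], event["ts"]
        if event["outcome"] == "Failed":
            q = self._failures.setdefault(src, deque())
            q.append(ts)
            while q and ts - q[0] > self.window:   # drop failures outside the window
                q.popleft()
            flagged_at = self._flagged.get(src)
            already_hot = flagged_at is not None and ts - flagged_at <= self.escalation
            if len(q) >= self.threshold and not already_hot:   # one alert per burst
                self._flagged[src] = ts
                new.append({"rule": "failed-auth-burst", "severity": "medium",
                            "src": src, "at": ts, "count": len(q),
                            "time_to_detect_s": (ts - q[0]).total_seconds()})
        else:
            flagged_at = self._flagged.get(src)
            if flagged_at is not None and ts - flagged_at <= self.escalation:
                # A success right after a burst is the event that matters most.
                new.append({"rule": "success-after-burst", "severity": "high",
                            "src": src, "user": event["user"], "at": ts,
                            "time_to_detect_s": (ts - flagged_at).total_seconds()})
        self.alerts.extend(new)
        return new


def run_detection(lines, **kwargs):
    """Feed log lines through the detector in order and return all alerts."""
    detector = FailedAuthBurstDetector(**kwargs)
    for line in lines:
        detector.feed(parse_line(line))
    return detector.alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['rule']} from {alert['src']} "
              f"at {alert['at'].isoformat()} (detected after {alert['time_to_detect_s']:.0f}s)")
```

On the sample lines the burst rule fires eight seconds after the first failure, and the escalation rule fires three seconds later when the same source logs in successfully; the slow, spread-out failures from the second source never cross the threshold. Tuning the window and threshold trades detection speed against false positives, which is precisely the kind of indicator a CISO has to choose deliberately.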
The response, at the heart of the CISO function:
Given the context of persistent attacks on targeted sectors, a CISO will very likely face a cybersecurity event at some point. If the priority steps of identification, protection and detection have been properly carried out, the effects will likely be smaller. Anticipation is the key to an appropriate response in a crisis, because a cybersecurity event cannot be predicted: the question is not when, but how to respond.
The CISO plays a key role in this response and in crisis management. Responsible for training all employees and keeping them alert to cyber risks, and for structuring the decision chain for this specific case (governance), he or she participates in implementing a short-term crisis management strategy in the event of a cybersecurity incident, and then in the recovery and relaunch of the company’s activity afterwards.
The CISO is not only present in a crisis. He or she is the security pillar of the organization, involved in cybersecurity at every phase: on a daily basis, through analysis, maintenance and prevention measures; during a crisis, through crisis management measures; and after the crisis, through recovery and re-implementation measures.
Beyond the simple correction of vulnerabilities as practiced in the 1990s, the CISO has a new role, which requires taking into consideration more and more technical and human tools, with identification, protection and detection at the heart of the approach. The diversification of this role will tend to continue in the years to come, driven by the evolution of the cyber ecosystem and its threats. Given this transformation, a CISO will have to keep in mind, for example, growing environmental concerns and potential European or international legislation, and remain alert to new forms of emerging threats, particularly those linked to the arrival of quantum technology. In short, the CISO will not be short of work: many subjects await!
By making cybersecurity a real asset for the organization, the CISO contributes to its continuous improvement through long-term work. However, this work is still subject to strong constraints, particularly in terms of budget and autonomy, although changes are underway in certain sectors that are highly aware of cybersecurity issues.
Author: Benoit Triolo – Gatewatcher CISO