A very simple analogy that I use with the boardroom when you’re talking about cybersecurity and defense is a baseball game. I’ve got to pitch a perfect game every time. [Adversaries] only have to get one single. It doesn’t even need to be a bad apple that gets in. It can simply be somebody set up a server and missed a step. The reality in cybersecurity, if you’re on the defense, you have to pitch a perfect game every time. That’s not going to happen.
SVP/EVP, Professional Services Company
Poor Amos. His wife murders her lover in cold blood and claims doing so in self-defense against the man she says is an “unknown” intruder. Amos dutifully stands by her side, even after discovering the ugly truth of the affair. Everywhere Amos goes, he is a shadow in the background of his wife’s lurid story, practically invisible to all around him.
I’m speaking of the character Amos in the award-winning musical Chicago. His character laments just how overlooked he is in his solo number of the production aptly titled, “Mister Cellophane”:
Many of us can relate to Amos in sometimes feeling like we are invisible. It’s usually not a great feeling, typically accompanied by that of being underestimated or underappreciated. And it’s no fun being outright misunderstood.
For too long, chief information security officers (CISOs) have been the metaphorical Mr./Ms. Cellophanes of our organizations, destined to toil in virtual anonymity as they relentlessly focus on the yeoman’s work of security. They’ve lived in the shadows of those they protect. Indeed, if they emerge from their cloak of invisibility, there’s bound to be trouble on all sides.
As employees, we don’t want to be bothered with CISOs or their department. We simply expect them to keep us safe. And we want them to do it while staying out of our way. In fact, CISOs got their start in the back office of our organizations, literally out of sight and out of mind. If they dare hit our radar and become visible with annoying security patches that slow our performance, we vent. Worse yet, if they attempt to block us outright from accessing our favorite service or device, we’ll simply bypass them.
Case in point: McAfee reports the average organization has around 2,000 cloud services in use at any given time. What does its IT team think it has? Closer to 30.[1] That chasm between perception and reality can at least partly be blamed on shadow IT—a phenomenon where employees go rogue and use cloud services without the knowledge of, let alone authorization from, their IT department.
What’s worse than a CISO becoming visible to employees? Becoming visible to the board. Historically, boards have wanted as little to do with cybersecurity as employees. If the board called a CISO into a meeting, it typically wasn’t to give a strategic update on the state of cybersecurity in the company or to receive a heartfelt “thanks” for his work. It was more than likely to answer tough questions about a breach.
Deloitte,[2] the global professional services network, does a regular study of boards of directors, in which it surveys hundreds of public companies. As recently as 2014, a mere 5 percent of the very largest companies had standing committees of the board relating to the combined topic of “cybersecurity and IT.”[3]
So the CISO has largely accepted the role of Amos in our metaphorical musical—devoted to offering protection for those who don’t appreciate it and destined to remain in the shadows.
But bad actors intent on inflicting harm are rewriting this musical. Hardly a day passes without a headline (or company) announcing the next breach. The mood of the board is changing. Many are realizing that relegating the CISO to the shadows is at their own risk. When Deloitte repeated its board study in 2016, cybersecurity had risen to the number one risk earning board focus, with 25 percent of companies experiencing a breach in the past two years.[4] Mr. and Ms. Cellophane are finding themselves freed from the back corner of the back office, and even seeing an occasional invitation to board meetings as a result.
However, just because hackers have put the limelight on CISOs doesn’t solve the cybersecurity challenge. It’s heartening that boards are taking notice of the problem, but simply acknowledging it is only the first step. Improving a company’s cybersecurity posture requires these parties—the technical CISO and the strategic board executive—to learn each other’s language.
Let’s start by attempting to relate to what I submit is the most misunderstood role of the C-suite, the CISO. The edification benefits not only board members, but all employees alike. CISOs profit by finally emerging from the shadows.
Corporations, and the functional disciplines that comprise them, have been around over hundreds of years. Banks and manufacturing firms were among the earliest corporations, so it should come as no surprise that many major public companies today have deep competency in finance or operations—the initial disciplines that served as the foundation for our corporate ancestors.
Indeed, according to Deloitte’s 2016 Board Practices Report, other than the CEO and general counsel, the members of management most likely to regularly attend board meetings are the chief financial officer (CFO; cited by up to 99 percent of companies surveyed) and the head of a business unit (cited by up to 47 percent). What about the CISO? He only makes a regular appearance in board meetings for up to 11 percent of companies, by comparison.[5]
It should come as no surprise that CISOs are still clawing their way into these closed-door sessions. After all, with other functional disciplines spanning centuries, if not millennia (lawyers can claim their functional roots all the way back to ancient Egypt), the CISO’s role goes back only decades. Back then, we didn’t even call it “cybersecurity.” These early pioneers claimed their profession as “Information Security,” consistent with their field’s beginnings in “Information Technology.”
It’s critical we take a brief, but important, journey into the origins of cybersecurity for us to understand the relatively new role of the CISO. Back in the day, physical security and information security were largely one and the same. I remember, not that long ago, if I wanted to access my company’s network, I did so through a stationary desktop, connected to a physical Ethernet cable that took me to a local area network. The desktop and the Ethernet technology connecting it resided on my company’s premises. So the only way to access the corporate network was to physically enter the company itself—and that required a tangible security clearance, like my employee badge. I connected physical and information security inextricably in mindset and in practice.
I’m amazed at how much work has changed in just my lifetime. Work is no longer a place I go; it’s a thing I do. I increasingly work outside the safe, physical perimeters of my employer. I blend my professional and personal lives seamlessly—responding to email over my mobile device, connecting just about anywhere I can find WiFi, and accessing myriad cloud services that make my life easier.
I’m not the only one embracing work as a tetherless experience. Let’s consider how our relatively new work behaviors pose exponentially greater pressure on the CISOs who must defend us and our companies. At any given time, our CISO is balancing one or more of three strategic efforts:
Every adoption of a technology, be it mobility, cloud, or the Internet of Things (IoT) subjects a company to greater risk. That’s because the safe perimeter of the enterprise continues to erode in the process.
Case in point: Who “owns” the Internet? That’s a byzantine maze of complexity that would make the heads of the most technical among us spin.
Who “owns” the infrastructure of public clouds, like those provided by Amazon, Google, and Microsoft? That’s at least an easier question to answer—those companies are responsible for the physical security of those cloud environments. But that’s the equivalent of saying they own securing the physical access to those massive data centers, much the same way our companies own protecting the buildings in which we work. Cloud theft isn’t typically the result of resourceful thieves breaking into the physical data centers of major web companies. It’s the outcome of cybercriminals finding a way to hack the data residing in or traversing through said data centers.
Who ultimately “owns” responsibility for that data? That’s the easiest and clearest answer of all: your company—and your company alone—is responsible for securing its own data, regardless of where it resides—be it on servers located on your employer’s premises or those rented through a public cloud marketplace.
The cloud is just one example of the CISO’s receding control over the infrastructure used to store or transmit her company’s data. The bring-your-own-device (BYOD) movement is here to stay, meaning company-issued mobile devices may soon be relics of the past. There’s a good reason so many companies are rushing headlong to allow their employees to work on whatever mobile device(s) they choose. According to Frost & Sullivan, using smartphones for work saves employees close to an hour per day, while increasing productivity by 34 percent.[6]
To make the goal of transformation even more difficult to accomplish, old technologies have a very long shelf life. Even with business units rushing to deploy cloud services (with or without the formalized consent of IT), there’s still a long tail of on-premises infrastructure that must be maintained. Consider USB thumb drives as one example. In 2017, researchers at Ben-Gurion University documented 29 known attack vectors to compromise USBs.[7] And Apricorn, a manufacturer of software-free, hardware-encrypted USB drives, reported in 2017 that while 90 percent of employees used USBs, only 20 percent did so with encryption.[8]
Since long-tail legacy technology infrastructure rarely goes away and never does so quickly, these transformation pursuits entail risky expansions of scope and responsibility.
What’s our CISO to do? Frivolously support an all-access, anything-goes environment and he leaves his organization open to increasing risk. Become the department of “no” to contain the potential threat and he’ll likely be disintermediated by the very employees he must protect (remember those nearly 2,000 cloud services in use unbeknownst to IT professionals in the average company?).
The CISO is in an unenviable position. He must simultaneously protect his company’s most precious digital assets while advancing its transformation agenda. Unfortunately, those imperatives couldn’t be at greater odds with one another.
Cybercrime is big business—to be exact, a $600 billion business in 2017, up $100 billion from 2014.[9] In terms of global impact, cybercrime ranks third as an economic scourge, behind government corruption and narcotics.
How did we get here? There was a time when cybersecurity was relatively “simple.” Not only was security contained to the physical, as already mentioned, but addressing a threat was significantly easier. In 2006, McAfee detected 25 new threats per day. Ten years later, that figure had jumped to 500,000—more than five new threats per second!
Volume is only part of the challenge. Spotting a threat used to be straightforward. Threats came in the form of malware—software designed by bad guys to wreak havoc on their victims. The cybersecurity industry talks of “traditional” malware, including those pesky viruses you’ve come to know and hate. Malware once only came with a static string of code that allowed the industry to identify it as such. Think of it as a software fingerprint of sorts—what the cybersecurity industry calls a signature. Much like law enforcement relies on a national registry to identify criminals based on fingerprints, the cybersecurity industry looks for software signatures to load known malware into its own database. If the signature is found on a file, the file is blocked and the threat contained.
How times have changed. The most insidious threats no longer come conspicuously donning a known and readily identifiable fingerprint. Bad actors have grown much smarter. When you read this, the latest cybersecurity threat is almost certainly not listed here, but as I write this, my industry is fixated on “fileless” attacks. These threats surreptitiously exploit trusted technology within your organization, like sanctioned tools and applications. Then they do their damage, typically by gaining access to your company’s larger network and pilfering its data.
I say “typically” because data exfiltration is no longer the only tactic online adversaries execute. Ransomware is another topic du jour of cybersecurity, where adversaries won’t bother exfiltrating data to sell it on the Dark Web. They’ll shortcut their path to profit by locking (or encrypting) their victim’s files and demanding ransom for the key (or decryption) before permanently destroying them.
Or perhaps data and money aren’t the end pursuits at all. An adversary may be more inclined to wreak havoc by shutting down access to a victim’s critical systems, bringing the company to its knees in the process. Or hackers may practice information warfare, where data itself is weaponized to create chaos (just think of the volumes of data your company generates each day and how the tiniest manipulations to it could cause your employer considerable harm and confusion). Or perhaps it’s your company’s reputation the hacker is after, as McAfee learned the hard way with our social media exploit.
You get the picture. Not only are threats exponentially greater, but they’re significantly more complex and insidious. And the volume, variety, and vigor of threats translate to more risk.
How can CISOs be expected to explain this convoluted reality to their boards, many of which meet less than six times per year for four hours, on average, according to Deloitte? That’s 24 hours per year for the average board to cover topics ranging from company strategy to financial performance to sensitive M&A activities and everything in between. Is it any wonder that cybersecurity as a topic, with its highly technical and complex nature, gets short shrift by most boards?
But it doesn’t have to be this way. Cybersecurity is indeed highly technical. But it’s also very straightforward at its core. It’s fundamentally about risk management—a language in which most board members are naturally fluent.
CISOs are continually walking a tightrope in mitigating risk. They must strike the right balance between addressing high-volume threats that likely won’t cause catastrophic impact and low-volume, highly targeted attacks that can take a company down.
All of us, board members or otherwise, can relate to the CISO on the challenge of risk management, since we walk the same fine line in our own lives. We have bathmats in our bathrooms to prevent the risk of falls (a relatively minor risk for most under a certain age). We use smoke alarms in our homes and purchase insurance policies to mitigate more catastrophic risks, like fire. And while other truly cataclysmic risks, such as being struck by a meteorite, can happen (and, yes, this really did happen to one poor unfortunate soul in 1954[10]), we safely ignore these risks given their infinitesimal probability.
CISOs must categorize risks in much the same way for their companies. The challenge for our CISO is to simplify the topic of cybersecurity, without making it simplistic in the process. The onus for board members? Leaning in to the discussion, realizing the morass of complexity beneath the surface will rarely, if ever, yield a clear-cut decision. War doesn’t lend itself to clarity. Neither does cybersecurity.
“Doing more with less” is an annoying cliché of the modern enterprise. It’s also the CISO’s unfortunate mandate. Not only does the volume of threats show no sign of abating, but the demand for cybersecurity professionals far exceeds the supply of talent in the labor market. According to Cybersecurity Ventures, more than 3.5 million cybersecurity jobs will be unfilled by 2021[11]—that’s enough to fill 50 NFL stadiums!
And the problem is only growing worse. In 2014, the cybersecurity industry estimated it would be short one million professionals worldwide. By 2015, the gap had crept up to 1.5 million openings. In 2016, forecasters thought the cybersecurity talent shortage would be 2 million professionals in 2019.[12] Just as threats continue to increase, so does the gap for qualified cybersecurity professionals.
Given there aren’t enough people to throw at the problem, CISOs have resorted to a cavalcade of products from a vast battalion of cybersecurity vendors to fill the void. In stark contrast to the shortage in the labor market, there’s an overwhelming surplus of cybersecurity products vying for the CISO’s limited dollar. As of this writing, there are 3,500 cybersecurity vendors[13] courting CISOs. Each vendor offers one or more defensive technologies, many promising to solve a small (if not large) portion of the cybersecurity challenge.
There can be too much of a good thing. And the abundance of cybersecurity technologies available to the CISO is illustrative of this axiom. CISOs, attempting to demonstrate value and anticipate the next threat, have historically rushed to adopt the latest defensive technology for their arsenal against the adversary.
But they’ve gotten the short end of the stick in executing this strategy. That’s because the fragmented vendor landscape that competes for every dollar is itself a complex quagmire of technologies that, for the most part, don’t work well together. Too often, this technology is promoted, purchased, and put on the shelf. Budgets are spent, “shelfware” grows, and organizations are no more secure for the innovations, intentions, or investment. Even if the technology makes its way off the shelf and into deployment, chances are it’s not integrated with the rest of the organization’s defenses.
Imagine going to war with a cluttered mess of artillery in your inventory. Picture being inconsistent in deploying this weaponry to cover your bases against your enemy sufficiently. Now envision your fighters not being able to communicate with one another to share information about the threats they encounter to collectively bolster your coordinated defense.
You likely don’t have to imagine it. If your company has one, just visit its security operations center (SOC), the nerve center where your cybersecurity colleagues stand as first responders between your company and unending attacks. These front-line cybersecurity professionals have often inherited a patchwork of technologies and tools acquired over the years, usually adopted over multiple CISO regimes in their companies. Many of these products do not share threat intelligence, let alone make the jobs of cybersecurity professionals any easier. All too often, you’ll find your cybersecurity colleagues working for their tools, rather than their tools working for them.
Enterprise Strategy Group (ESG), an independent industry analyst that studies the cybersecurity market, reports that 40 percent of organizations have more than 25 cybersecurity tools deployed. Roughly the same percentage admit to manually collecting intelligence feeds. And 27 percent believe the security team spends most of its time fighting fires, rather than working on strategic projects,[14] leading to staff burnout and turnover—disastrous consequences for a CISO confronting a global talent shortage crisis.
As if that weren’t enough, there’s a dirty, unavoidable secret inherent in the cybersecurity industry. It’s this: no one product can defeat cybercrime. You may not find this surprising. After all, it would be the equivalent of going into a sustained war with just one weapon in your arsenal. You wouldn’t do it and expect to last long.
But there’s more to this reality. It’s not just that there isn’t a proverbial silver-bullet defense that inoculates all threats. It’s that every defensive technology is most effective when it is first deployed in the market. This is completely opposite from what we’ve learned as conventional wisdom in IT.
Think about it. When a new IT technology comes to market, most companies are reluctant to be an early adopter. After all, why be a guinea pig for an unproven technology? Let other companies go first, work out the bugs, and make the technology better (and cheaper). Then, follow fast in deploying it. That seems like a much smarter playbook for deploying your garden-variety IT technology.
But cybersecurity technology is fundamentally different. When an IT organization is deploying the latest fill-in-the-blank IT technology, there isn’t an adversary on the other side actively working against its success. Not so with cybersecurity. When enough of the market deploys a defensive technology that is highly effective against a threat, adversaries go back to their own product labs to develop countermeasures against it. They ultimately find a way to circumvent the defensive technology, if not make it less effective over time. (It’s at that time that cybersecurity vendors, like McAfee, return to our labs and develop countermeasures against the countermeasures, and the race continues.)
Time matters in cybersecurity. Being early to market with a new defensive technology especially matters. That’s because said technology will deliver maximum efficacy for the earliest of its adopters.
So let’s try to square this circle by thinking like a CISO:
Who wants that challenge? Not many. It’s why cybersecurity professionals truly are the unsung heroes of our companies. They stand in the fight for us. They sit in the shadows, invisible and largely unappreciated for their efforts.
Bringing us back to our CISO, “doing more with less” is so much more than a trope. It’s essential. She must find a way to automate as much of her environment as possible, to allow her scarcest asset, her employees, to hunt for the most sophisticated attacks. And she must aggressively deploy new cybersecurity technologies while not compromising her overall cybersecurity posture with nonintegrated defenses.
You now understand what your CISO is up against and can put yourself in her shoes:
Everyone reading this book is either part of the cybersecurity problem or part of its solution for his company. The CEO and board member are no exceptions. There are multiple ways to finally notice the Mr./Ms. Cellophanes among us and give them the credit and support that they so rightfully deserve.
First, cybersecurity should not be a random or sporadic topic to board agendas. Even more, it’s not a topic that can be outright ignored until the inevitable breach occurs. Boards must make cybersecurity a regular topic. I’m not so naïve as to believe that cybersecurity will ever earn the same amount of time or attention as financial performance, for example. But if boards are at all concerned about mitigating risk (and I’m confident most are), then give cybersecurity reasonable time on your agenda.
How much time should you allocate? It depends on how well your board already understands this topic. If you haven’t started by having your CISO give a meaningful view of your current cybersecurity posture, allocate at least 90 minutes to the topic. In that time, your CISO should cover the assets that are most critical to the overall company.
This requires significant consultation with business unit leaders. The right answer may not be so obvious. Customer data, for example, may not be your organization’s most prized asset (although it will likely rank very high on the list). If you’re in the business of running major manufacturing facilities, these sites may be your most strategic asset (and, yes, with connected devices permeating just about every facet of business, motivated hackers can, more often than not, compromise [if not shut down] these facilities).
Your CISO should provide the current vulnerability state for each asset, listed in priority order of the asset’s strategic value. Without oversimplifying the task, you can imagine a 2x2 quadrant, with vulnerability state and strategic priority plotted on each axis. Those assets that are both highly strategic and highly vulnerable deserve immediate budget reallocation.
On the point of budget allocation, while that may seem like an obvious output of this exercise, most boards are inclined to loosen purse strings only in the event of a breach—and even that’s a tall ask. In 2017, EY’s Global Information Security Survey found 76 percent of executives admitting that the allocation of additional cybersecurity resources would only be triggered in the case of a breach that did actual damage. A breach with no damage? Nearly two-thirds said it would not compel additional spending.[15]
Having sufficient cybersecurity knowledge to provide effective oversight of cyber risks is essential. And yet, less than 40 percent of boards have it.[16]
Once your board and CISO have aligned, make your CISO a regular attendee at board meetings. Cybersecurity changes at a dizzying pace. Your adversaries are highly motivated to do you harm. They don’t take a day off. You shouldn’t either.
Spend at least 30 minutes in each board meeting discussing the topic of cybersecurity. If the average board meets six times a year for four hours each time, I’m asking for less than 15 percent of your time on this important topic. Deloitte reports that less than 20 percent of boards feature cybersecurity as a regular board agenda item.[17] If Deloitte has it right, and cybersecurity is also the top risk for most boards, spending three hours per year regularly discussing it seems more than reasonable.
Have the CISO update your risk assessment in these sessions. He should be prepared to discuss how the vulnerability landscape of your assets has shifted. He will know this information from the output of what the cybersecurity industry calls red-teaming exercises or penetration testing. Insist on these exercises as a discipline. These are simulated attacks your CISO will coordinate against your company to test its defenses. He’ll organize two teams—a red team (the attackers) and a blue team (the defenders). The red team, typically composed of experts from external entities, tries to breach the blue team (the company). Through this exercise, the company finds vulnerabilities it did not previously know it had.
Know this: The red team always wins. And that’s a good thing. You want to discover your company’s vulnerabilities before hackers do. Compensating external agencies to discover your cybersecurity weaknesses is a lot more cost-effective than paying off adversaries (and regulators) in the event of an actual breach.
Finally, consider appointing a board member with cybersecurity expertise. This individual will bring a unique perspective to the table. As a steward for cybersecurity, he will ensure your board doesn’t regress in putting the function back in the shadows. It seems we have work to do on this front. Deloitte reports that more than 80 percent of companies have not added anyone to their boards with cybersecurity expertise in the past two years.[18]
The CISO is an indispensable, often underestimated, member of the executive team. While cybersecurity is everyone’s responsibility, boards and the CEO must set the right tone from the top of the organization. You must play your part in elevating cybersecurity to the role it has earned at your table.
One of my favorite movie quotes comes from The Usual Suspects: “The greatest trick the devil ever pulled was convincing the world he didn’t exist.” Your adversaries want nothing more than for you to keep your Mr./Ms. Cellophane neatly tucked away in the shadows. They’re hoping that, if you do, you’ll also ignore them—the increasing legion of hackers seeking to do your organization harm. These bad actors want you to deprioritize cybersecurity as a nonstrategic investment. Don’t give them that power.
If you fail on this point, you risk losing one of the most valuable members of your executive team: Mr./Ms. Cellophane. And given that cybersecurity talent shortage I mentioned, you will find it very difficult to hire a replacement anytime soon.
CISOs have a relatively short tenure at their companies, as low as 24 months by some industry benchmarks. ESG sought to find out why the life expectancy of a CISO is so short. The cybersecurity labor market is a seller’s market for now and the foreseeable future (thanks to that talent shortage). But ESG found that there’s far more than compensation in play when a CISO hangs it up and joins another company:
There’s a lot the CEO and board can do to be a part of the cybersecurity solution, including giving your CISO a voice. Beyond giving her access to the conversation, offer her a forum to argue her case for more resources (given what I’ve shared with you, her case for more dollars is likely more legitimate than not). All that said, treat her as an executive member and inspect her arguments by asking salient questions. To do this, you must first enrich your understanding of the cybersecurity problem—a pursuit I hope this chapter supported.
The true stuff of a CISO is made of anything but fragile cellophane. She has a backbone of steel in the stiff winds of transformation; iron fists to pound through an unending onslaught of attacks; and a jaw of concrete to take the blows of blame that would incapacitate otherwise weaker individuals. When you finally recognize and appreciate the grit and determination that make up the most misunderstood member of the executive team, you bring cybersecurity out of the shadows, along with adversaries who would love nothing more than to remain there.