TL;DR: According to CNBC, the first CISO was appointed in the 1990s. With more constant and more expensive security threats, CISOs are now challenged like never before. Read the top three ways CISO-level roles have evolved, and what CISOs should focus on in 2020 and beyond.
Chief information security officers (CISOs) are relatively new players on the tech scene. In fact, according to CNBC, the title “CISO” didn’t even exist until the mid-1990s, when Citibank invented the role to combat cyberattacks from a specific Russian hacker.
Since then, a lot has changed. The internet has exploded, and devices to access the web have become necessities. Both individuals and corporations use technology every day for a wide variety of purposes, ranging from the benign and mundane to the nefarious and highly dangerous. The proliferation of mobile devices and technology in general has opened up new security risks, and not just from the outside. According to the 2019 Verizon Data Breach Investigations Report (DBIR), 34% of incidents include an internal actor, with some industries experiencing higher levels of Insider Threats.
The role of the CISO has also changed in response. The Wall Street Journal recently reported: “CISOs Emerge From CIOs’ Shadow.” According to Forrester survey data referenced by the reporter, CISOs are now increasingly reporting to CEOs and presidents, rather than CIOs. The survey data showed that 35% of CISOs reported to a chief information officer (CIO) in 2019, down from 38% the year before. On the other side of the equation, 18% reported to a chief executive officer (CEO) or president in 2019, up from 16% in 2018. While these numbers may not be eye-popping, they are part of a larger shift in the role of CISOs.
As we look to the next decade, it’s worth taking a moment to reflect on the progress we’ve made when it comes to treating security as a top-level concern. Here are three ways CISO role has evolved since it came about in the 1990s:
1. The Internet is Everywhere
iPhones. Smartwatches. Internet of Things (IoT). These days, the internet is everywhere—and so, too, is the threat of a security breach.
While CISOs may have, at first, had technology like dial-up internet and phone fraud to combat, threats today are overwhelmingly digital. They’re also happening on all fronts. As work has become more mobile, the borders of the office and the network have disappeared. Employees switch between business email and personal email on mobile phones and computers. Companies store data in the cloud. USB devices fit gigabytes of data in a pocket or wallet. Software can be downloaded online with the click of a mouse.
The proliferation of internet-connected devices and the rise in mobile workplaces are not just here to stay — they’re accelerating. In Verizon’s 2019 Mobile Security Index report, 33% of organizations experienced an incident related to mobile phones. In that same report, 54% of organizations agreed that employees are the biggest risk in mobile security.
Security threats now happen across multiple channels and at an unprecedented pace and frequency. CISOs today must create a wide-ranging, integrated security strategy that covers all vectors of attack.
2. The Threats Are Coming From Inside
While it’s true that attacks can come from outsiders, around a third (34%) of incidents include an internal actor, per the 2019 DBIR.
Insider Threats from a company’s own employees, contractors, or vendors are a growing risk, and can have serious financial and data loss repercussions even if the behavior isn’t intentional. No one is immune, either: from Trend Micro’s breach, to JetBlue’s ticket fraud, and beyond, every kind of business suffers from Insider-caused incidents.
This is why every CISO today needs to consider building a dedicated Insider Threat management program.
Some Insider Threat best practices CISOs should consider implementing in 2020 include:
- Prioritize contextual intelligence
- Build complete Insider Threat management programs
- Balance privacy vs. security
- Understand root causes
- Begin to measure key statistics
Combining people, technology, and process, security programs today must be vigilant for the threats coming from within—not just without.
3. The Costs of Breaches Add Up
Increasingly, CISOs have a direct line to the CEO and the boardroom. Why? In part, it’s because the cost of breaches can be astronomically high.
Ponemon Institute’s 2020 Cost of Insider Threat Report: Global (forthcoming) found Insider Threat incidents have increased by 47% since 2018, while the overall cost of incidents has risen by 31% to a whopping $11.45M.
Security strategy must also be more tightly integrated with business strategy. In a 2017 Ponemon Institute report on the role of the CISO, 58% of survey respondents felt that IT security stood apart from other elements of business. When you consider how expensive data breaches and other security incidents have become for companies, it’s clear that IT security should be aligned and integrated with other business functions 100% of the time.
For example, a company’s legal department should have a voice in establishing policies around Insider Threats, including guidelines around user monitoring and how to comply with laws such as GDPR after breaches occur. HR teams should also be looped in, as they can provide warnings when an employee’s termination or other delicate personnel event could potentially lead to an Insider Threat.
While the CISO role is a relatively new one, it has evolved rapidly alongside technology. As the Wall Street Journal article shows, CISOs are increasingly valued and senior members of the C-suite, and their decisions have a serious impact on the bottom line, corporate liability, and financial risk. Insider Threats are one of the most important risks that CISOs need to take seriously in 2020 and beyond.
Visit us at RSA 2020 to Learn More
Drop by booth #6445 to meet the ObserveIT | Proofpoint team