Intelligent CISO Issue 98 | Page 53

SPECIAL REPORT
Paul Colwell, CISO, Wavenet
I visit a lot of Wavenet customers and attend and speak at a number of CISO events, and I believe the answer to this question changes depending on the size of the customer.
Most CISOs or senior technical leaders I speak to within enterprise organisations feel under pressure because the business has invested heavily in cybersecurity and is often regulated. This can lead business leaders to feel a sense of security, when in reality, the larger the organisation, the greater the complexity and risk.
Most enterprises will have invested in, or built, Security Operations Centres (SOCs), but they often overestimate their visibility and effectiveness. In addition, controls may have been rolled out, but these are rarely consistent across the organisation due to M&A activity, legacy systems, or VIP exceptions. On top of this, the mix of on-premise and cloud infrastructure makes it increasingly difficult to maintain visibility of assets and vulnerabilities as the organisation grows.
In contrast, within smaller businesses, many still believe cybersecurity is solely an IT issue. Business owners often place too much reliance on their IT manager or MSP and do not fully understand or take responsibility for the broader, nontechnical implications of a breach.
Although less common than it once was, the belief that small businesses are too small to be targeted still persists. Many smaller organisations, particularly those under financial pressure, view cybersecurity as a cost rather than a business risk. As a result, they tend to do the bare minimum and fail to recognise the link between a cyberattack and business survival until it is too late.
Rex Booth, CISO, SailPoint
Many business leaders still see cybersecurity as a pure technology problem. A problem that’s solvable with the right tools and the right funding. And, yes, cyber is founded in technology, but neither the problem nor the solution exist without the human element.
On the offensive side, cyber doesn’t stand on its own – it’s a tool used by humans to pursue their goals. Those goals vary widely from revenue generation to industrial espionage to offensive activism. Business leaders need to understand the various motivations of attackers and their business’s appeal as a target. Does the business process funds? Seem ripe for a ransom? House sensitive secrets? Answers to those questions should inform your cybersecurity strategy. That’s fundamentally a human dimension.
On the defensive side, tools and technical capabilities alone won’t secure a business. People – and the permissions that accompany their digital identities – are a prime target for attackers. Does your business culture allow employees to question suspicious requests from senior executives, or are they expected to simply salute and execute? Do they accept security as their responsibility, or is it seen as somebody else’s problem? Imbuing your employees with a healthy dose of suspicion and empowerment extends your defences to all corners of the organisation.
Cyber exists in the digital domain, yes, but the solution is not only bits and bytes. The human element is just as critical to secure.
Sergiu Zaharia, PhD, CISO, Pentest-Tools.com
I keep running into the same pattern, 25 years into working across military intelligence, telecoms, and strategic consulting: business leaders delegate cybersecurity entirely to their technical teams, approve a budget for tools and infrastructure, and consider the problem handled. The issue isn’t that they don’t care about security, because most of them do. It’s that they genuinely believe their job ends at allocating resources and delegating responsibility.
Incidents that most clearly prove this isn’t true are not the ones involving sophisticated zero-days or nation-state attackers. They’re the ones involving a civil servant sharing credentials in plain text via email, or a single admin account with access to 1.2 million bank records and no anomaly detection on query volume. The technical controls existed. The leadership understanding of what those controls needed to protect did not.
When I facilitated crisis simulations for organisations in regulated sectors, the most common finding wasn’t technical. It was decisional. Who has authority to take a production system offline? How and when to communicate about the incident we have? Is it OK to pay the ransom? When does legal counsel need to be in the room? Teams who’ve never practised answering these questions under pressure don’t answer them well. And a CISO working in isolation from the rest of the executive team can’t answer them at all.
Organisations that handle incidents well don’t necessarily have the most mature technical controls. They’re the ones where the CEO, the General Counsel, and the CISO have had an uncomfortable conversation (or more) in a controlled environment and know how each other thinks and acts under pressure. Cybersecurity becomes a competitive advantage only when leadership treats it as a strategic discipline, and this principle isn’t part of the status quo yet.