Whenever I get the chance to talk with CISOs, particularly those who are leading efforts to expand and evolve their security programs, I jump at it. It’s an area of practice that is still very young, and it’s changing constantly in response to changing threats and the changing platforms and applications that it’s meant to protect.
On November 18, I joined Eric Aslaksen, the CTO at iVision and someone I know to be well-versed in security, to talk with a group of iVision client CISOs. We got together to talk about their objectives and insights as they reacted to the events of 2020 and planned to secure their organizations in 2021.
There’s a lot more to security planning in today’s environment than a couple of percentage points of budget increase to stay on track. The environment is so dynamic, and the threat vectors so varied, that it was fun and energizing to get some new perspectives.
To start, there are the technical impacts associated with the increased presence and emphasis on remote workers. With it come challenges of visibility, heterogeneity and an overall reduction in control of the threat surface. In addition, the same pandemic that is keeping people out of the office is creating a revenue drag in some industries. Increasing threat surface, increasing complexity and less available cash? Navigating these waters will take skill, and these folks are looking to share their own experiences.
That experience includes influencing and supporting their organizations’ overall technical strategies. We’ve seen virtualization and cloud-based service adoption accelerate with the deterioration of on-premises infrastructure, and these new enablers don’t have the same security touchstones as older, physical systems. In the cloud, so much is transient and different that legacy security tools just can’t keep up. These CISOs are leading teams that are quickly getting up to speed or getting help in order to maintain their existing level of protection in these new environments with the accompanying new tooling.
One of the CISOs captured a different angle on the impact of these new pressures. The dynamism of 2020, combined with an accelerated move to the cloud, has strengthened his organization’s resolve on its zero trust plans and put a new emphasis on integrating identity more quickly into his security planning as the corporate system/network protections became less relevant. As a result of the increase in remote workers and remote systems, he felt that the organization was moving to a “cloud-first” implementation more quickly across its platforms.
All of this is leading to changing strategies to ensure continued security effectiveness in 2021. The combined pressures of changing threats in an increasingly diverse environment are going to lead to some serious discussions about responding quickly while controlling costs. The complexity of the resulting portfolio is creating a new need for consistent measures and reporting cadences that will keep these leaders informed.
Another CISO talked through his strategies for increasing visibility and security at the endpoint to better understand and protect the activities of employees and contractors now contributing remotely. In his industry, there is constant reaffirmation of the importance of client privacy and data confidentiality, so, as they evolve to delivering their services from these multiple remote locations, their strategy has to include protections that maintain this high level of diligence.
Clearly, all of this points to the need for more expertise and capabilities at a manageable cost, so we’ll also be talking about partnering. How do these organizations balance their partner and security portfolio strategy, and what are their criteria for deciding what to keep in-house and what to achieve with partners? Those questions and criteria are a huge part of controlling exposure and budget, and they reflect the realities of a security industry that is still woefully short-handed and reliant on too few experts.
One of the iVision client CISOs, whose organization was sponsored by the board of directors, still emphasized the cost pressures on the security team. He talked about finding ways to lower costs through shared services and other means while maintaining commitment to the security outcomes he was required to deliver.
Maybe the most fun part of the conversation was looking ahead 12 months. I was interested in where these CISOs see their organizations and our industry down the road because I have my own thoughts, but I’m not fighting their fight every day in their shops. Aside from strategic thinking of areas for investment, one of the CISOs, who had come into the job just prior to COVID, had a great quote that I’ll share here:
I told my entire security department, “Look – you know security is a business. Security is going to have a face here and it’s going to be a smiling face.”
Further, he talked about the fact that, going forward, his team has to have solid relationships across the company and work with everyone: more than IT, more than execs, more than other security teams. That, I think, was the most impactful outcome from this iVision CISO session. In our new and highly interconnected, heterogeneous, home-based work environment, the security team has to reach out and understand its organization more than ever before. As an industry, we’ve done more preaching than listening, and I think I’m seeing these leaders adopt a strategic focus that will make their security better and their roles more stable as a result.
Thanks to all for the insights, and to Eric and iVision for bringing me along.