- Cyber Pro Club
What Makes An Elite CISO?
Security Myths, Free Resources & Cloud Vulnerabilities
Good morning!
In today’s line-up:
How to be a top CISO
5 security myths to avoid
Useful resources and reading
The latest on cloud security vulnerabilities
PLUS, a job-hunting tip to help you understand the game better
How To Be A Top CISO
A Chief Information Security Officer (CISO) is the top-level professional executive in an organisation responsible for all things security.
There are many routes that people take to the top of the pyramid, leveraging both technical and managerial skills.
A CISO is responsible for managing and coordinating capabilities across every domain to protect an organisation – which is no easy feat. This often means strategising how best to leverage budgets to increase the performance and maturity of capabilities.
I have never been a CISO, but I know one thing for sure… it’s really, really hard.
Think about:
All the data your company has
All the third party and vendors it works with
All the emails and data exchanges happening every day
All the endpoints and devices being used by employees
All the legal and regulatory requirements you must align with
All the incidents, events, and vulnerabilities your teams are facing
All the evolving threat vectors popping up every day
Now consider the fact that one weakness amongst all of that could cause a significant breach disclosing millions of records, impacting the reputation of the company, and costing a significant amount to not only remediate, but pay in fines.
Will leadership support the CISO? Will they push a cover-up? Will the CISO be held personally liable for the breach? This is what CISOs sign up for, and it is why around 50% of global CISOs return to their previous role after two years or less.
I’ve spoken with CISOs from all over the world and the top performers have these 5 things in common:
An ability to manage large teams on a global scale (potentially 200+ people)
Next-level attention to detail - meticulous in nature.
They execute on plans (they get sh*t done) – there is too much talking sometimes and we need more doers.
They are communication pros that adapt to the needs of the audience and drive progress.
They put the business first – they tie all activities back to creating value for the business.
CISOs may not be in the weeds reviewing policies in Azure Policy, coding, or reviewing SOC reports, but they are laser focused on driving the business and the security capability forward.
The best operators leave their ego at the door, listen to the expertise of their teams and make decisions to drive business outcomes.
They focus on what they can control.
Avoid These 5 Security Myths
When you’re in the early years of your cyber security career, there are many myths and misconceptions that can undermine the effectiveness of your work.
Myth 1: Security is only an IT issue
Security is a thread that runs throughout the whole business. There are technical IT related challenges, but there are also data privacy matters, legal issues, strategic decisions, HR implications, and many more. The security puzzle requires a collaborative effort from all business units. We all have different roles to play, but we’re all working towards the same goal.
Myth 2: Security is a one-time project
Many people still view security as a one-time thing for them to complete and get the green light for their project, following which they’ll never look back again. In reality, security is an ongoing process that requires constant monitoring, updating, and testing. Security is not a static state, but a dynamic one, as it depends on the changing needs, goals, and risks of your organisation.
Myth 3: Security is too expensive
A third common myth is that security is too expensive and is not worth investing in. A security professional’s responsibility is to help the business understand that security is a benefit to their work and will protect them from potential losses, damages, and liabilities. Furthermore, security is not a fixed expense, but a variable one, as it can be tailored to your budget, priorities, and resources.
Myth 4: Security needs to be 100%
We don’t guarantee 100% protection, nor do we seek it. We seek to achieve the greatest level of protection we can provide within the constraints of the budget and business requirements – our goal is to help the business achieve its objectives, not simply get green results next to compliance assessments.
Myth 5: Security is the same for everyone
A final myth is that security is the same for everyone and can be applied uniformly across organisations. Security is not a generalisation but a specification, as it needs to be adapted to the context, scope, and scale of each information system.
Useful Resources & Reading
How financial institutions protect their cloud environments.
Cyber Security Breach Report Collection: A collection of companies that disclose adversary TTPs after they have been breached. Useful for analysis of intrusions launched by adversaries with measurable effects and impact.
Day-1 Skills That Cybersecurity Hiring Managers Are Looking For by Dan Miessler.
Essential Guide to Cyber Security Compliance.
Cloud Vulnerabilities Up 200%
IBM tracked 632 new cloud-related vulnerabilities (CVEs) between June 2022 and June 2023, a 194% increase from the previous year.
Over 40% of the CVEs discovered during the current reporting period could allow an attacker to obtain information (21%) or gain access (20%).
The top initial access vector for cloud compromise during the period was the use of valid credentials by threat actors. This happened in 36% of real-world cloud incidents, with credentials either discovered during an attack or stolen prior to targeting a specific victim.
Plaintext credentials were found on user endpoints in a third (33%) of engagements involving cloud environments, and many of those credentials belonged to overprivileged accounts. Excessively privileged users can be defined as those who have more permissions than they need to do their job or task.
In joint second place as the next most common initial access vectors were exploitation of public-facing applications and phishing/spear phishing, each accounting for 14% of engagements.
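The finding above (plaintext cloud credentials sitting on user endpoints) is something a blue team can check for itself. The script below is an added example, not code from the newsletter or from IBM's report: it walks a directory tree looking for the at-rest signatures of long-lived cloud credentials (AWS access key IDs and secret keys, PEM private key blocks, GCP service-account JSON), filters low-entropy placeholder values so documentation snippets do not drown the real hits, and redacts what it reports so the scan output does not itself become a credential leak. The pattern set, skip list, size limit, entropy threshold and the sample files it builds in a temporary directory are all assumptions for the demo; the key values used are AWS's published documentation placeholders, not real credentials.

```python
"""Scan an endpoint's files for plaintext cloud credentials.

Added example, not from the newsletter or the IBM report. Patterns, skip
list, thresholds and the constructed sample tree are assumptions for the demo.
"""
import math
import os
import re
from collections import Counter
from pathlib import Path
from tempfile import TemporaryDirectory

# Signatures of long-lived cloud credentials as they appear at rest.
# AWS access key IDs carry a fixed prefix (AKIA = IAM user key, ASIA = temporary
# STS key) followed by 16 upper-case alphanumerics; the secret key is 40 chars
# from a base64-style alphabet and is normally labelled in config files.
PATTERNS = {
    "aws_access_key_id": re.compile(
        r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "gcp_service_account": re.compile(r'"type"\s*:\s*"service_account"'),
}

SKIP_DIRS = {".git", "node_modules", "__pycache__", ".cache"}  # assumption: noisy trees
MAX_FILE_BYTES = 2 * 1024 * 1024  # assumption: skip large/binary files
MIN_SECRET_ENTROPY = 3.5  # bits/char; random 40-char secrets score ~4.5-5.3


def shannon_entropy(s: str) -> float:
    """Bits per character of s; placeholders like 'AAAA...' score near zero."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of a value to triage it without copying the secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "***"


def scan_text(text: str, path: str) -> list[dict]:
    """Return one finding per credential-shaped match in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # Real secret keys are random; drop low-entropy documentation
                # placeholders rather than flooding the report with them.
                if kind == "aws_secret_access_key" and shannon_entropy(value) < MIN_SECRET_ENTROPY:
                    continue
                findings.append({"path": path, "line": line_no,
                                 "kind": kind, "value": redact(value)})
    return findings


def scan_path(root: str) -> list[dict]:
    """Walk root, skipping noisy directories and oversized files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            try:
                if p.stat().st_size > MAX_FILE_BYTES:
                    continue
                text = p.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            findings.extend(scan_text(text, str(p.relative_to(root))))
    return findings


# Constructed sample endpoint. The AWS values are AWS's own documentation
# placeholders; the PEM body is a made-up fragment, not a real key.
SAMPLE_FILES = {
    ".aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "keys/deploy.pem": (
        "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg\n-----END PRIVATE KEY-----\n"
    ),
    # A docs placeholder: matches the secret regex but has zero entropy.
    "docs/setup.md": "aws_secret_access_key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n",
    "notes/readme.txt": "Rotate keys quarterly; never commit ~/.aws/credentials.\n",
}


def demo() -> list[dict]:
    """Materialise the sample tree in a temp dir, scan it, return the findings."""
    with TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            f = Path(tmp) / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(content)
        return scan_path(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}:{f['line']} {f['kind']} {f['value']}")
```

Run against a real home directory by calling `scan_path(os.path.expanduser("~"))`; pair any hit with the account's IAM policy review, since the report's point is that the leaked keys were often overprivileged as well as exposed.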
Although all regions suffered cloud-based attacks, Europe accounted for the vast majority (64%) followed by North America at 29%.
Red Hat Insights data supported these findings, revealing that European organisations accounted for 87% of malware scans, followed by North America at 12%.
Job Hunting Tip – Consider Others’ Perspectives
When you’re applying for security roles, you’re going to speak to hiring managers and recruiters with different perspectives.
Two people can read the same CV you submit and reach two entirely different conclusions based on their own personal experiences and biases.
For example, I know someone who was looking for a new role after 12 months in his existing role – he had spent 10+ years with a company before this one.
Recruiter 1 perceived this short time frame as an indication of a potential lack of loyalty, despite having spent 10+ years working at another company prior.
Recruiter 2 perceived those initial 10+ years as a sign that he was perhaps inflexible and uncomfortable with change, despite evidence of continuous learning, certifications and skills development.
Two recruiters, two different concerns, two different outcomes – one CV.
This serves as a reminder that, despite our best efforts, we don’t control how others perceive us or our work.
The main lesson here is to consider different perspectives, prepare responses to put their minds at ease and roll with the punches.
Job searching comes with all kinds of twists and turns, but in the end, you’ll land where you’re meant to be. Stick with it.
Wisdom
“Focus on what you can control.”
For those working in security, there are many things out of your control, such as the opinions of others, your past performance, and to an extent, what your future holds.
How stressful your job is depends on a huge number of factors, such as the financial performance of the company, people leaving, training and development, the soft skills of your team, and so on.
For those working to break into security, you can’t control how many roles are available in the market, how many people apply for a role, where the role is located, and many more factors.
The only things within our control are:
How we respond to adversity
Where we focus our attention (never stop learning and growing)
How we treat others (this has a huge impact on job satisfaction)