What are the biggest challenges that a CISO faces today?
The role of Chief Information Security Officer or CISO has been around for 25 years, pioneered Steve Katz 1995, but only seems to have gained traction more broadly over the past 5 - 7 years.
The role has now firmly established itself as an integral part of the corporate hierarchy as enterprises have begun to take security concerns more seriously. Which is understandable as according to the IBM Security Cost of Data Breach Report; the Average cost of a data breach in 2020 was a staggering $3.86 Million.
Some of the key challenges faced by CISO’s and those responsible for a company’s security capability include, but are of course not limited to;
Hackers and Adversarial AI
Very likely near the top spot. Coming from multiple vectors, times and styles. The ol’ game of cat and mouse.
There is a lot a CISO can do to mitigate risk and reduce the possibility of data breaches and system compromise. But that all gets thrown out of the window when an employee unknowingly falls for a phishing scam, clicks on ransomware, introduces Shadow IT etc
Tick box security
Probably the most challenging of all. When a company hires someone to focus on its security capability but isn’t really invested in it, but need to be seen to do something.
In reality in many cases this is down to the board, owners etc not understanding the importance and or impact of security.
Does the CISO join for the challenge and try to manage upwards, educate and make a difference? Or bang your head against the wall and leave like others have in the past.
Lack of Developed Security Professionals
When faced with threats from multiple vectors, a well-developed cybersecurity team poses the most reliable defence to hackers. But Identifying, sourcing, building and retaining that crack commando unit is no easy feat. There is a chronic skills shortage of the very best cyber talent in the industry. The top 25- 30% of talent in the industry have their head down and are well looked after. Combine that with the fact that the traditional methods that most internal talent teams and external recruiters use do not consistently attract this talent in a buoyant market, yet alone in the strange times we find our self in #2020, and it is no surprise that companies struggle and often fail to attract the very best talent .
Since the beginning of the IT services profession, budget allocation, constraints and reductions have always been a challenge. Allocating a budget into something where there is no obvious return can be a hard pill for a board to swallow. But in the case of security- no news is very much good news. Unless of course you have been breached and don’t know it.
Thoughts from an expert:
Robert Rodger, CISO at Butterfield Group.
Security is a team sport.
Often security teams fail as they try to own everything, the we can do it best mentality it creates animosity, is costly, does not scale and will fail. Security is a team game where everyone in an organisation needs to play their part. Enable teams to do their job securely, as a example; provide developers with the tools, knowledge and support to deliver security code and test it themselves. Do the same with the front-line business team, infrastructure folks. Do that and you have delivered one method of scaling security and making it culturally embedded not just a bolt on process.
Alex Radford, CISO at Global Processing Services Ltd
It sounds cheesy, but security really is everyone’s responsibility. It would be great if common sense was common but unfortunately it isn’t. One of the aims today, is to make security as simple as possible for the users to comply with, which means focusing on the core pieces of security such as good access control processes and simplifying the requirements on the users. Mistakes will still happen, and they are an opportunity to learn, but when they do happen having the correct controls to ensure impact is small is helpful for the business.
Good security is not just how many compliance standards have you passed, it needs to be pervasive and ongoing. Achieving standards is a demonstration that the right things are being done, but being secure is more than just the minimum to meet a standard.
Elliot Rose, Member of PA's Management Group
In the current challenging COVID19 conditions we are seeing an increase in attacks as organisations around the world have been forced to divert resources and adopt more porous operating modes. Organisations and employees are working out of habit and employee’s defences can be down, as they adjust to the new ways of working and are having to make significant personal adjustments to daily life in order to operate safely. Increasingly organisations are experiencing a greater number of attempts to ‘socially engineer’ an attack in order to elicit sensitive information. CISOs are under pressure to provide employees with secure collaboration tools and messaging facilities. Communication is also key and business leaders (not just the CISO) need to ensure that employees are fully aware of the increase security risks.
We are also seeing secure remote as a business enabler, driving greater take up of digitisation and reducing costly office overheads. Many organisations are already looking ahead and planning how they can make the most of their investment in secure remote working to grow their business further. That means CISOs need to properly understand the changes in the business that are planned, identifying where cyber security can underpin the changes in a way that is supportive to the business.
David King, RISO at OmnicomMediaGroup
“The Boy that cried Wolf”
We are (or perhaps ‘were’) often accused of being that boy… the one that cried wolf… and we all know how that ended! There is often a disconnect between what we, as security professional, say and what our customers, clients or users expect or hear. In the same way, we are often accused of scare mongering. The GDPR was an example of that “If you don’t do as we say you’ll end up with a massive fine”. We need to get better at telling impactful stories. Why we want the company to part with cash, why people need to do their training, why we need to install more agents on the machines and why we need to monitor the network. Telling the right kinds of stories helps people understand and appreciate what we are doing and why. It’s another way of building trust, and trust is key when you’re trying to develop a culture of security.
- IAM Consultant
- Upto €85000 plus benefits
An Identity & Access Management Consultant is needed for an expanding IT Security consultancy, based in France. (Remote role with monthly office meet-ups) The Identity & Access Management Consultant will be responsible for the technical design and implementation of Identity & Access Management/IAM products for a wide variety of clients. Deliver bespoke end-to-end consultancy service to our clients, from gathering requirements through to implementation. Work in a close team designing, developing, and implementing first-class IAM solutions. Manage client relationships, working closely with key stakeholders to continually evaluate business requirements and ensure the highest quality solution delivery. If you are interested we are looking for an individual with Previous experience working within the IAM or CIAM field is essential, Strong knowledge with SAML and Oauth and ideally OpenID Previous experience from any of these technologies: One Identity, SailPoint, Saviynt, Ubisecure, Ping Identity, would be advantageous
- Ping Identity Support Consultant- IAM Support
- upto €60,000 plus benefits
As the Ping Support specialist, you would be part of a team focused on Single Sign On (SSO) / Federation and Multifactor authentication, protecting our clients from unauthorized access and cyberattacks. The position is to provide 2nd/ 3rd line support, for the following tech. SSO, Federation, Reverse Proxy infrastructure, Apache servers, and its associated components and applications To be responsible for the day to day operational support, performance, tactical lifecycle management, and continuous improvement of the respective IT infrastructure. We are looking for someone with strong SAML and OAuth Knowledge as well as experience supporting the Ping portfolio of solutions Identity, Access, Federate
- IAM Architect Ping Identity, Access Federate
- Up to €110,000 plus benefits
An experienced Ping Identity Architect is needed for this global brand who are looking for someone who wants to join a growing Cyber Security team. We are looking for a senior Architect who can be responsible for the full IAM portfolio, including overseeing all BAU work as well as being responsible for the future strategy and development of the IAM portfolio further development and strategy You will be responsible for ensuring all architectures and best practices within the architecture framework are maintained and developed We are looking for someone with a strong Ping background, in Ping identity, federate, and Access, you will have worked as a senior consultant or architect in previous roles and ideally have some team-leading experience You will have good knowledge of architectural principles and patterns and their implementation into system and software design Experience in handling container technologies, cloud technologies, CI/CD (DevOps) and LDAP
- Security Engineer Contract £600 pd Outside IR35- SIEM, Vulnerability Management, DevSecOps
- United Kingdom
- £600 pd Outside IR35
Security Engineer Contract £600 pd Outside IR35 SIEM, Vulnerability Management, DevSecOps 6 month Contract Hybrid – some travel to London Google Chronicle – SIEM Crowdstike Spotlight – Vulnerability Management Google Cloud Platform - GCP Application security Core areas; Oversight of alerts with any improvement, fine tuning, enriching / use cases. Proactive vulnerability management – Prioritising and engaging with internal teams to remediate Advising / consulting within internal development teams to focus on, embed and evolve security as part of ongoing software / platform development. Push and enhance technical aspects of security forward. Beneficial experience Automation of security / data enrichment Looking to interview and engage ASAP