The Rise of the CISO
Today, the cyber security market is worth nearly $75 billion annually and is expected to reach $170 billion by 2020. Most companies want cutting-edge security and know that they need security leaders. But it hasn't always been that way.
My first security job was in the year 2000, before mass-mailing worms, web applications, virtualization and the cloud ever really existed. My role was mostly focused on securing physical infrastructure. “Security” was all about controlling the gateways into your environment. The significant difference between the security environment then and today is that now we are also concerned with the traffic that is leaving our environments, instead of only being concerned with our inbound connections. As security professionals, we need to operate under the assumption that something we care about has already been compromised; we have to assume that there is malware running in our environments. To make matters worse, company data is no longer on one corporate network. Businesses are housing their data outside of their own environment, leveraging both SaaS services and cloud infrastructure. We need to make sure that every single disparate environment a company’s data touches is as secure as possible.
This is the reality in which we live. As a result, more and more security leaders are sitting on executive boards and playing a huge role in overall company strategy. Security has evolved into one of the most important functions for any company, impacting all aspects of a business. And with it, the role of the security professional has undergone a drastic transformation.
A New Necessity
It could be argued that the transformation of security into a significant business priority began with Google in 2009. The first real high-profile information security attack, Operation Aurora, lifted the veil on the true consequences of cyber attacks. Before Google was brave enough to admit compromise at the hands of Chinese hackers, publicly disclosing a breach was on par with admitting you had the plague.
Quickly following the Google Aurora event, companies were coming out left and right, admitting that they too had been hacked. This prompted a big shift in how security was perceived. Security professionals at major businesses began to break out of the IT function and operate their own departments. It was finally apparent that businesses’ use of technology had become far too complicated and necessitated experts whose job was to protect company assets. Unfortunately, this was still not enough for many to justify the expenditure and, more importantly, it was still not enough to shift industry perspectives and make security an essential business function at companies around the world.
Evolving into a Top Priority
Four years after Google’s Aurora event, Target’s infamous data breach further transformed industry perspectives about security leadership to where they are today. Many in the business community were forced to stop ignoring the obvious: Neglecting a security program can have a devastating impact. This was an attack where both the human side and technology side of a security program were broken, and the consequences shook one of the world’s best-known companies to the core.
For the first time on a large scale, it was clear that by not taking security seriously a company could suffer a massive hit to its credibility, customer trust, and ultimately its revenue. Some companies finally took a cue from Target’s predicament and began to invest heavily in new security resources, including new security leaders. Some CISO- and CSO-level professionals were even invited into the boardroom and given the financial backing they needed to fully staff their teams and deploy modern security solutions.
Despite all of this, only a fraction of companies learned from Target and the subsequent breaches that impacted several of the world’s biggest companies. Many security leaders still lack the resources, team and influence that they require in order to make a substantial difference. As the costs for security technology continue to increase and threats continue to become more complicated, security leaders need to be allocated new resources and support. Unfortunately, navigating this from a business perspective can be difficult and many security departments continue to struggle. In fact, in a recent survey conducted by IBM, only 70 percent of CISOs said they strongly agree that they are receiving the organizational support they need to do their jobs effectively.
The Future of the CISO
While there’s still a lot of work to be done, demand for CISO- and CSO-level professionals is the highest it has ever been. Many of us are being brought on as consultants, and the diverse nature of our responsibilities is exploding. In fact, the role of the CISO is now one of the most broadly scoped roles in any organization. Security leaders are tasked with assisting legal and human resources, product development, risk management, identity management, finance, business enablement, threat protection, business continuity, and so much more.
The question is, how can CISO and CSO professionals keep up and stay organized when thrown into managing and working across so many different departments? And how can businesses, which now know that they need to invest strategically in security, best equip and empower their security leaders to succeed?
There needs to be a crucial shift in how security departments interact with other company functions. Traditionally, security has reported to IT. By flipping this on its head, and having IT report into security, all technology decisions within a company are made with a security mindset. At Malwarebytes, we have found this to be essential to making sure that all internal functions, solutions, customers, partnerships, and more are as secure and safe as they can possibly be.
As threats continue to evolve to impact more aspects of business, security leaders need to evolve with them. As a security professional, your biggest asset is being able to show how impactful and beneficial your work is for a company’s bottom line. And as a business community, it is everyone’s responsibility to pay attention to this message. We have come a long way, but there is still so much more work to be done as we constantly strive to ensure that every consumer and every business is protected.