• United States



by David Braue

SecurIT 2019: Being a CSO is like Game of Thrones

Jun 14, 20194 mins
Access ControlBackup and RecoveryBusiness Continuity

With the threat climate continuing unabated, the impact of increasing volumes of attacks – and increasing pressure to stop them – has taken its own toll on CSOs who, iOOF Holdings head of cybersecurity and technology risk Ashutosh Kaps? noted, suffer from high burnout rates, job-related physical and mental health issues, loss of a sense of purpose, and constant fears for their jobs.

Two-thirds of CSOs don’t last more than three years in their positions, he said, likening the constant pressure of the CSO role to Game of Thrones – which he illustrated with a montage of the biggest, and most brutal, surprise murders throughout the series’ run.

Like the show’s many ill-fated characters, CSOs often never saw their threats coming – but live in constant fear of the day their number is up.

“CSOs have the sole responsibility for security in a constantly shifting landscape,” he said. “It is expected we are around 24×7 – and every time the SOC escalates something and says the Rapid Response Team needs your attention on this particular issue, my heart drops.”

Despite knowing the important response is ‘don’t panic’, Kaps? said, “it still happens.”

There are strategies for managing this stress, however, and Kaps? offered the audience a few – including proactively updating the board about company exposure to high-profile security vulnerabilities, and boosting the prominence of cybersecurity by tracking and sharing key metrics around patching status, employees’ phishing susceptibility, and so on.

“This is technical information, but in the long run they are indicators of governance,” he said. “Don’t go in to talk with the board and assume you can’t put in anything technical; over time, I have educated the board and made them aware of what they need to look at.”

“Don’t be afraid to give information, as long as you can couch that in terms of the impact on risk management and governance.”

Greater visibility of key metrics had generated strong follow-on benefits: patching practices, for example, improved dramatically once the security team realised their relatively low numbers were being surfaced for everyone to see.

Kaps? also flagged networking as crucial to helping CSOs distribute the pressure of cybersecurity – encouraging both mentorship and the maintenance of a “circle of trusted CSOs”.

“You can learn from them and they learn from you,” he said. “When you share and understand what other people are doing, you get a bit of relief.”

Facing the automation threat

As if the cybersecurity climate wasn’t already causing enough problems, increasingly sophisticated automation techniques are helping hackers breach and exploit victim organisations while they sleep.

Ty Miller, a security expert and founder of consultancy Threat Intelligence, was on hand to highlight the dangers of automation as an adjunct to conventional, manual cybercriminal techniques. “At the moment we tend to allocate our security budgets to pieces of work,” he said.

“As you go through the year, that doesn’t necessarily play out: if you suffer a security breach halfway through the year, it suddenly needs a big injection of funds into incident response to be able to contain the breach and get it back under control. That potentially soaks up funds from your security budget, which means the rest of the funds you’ve still got to perform throughout the year no longer have funding.”

Much has been made of automation tools that allow cybercriminals to design, improve and execute attacks with increasing severity – and companies’ natural response, to increase their use of security automation tools for tasks like developer security, penetration testing, procedural responses to breaches and collection of details about a breach, was helping relieve the burden on overworked security staff.

Yet increasing automation, Miller warned, creates risks as well as reducing them.

Automated incident response tools might, for example, respond to a detected security event by disconnecting an endpoint device and collecting detailed evidence to trace the indicators of the compromise. However, automatically shutting down a core infrastructure component could create other problems for the business – which is why, Miller said, humans need to maintain final say over the actions of their own automation tools.

Many security practitioners were adding this human element by embracing ChatSecOps, a security-focused spinoff of ChatOps – a practice that links automated tools with live chat platforms like Slack.

“To be able to prevent [mistakes] you need to be able to add context into some of the decisions,” Miller said, “and sometimes you can only get that from your people. ChatSecOps helps to streamline security resources and maximise their security budgets.”