- Table of contents
From Techie To Business Leader: The CISO’s New Threat
*This is the second part of our three-part series on C-Suite executives and how their roles are influenced by the growing risks in cybersecurity.
Read the first part, “5 Reasons Why Every CEO Must Be Cyber Secure”, that was published last week.
For enterprise and large organizations worldwide, the nature of the CISO position is evolving into a more leadership based role.
In practice, this makes new demands on CISOs, demands which they have yet to face in their comprehensive career paths.
What was once foreign to CISOs, is now becoming one of the first lines of their job description: collaborative leadership within the company. This includes, but isn’t limited to — leading (and managing) the security efforts that are demanded by every and any change that takes placewithin an organization’s infrastructure.
The CISO must also guarantee that all employees in his team are aligned and competent with the security needs of their organization.
Essentially, the role of the CISO has spiraled far beyond a technological link in a chain of leader executives. He is now juggling two parallel universes — all within one sphere. He must communicate the severity of security threats to his colleagues and employees, all the while managing (and executing) a concrete security strategy within the company.
Above all, this balancing act must always be enveloped within an unquestionable level of cyber knowledge that evolves in accordance to all developments within the threat landscape.
The Challenges in Each Industry
Cyberint focuses on three key core verticals within our client base: the finance industry, the telecommunications industry, and the gaming industry.
As expected, a CISO in each of these industries is faced with operational and managerial difficulties that stem from the dynamic and intricate field of cybersecurity, and with its complex interaction with the niche criteria of the CISO’s specific industry.
Once the CISOs challenges are assessed per his specific industry, the newly assumed leadership role is only one of several difficulties that cause the CISO position to be a trying pair of shoes to fill.
A CISO’s key responsibility in a financial institution, namely banks, is to support the bank’s digitalization process, all the while preserving the bank’s security posture. The CISO’s agenda exists in parallel to the bank’s CRO, who is responsible for integrating risk management procedures into the business model and its operations.
Collectively, the overall security and risk prevention objectives are shared by the bank’s CISO and its CRO together.
Ultimately, the most pressing difficulty which affects both of these executives is the pressure to manage every existing cyber risk that threatens their bank, within an erratic, dynamic cyber threat environment.
In a larger financial organization, CISO’s are assumed the ability to control which data enters the company’s system, and where it is transferred to, and ultimately, how to protect the data at every stage; from collection, processing, distribution, and so on.
Threatening Supply Chains
Many times, an organization will work with suppliers and subcontractors that provide their financial institution with the array of services and technologies that they need to provide for their customers.
The nature of third party interactions is such that their resources exist and are manufactured outside the organization’s supervision, which automatically limits the security provisions that the CISO can enforce within his company.
Supply chain threats tend to exist on two fronts (among others):
Because all CPUs, hardware, and apps are developed outside the company, their entrance into the company’s system means none of these items’ security factors can be accounted for.
Supply chains and contractors have access to the same system, which can also be exploited, either by the third parties themselves, or by those who attack them.
CISOs in the telecom industry are faced with challenges that are very specific to their business niche.
The telecom industry is built upon a highly unstable income and business model, where prices are continuously dropping, with resources being re-invented accordingly.
This creates a reality of constant changes in the industry’s technologies, which means cyber and information security risks are developing and reformulating on a constant basis simultaneously.
For the telecom CISO specifically, the challenge is to support innovation of his product/business model, yet without compromising the company’s security. The latter, however, is a particularly pressing challenge, as telecommunications is one of the most lucrative industries for cyber attacks
- Customers’ personal details
- Billing data
- Infrastructure (for DDoS)
Points of Weakness in Telecom Technologies
Because the 4G LTE network is IP based, this means that ‘IP Menace’ now has access to what used to be more controlled networks (such as 3G, etc.).
Because of the numerous vulnerabilities that exist among telecom technologies alone, hackers of all levels and capabilities are attracted to the telecom industry as as target — as companies like UK’s TalkTalk and Thailand’s CAT Telecom Pcl can attest to.
PwC, for example, considers the gaming industry to be a ‘high security risk’ industry, which therefore requires a security strategy which strongly recognizes the need for technologies, processes and governance structures in any gaming system’s security.
The most prevalent aspiration in any gaming company — for any of its employees or executives, is to master speed, innovation, and agile development.
As an industry, the gaming business model thrives on risk and opportunity of the moment, and security is not a priority.
The Dire Need for Cyber Resilience in Online Gaming
But the consequences of this potential negligence are far too critical for any CISO or IT employee to avoid, regardless of how rapidly his company’s gaming technology may be succeeding.
For example, online gaming sites are highly lucrative targets for DDoS activity, as these sites can become botnet dominated, giving hackers full access to every element of the gaming site’s server, and leaving the site owners and players with absolutely no access at all.
In 2013, the loss estimate that this would cost a business amounted to £150,000.
Where we are now, three years later, the numbers have only escalated, along with the severity of cyber threats.
The possible damage caused by a DDoS attack is unquantifiable: once a hacker overtakes a gambling site’s server — the ‘loot’ he can escape with is priceless: player credentials, player prize money, and possibly the most threatening — amount of money that players have bet on, but still haven’t needed to pay.
Not to mention, the damage that a gaming company can suffer on other fronts: the in-game economy, and their brand’s defacement.
Responsibility for Awareness of Trends
When a gaming company decides to prioritize their cybersecurity needs, it’s often only possible because the head IT professional abruptly took the initiative to invest in the company’s cybersecurity needs.
Up until his effort, the company probably never dealt with security needs before, and the CEO may very well have needed a lot of convincing until he agreed to allocate security needs into the budget.
This is actually an especially dangerous state of preparedness (or lackthereof) for a gaming company to find itself in.
When an online gaming company’s CEO does cooperate with his CISO, his consent to allocate a chunk of the company budget to cybersecurity may (or more accurately, should) often be around the time of major sporting events — as this is the most lucrative time for hackers to attack a gaming site.
When people are hyped up about their sport team’s opponents losing a playoff, they easily lose sight of financial management — and that is exactly why hackers know to step in.
Given the unfortunate prosperity of the cyber threat landscape, CISOs of any industry have their fair share of challenges, each of which fuel their efforts to protect their organization from falling victim to an attack.
A further question is — are there CISOs in certain industries that have to work less or more than CISOs in other, ‘more lucrative’ fields?