In my last blog I talked a lot about the changes CISOs are seeing today. In this one, I look a little further out…
A critical part of the role of the future CISO will likely be to play the long game when it comes to technology. A good CISO will need to keep a finger on the pulse of technological change, opportunities and risks, helping guide an organization through rapid transformation and almost continuous marketplace disruption. In a digital future, it’s not enough to talk about technology 'enabling' the enterprise, or technology being 'integrated' into business processes - technology is the enterprise; it is the business process, and discussing it any other way limits our ability to fully grasp it.
We frequently discuss the growing skills gap and the need to recruit more talent as one of the primary challenges of our day, but future CISOs may be working with a security team significantly diminished in size. Most repetitive security and infrastructure processes, such as patching, vulnerability scanning, configuration management and firewall rule review, may yield to automation, with human security teams acting in a supervisory capacity. Even SecOps, traditionally a reactive function, may find a friend in automation, which could allow it to move to an active defence model with sophisticated process orchestration. Automated tooling could generate intelligence on attacker groups and malware to support targeted action against them. Incident response could become incident prevention, through big-data-driven ecosystem monitoring and pre-emptive, analytics-based fraud prevention.
So I am still learning about security – the principles don’t change, but their application certainly does. Part of being a CISO is being humble and recognizing that we are always learning and adapting, so what’s coming up next?
I think we are in for a fascinating decade. Two trends really interest me: the first is Artificial Intelligence (AI), starting with the basics of industrial automation, and the second is the explosion in connected devices.
As AI becomes more infused into business or customer-facing decision making, I suspect CISOs may find themselves assisting privacy and legal functions, or perhaps a Chief Data Officer (CDO) or equivalent, on the ethics of trusting AI decision making. While the CDO may concern themselves with how to protect AI from biases unintentionally introduced through machine learning, the CISO will need to think about how to defend against external, deliberate corruption of training data, models or decision-making processes by malicious actors. Once AI matures as a field, consumer trust may depend on how easily a company can show that its key decision engines are shielded from such external influence.
Attacks themselves are evolving, and are targeting the systems that control the physical activity of real infrastructure - operational technology (OT). In a connected world where the line between OT and IT is blurred, CISOs may have to contend with malware that puts physical health and safety at risk, not just data. For critical industries such as financial services, transport, healthcare, energy and utilities, CISOs may expect their domain of responsibility to expand to include oversight of physical infrastructure, employee IoT systems and consumer IoT devices that may inadvertently enable fraud or abuse. It may become, for example, part of a CISO’s remit to decide how interconnected their physical office space is with the local smart city infrastructure and power grid, or to sign off on a policy dictating which IoT-enabled microwaves are suitable for the office.
I also care a lot about how the threat may evolve, and how we counter that threat at speed. CISOs may find themselves talking less about network security and more about networked security. The nature of a CISO’s relationships with regulators and competitors in their network will evolve. By coordinating with peers and law enforcement, the new playbooks for SecOps will likely include intelligence sharing, active threat hunting, active defence and takedown action to eradicate malicious actors and groups.
But the most notable additions to the CISO’s network will be consumers and ecosystem partners. As expectations of security grow, more and more of the market will rest on trust, with the enterprise becoming defined by its brand, its intellectual property and its agility in responding to market opportunities. As a result the CISO may have a hand in marketing, communications and public relations, and will likely be a key stakeholder in protecting the enterprise against ruthless, rational and entrepreneurial criminal competitors.
In this view, the forward-facing CISO holds a holistic, business-oriented and outward-looking role, making decisions that tie not just into technical controls and security processes, but into ethics and independence, consumer trust and loyalty, physical health and safety, and even national resilience and economic security.
And we should ask ourselves the bigger questions – what will my job look like in 10 years, and what team will I be working with? Of the challenges we face, which ones will last into a digital future, and which ones are only part of the transition to it?
But most of all, how do I help my business really protect its future?