As cyber threats intensify, Chief Information Security Officers (CISOs) face a growing number of challenges in their attempts to control the associated risks.
Business focus vs. Cyber risk management
Unlike the CIO, whose primary mission is to be a “business enabler” by providing the company’s various functions with the digital tools best suited to their missions, the CISO’s role is to control risks.
Indeed, for the third year in a row, cyber risk is the number one risk feared by companies (according to the Allianz Global Corporate & Specialty Corporate Risk Barometer). The prevention of cyber risks is therefore becoming a central issue in corporate governance.
Of course, the deployment of cybersecurity solutions requires the two functions to work hand in hand. Information system security tasks must then be shared between them, which highlights the need for the CISO’s independence: the CISO both prescribes security policies and checks that they are properly implemented.
- Measures risks and threats
- Specifies security policies
- Checks that these policies are applied
- Manages cybersecurity solutions
- Detects and responds to attacks
- Implements the technical aspects of security policies
- Secures the information system
- Ensures that the IS is maintained securely
The CISO also needs to be independent from the CIO in order to allow for the proper ranking of priorities in terms of cyber-investment. Indeed, a serious cybersecurity incident inevitably imposes a cost upon the company, which can sometimes reach several hundred million euros. Investment decisions of that magnitude belong with the management committee, and are not simply an adjustment variable in the IT department’s budget.
Defence in depth and zero trust: protect at all levels, and trust no one!
A few years ago, in the field of cybersecurity, only perimeter security (firewalls, DMZ, VPN, IDS/IPS, etc.) was implemented. This is no longer sufficient, and must be supported by physical security (badges, surveillance, cameras, etc.), network security (network segmentation, encryption, probes, etc.), the security of equipment and servers (patching, hardening, ACLs, monitoring/AV/EDR, etc.), of applications (IAM, ACLs, MFA, updates, vulnerability management, DevSecOps, etc.) and of data (encryption at rest, DLP, etc.), and by policies and procedures (threat management, standards, training, awareness, etc.).
This defence in depth is all the more necessary given that the multi-vector nature of threats allows physical access to be opened through means such as a cyberattack, and vice versa. So everything has to be taken into account in every data item and application, at every level, and everything has to be continuously maintained.
Defence in depth is now complemented by the concept of zero-trust security, an approach from which implicit trust disappears completely. The mantra is simple: be suspicious of everything, all the time, and never grant trust without constant control. This applies to rights, to the legitimacy of a flow, of a login, of the attachments of an e-mail, etc.; everything must be checked.
Identity Access Management: learning to control the uncontrollable
Identity, access and rights management (IAM) is an increasingly complex organisational and technical issue. It is no longer just a question of the minimum password length in the Active Directory (the company directory), but rather of managing, over time, identities and their associated rights, which are acquired progressively across a multitude of tools.
And this is where the real challenge lies for the CISO: controlling the life cycles of rights, access and identities. Very often, these life cycles are not controlled because nobody knows how to track whether the associated usage is still relevant, or what depends on it: is such and such an account that has existed for X years, providing access to such and such tools and information, still being used today? How many people have access to it? If we delete an account linked to an industrial system that no longer meets the standards, are we not at risk of compromising ongoing operational activities, sometimes linked to huge financial stakes? These difficulties illustrate the CISO’s inevitable task of balancing risk, in order to limit the impacts and be able to manage them.
Few companies have yet reached maturity in this area, even though a professional approach to IAM has become essential: poor access management or poor segmentation of authorisations is involved in most attacks. Before achieving this final objective, the CISO will first have to gradually build a more integrated and focused system. This will first and foremost have to rely on a well-structured Active Directory, manage privileged accounts (accounts that have more extensive permissions than usual) with tools and procedures, and then extend the identity and access life cycle management process to all of the company’s users and IT systems. This iterative process requires in-depth organisational, technical and training changes, and is usually carried out over several years.
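The account life-cycle questions above (is this account still used? does anyone own it? is it privileged? can it be disabled without breaking an operational system?) are the kind of thing a CISO can only answer with a recurring review of the directory. The script below is an added example, not code from the article or from any product it mentions: it runs such a review over a constructed CSV export of a directory (the column layout, the group names treated as privileged and the 90-day inactivity threshold are all assumptions for the example, not Active Directory's own export format). It deliberately never recommends disabling a service account outright, reflecting the article's caveat about industrial systems: stale service accounts are routed to an owner-and-dependency check first.

```python
"""Stale, orphaned and privileged account review over a directory export.

Added example for the IAM section: the export format, group names and
thresholds are constructed assumptions, not a real directory's schema.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Server Operators"}  # assumed
STALE_AFTER_DAYS = 90  # assumed inactivity threshold

# Constructed export: account, kind, created, last_logon, enabled, owner, groups
CONSTRUCTED_EXPORT = """\
account,kind,created,last_logon,enabled,owner,groups
alice,user,2015-03-02,2024-05-30,true,alice,Domain Users;Finance
bob,user,2012-07-15,2019-11-01,true,,Domain Users;Domain Admins
svc_scada,service,2009-01-20,2024-05-29,true,ot-team,Domain Users;SCADA Operators
svc_legacy_erp,service,2011-06-10,2021-02-14,true,,Domain Users;Server Operators
carol,user,2023-09-01,,true,carol,Domain Users
dave,user,2016-02-11,2024-01-03,false,dave,Domain Users
erin,user,2018-04-04,2022-08-08,false,erin,Domain Users;Enterprise Admins
"""


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                  # "user" or "service"
    created: date
    last_logon: date | None    # None = never logged on
    enabled: bool
    owner: str                 # empty string = no recorded owner
    groups: frozenset[str]


@dataclass
class Finding:
    name: str
    issues: list[str]
    action: str
    priority: int              # 0 = nothing to do, 3 = review first


def parse_export(text: str) -> list[Account]:
    """Parse the constructed CSV layout into Account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append(Account(
            name=row["account"],
            kind=row["kind"],
            created=date.fromisoformat(row["created"]),
            last_logon=date.fromisoformat(row["last_logon"]) if row["last_logon"] else None,
            enabled=row["enabled"].strip().lower() == "true",
            owner=row["owner"].strip(),
            groups=frozenset(g for g in row["groups"].split(";") if g),
        ))
    return accounts


def review_account(acct: Account, today: date) -> Finding:
    """Classify one account: is it stale, orphaned, privileged, and what should happen next."""
    privileged = sorted(acct.groups & PRIVILEGED_GROUPS)
    if acct.last_logon is None:
        idle_days, activity = (today - acct.created).days, "never logged on"
    else:
        idle_days = (today - acct.last_logon).days
        activity = f"inactive {idle_days} days"
    stale = idle_days > STALE_AFTER_DAYS

    # Disabled accounts only matter if they still carry privileged group membership
    # (re-enabling such an account would silently restore elevated rights).
    if not acct.enabled:
        if privileged:
            issue = "disabled but still in privileged groups: " + ", ".join(privileged)
            return Finding(acct.name, [issue], "remove privileged group membership", 2)
        return Finding(acct.name, [], "none", 0)

    issues = []
    if not acct.owner:
        issues.append("no recorded owner")
    if stale:
        issues.append(activity)
    if privileged:
        issues.append("privileged: " + ", ".join(privileged))

    # Service accounts are never disabled on the strength of inactivity alone:
    # an industrial or batch system may depend on them (the article's caveat).
    if stale and acct.kind == "service":
        action = "confirm with owner and dependent systems before disabling"
    elif stale:
        action = "disable after owner confirmation"
    elif not acct.owner:
        action = "assign owner"
    else:
        action = "none"

    if privileged and (stale or not acct.owner):
        priority = 3
    elif stale or not acct.owner:
        priority = 2
    elif privileged:
        priority = 1   # healthy but privileged: keep it in view
    else:
        priority = 0
    return Finding(acct.name, issues, action, priority)


def review_export(text: str, today: date) -> list[Finding]:
    """Review every account and order the result so the riskiest accounts come first."""
    findings = [review_account(a, today) for a in parse_export(text)]
    return sorted(findings, key=lambda f: (-f.priority, f.name))


if __name__ == "__main__":
    for f in review_export(CONSTRUCTED_EXPORT, date(2024, 6, 1)):
        if f.priority:
            print(f"[{f.priority}] {f.name}: {'; '.join(f.issues)} -> {f.action}")
```

Run against the constructed export with a review date of 2024-06-01, the two unowned, inactive, privileged accounts (`bob` and `svc_legacy_erp`) come out first, but only the user account is proposed for disabling; the service account is sent to an owner-and-dependency check. `svc_scada`, an old but actively used industrial account with an owner, is not flagged at all, which is the point: age alone is not the signal, the combination of inactivity, missing ownership and privilege is.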
Protecting the cloud: a new imperative
More and more data is hosted in the Cloud, with no control over the security of the infrastructure, and with more complex and high-level off-the-shelf services. This new technological reality is prompting the emergence of specific protection methods (WAF, CASB, data security, access management, etc.). Few staff are trained in cloud protection, and this is where another challenge lies: reversing the trend and recruiting such experienced staff.
DevSecOps or SecDevSecOpsSec? End-to-end security
DevSecOps refers to the integration of security into the software development cycle (securing both the development chain and the deliverable). Everyone talks about it; but in reality, few development teams have any real maturity on the subject, and so too few projects in the field fully take security into account.
There is therefore a very strong need for support and training for developers and system architects in this area (in particular on attacks and on the solutions that protect against them), in order to limit and eventually eliminate the introduction of security flaws into their code.
Too often, developers see security as an issue that affects the development framework or even the infrastructure teams: “DevSecOps must become a matter of culture for the groups concerned,” says Laurent Vromman. He adds, “Personally, I would even call it a SecDevSecOpsSec culture, so as not to suggest that security is only managed between development and deployment, but rather from start to finish: throughout the software life cycle, from the architecture stage and even during its operational life, because new vulnerabilities are constantly emerging and you have to learn how to protect yourself against them on an ongoing basis.”
Investment, support, training, tools… these are the assets that the CISO will have to leverage to initiate change both inside and outside the company in order to understand and control the cyber risk.
“It’s a real game of cat and mouse, with hackers becoming more professional at a speed that matches the pace at which companies are countering their threats; cybersecurity will continue to be a fascinating topic, and the coming months will be packed with learning experiences and great advances in this field,” Laurent Vromman concludes.