CISOs Lean on More Than Just Technical Skills As They Face New Threats: An Interview with Ian Thornton-Trump
(This is the second installment of our new CISO Interview series. Read the first one here.)
Becoming a Chief Information Security Officer (CISO) is usually the result of a long journey for a cybersecurity professional. Most C-level technologists started their careers at the strictly technical end of the spectrum. In some cases, they never imagined that they would move into a managerial position with little involvement in the hands-on operations where they started.
We spoke with Ian Thornton-Trump, CISO at Cyjax Limited in London, England, about what it’s like to be in this high-level position. Is the CISO job a step away from the passion and curiosity that first attracted him to technology? What are the challenges and triumphs that come with the job?
How would you describe your path to becoming a CISO?
Ian: The passion for cybersecurity becomes a lifestyle. Then, the lifestyle becomes an obsession. What’s interesting is that when you become a CISO, it starts as a thing you do, and then it stays with you. It’s sort of like those certifications that never expire, or that have expired, but you still put the initials behind your name because you’ve achieved them. The journey in cybersecurity and then into the CISO role is a decision that you’re going to be more interested in business and the management of people than in technical work.
The CISO position is the crossover into recognizing that it will not be technical anymore. It is the point where you decide that you want to learn how business works, how the strategy works, and understand how to make budgets work. It is also about forming good teams with often very strong-willed people. Those are some of the challenges for CISOs. You have to align expectations and capabilities with funding and a shared desire just to make it a bit better the next day. Businesses are always seeking ways to become more efficient by leveraging what they have to build profitability into the business. These are conversations that the CISO has to be involved in because one of the biggest spends that we have right now is on technology.
One way that I like to grow my teams is by exposing them to other aspects of the job. For example, red teamers should become blue teamers, and the blue teamers should become red teamers. Governance, risk, and compliance people should spend a day at the help desk. There are so many ways that we can build a more cohesive and understanding caring output of making sure people know and appreciate other people’s roles within the organization.
The essential skills of a CISO include leadership and team building. It also requires the ability to take complex problems and apply solutions that executive team members can understand. Your job is to be that interface. The CISO position has grown from the days when it was just a cyber-failure fall guy to now being far more strategic, looking over the horizon and aligning the organization’s technology package with the business’ overall objectives. What we’ve found is that to not do it that way just ends up causing incremental costs to spiral out of control, to the point where businesses are now in the territory of getting rid of their IT department and completely outsourcing it in the perception that they might be able to save money that way.
The CISO is more supported than they were back then because of all the changes in the regulatory landscape. This is also a result of the expectations around data privacy and data security, not just for customers, but also for employees. A CISO needs awareness of all the different components that make the business work.
How are cyberattacks changing, and what are the biggest threats that companies need to be aware of right now?
Ian: An important point to draw out here is that just because you have outsourced a business function doesn’t mean you can outsource your responsibility. This raises the issue of supply chain awareness and due diligence at the time of signing contracts, terms and conditions, or master service agreements. I anticipate that due to the heavy cloud adoption that has occurred, we are going to see a small decrease in cyberattacks and a huge increase in fraud. That fraud may appear as cyber-enabled crime, ranging from a fraudulent change of banking information to gaining access to a software-as-a-service system. For example, a compromised payroll system where a bunch of fake employees are added just before a payroll run and the money is deposited into a foreign bank. I see the cybercrime landscape becoming more populated with cyber-enabled crime.
The big success factor that we’ve seen in the last couple of years has been our ability to defeat cyberattacks at the perimeter. The malicious emails aren’t landing with as much efficiency as they used to. We understand the dangers, and everyone now is acutely aware of the risks. However, that doesn’t necessarily mean that even though fraud’s going to increase, you can ignore ransomware as a service.
Another hidden threat is due to global climate change. For example, if you have a hybrid system model where you have a data center and your front end or backend is in the cloud, or your analytics are being pushed to the cloud and you don’t have a generator in case the power goes out during a winter storm, that could be devastating. Something as simple as having your on-premises branch office servers in the basement in a floodplain can be equally damaging to the business.
If you were to give advice to other CISOs, what would you place as the most important aspects of an incident response program?
Ian: Communication is key. The first thing is to determine if you are actually in a bona fide incident. Along with that, you need to work with subject matter experts. The CISO does not work alone. It’s a team effort. Whether you are in the containment, eradication, or the return to normal operations mode, this needs to be communicated effectively across the organization, as every VP will want to know when the systems will be up and running again. Even though IT and IT security might own the Disaster Recovery / Business Continuity Plan, it’s owned by the business.
What are some of the best practices that organizations can put in place to make sure they’re prepared for or to make sure that they don’t fall afoul of any supply chain problems?
Ian: A lot of it actually rests in procurement and the terms and conditions that you’re using to engage your vendors. The spirit of those contracts should include the ability to work collaboratively and to get access to various systems and systems artifacts in the event of a major incident. Treat it as a risk management exercise and not “business as usual” operations. In a crisis or a major event, everyone has to come together and be able to work on the problem.
What would you describe as a CISO’s main challenges right now?
Ian: You really need to start looking at the fundamental foundations that your business is built upon and start addressing those from a zero-trust perspective. The biggest win that you can do in your organization is to take the zero trust framework and focus on two things.
The first is identity and access management. It’s critical for you to know who is an employee and who’s not. Anything that links the payroll system to provisioning, such as Role-Based and Rule-Based Access Control, needs to be in place.
The other piece of it is asset management. Doing more work on asset and identity management is probably the most beneficial thing you can work on. Adopting a zero-trust architecture is an opportunity to undo the sins of the past and really make the business case for the idea that – that was then, and this is now – the threat landscape has entirely changed.
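The payroll-to-provisioning linkage Ian describes, together with the fake-employee payroll fraud from his earlier answer, can be checked by reconciling three exports against each other: the HR roster (who is an employee), the identity provider (who can log in, and with which groups) and the payroll run (who is about to be paid, and into which account). The following is an added example written for this page; it is not the interview's or Cyjax's code. All three data sets are constructed inline, and the field names (`employee_id`, `status`, `groups`, `bank_account`) and the role-to-group table are assumptions about what real HR, IdP and payroll exports would carry.

```python
"""Reconcile the HR roster, identity provider accounts and a payroll run.

Added example, not from the interview or from Cyjax. All three data sets are
constructed inline; field names (employee_id, status, groups, bank_account)
are assumptions about what real HR, IdP and payroll exports would carry.
"""
from dataclasses import dataclass, field

# Constructed HR roster: the system of record for who is (still) an employee.
HR_ROSTER = [
    {"employee_id": "E100", "name": "Ada Lin", "status": "active", "role": "finance"},
    {"employee_id": "E101", "name": "Ben Osei", "status": "active", "role": "engineering"},
    {"employee_id": "E102", "name": "Cara Voss", "status": "terminated", "role": "sales"},
]

# Constructed IdP export: what can actually log in, and with which groups.
IDP_ACCOUNTS = [
    {"username": "ada.lin", "employee_id": "E100", "enabled": True, "groups": ["finance-ro"]},
    {"username": "ben.osei", "employee_id": "E101", "enabled": True,
     "groups": ["engineering", "finance-approver"]},
    {"username": "cara.voss", "employee_id": "E102", "enabled": True, "groups": ["sales"]},
    {"username": "svc-legacy", "employee_id": None, "enabled": True, "groups": ["domain-admins"]},
]

# Constructed payroll run about to be submitted, plus the previous run's bank details.
PAYROLL_RUN = [
    {"employee_id": "E100", "bank_account": "GB11AAAA00000001"},
    {"employee_id": "E101", "bank_account": "LT11BBBB00000002"},  # changed since last run
    {"employee_id": "E999", "bank_account": "LT11BBBB00000099"},  # no HR record at all
]
PREVIOUS_PAYROLL = {"E100": "GB11AAAA00000001", "E101": "GB11AAAA00000077"}

# Role-based rule (assumed): the IdP groups each HR role may hold.
ROLE_GROUPS = {
    "finance": {"finance-ro", "finance-approver"},
    "engineering": {"engineering"},
    "sales": {"sales"},
}


@dataclass
class Findings:
    orphan_accounts: list = field(default_factory=list)    # enabled login, employee not active
    unlinked_accounts: list = field(default_factory=list)  # enabled login with no employee_id
    role_violations: list = field(default_factory=list)    # (username, groups outside the role)
    payroll_ghosts: list = field(default_factory=list)     # paid, but not an active employee
    bank_changes: list = field(default_factory=list)       # (employee_id, old, new) since last run


def reconcile(hr, idp, payroll, previous_payroll, role_groups):
    """Cross-check the three sources; every mismatch is a finding, not an auto-fix."""
    active = {e["employee_id"]: e for e in hr if e["status"] == "active"}
    f = Findings()
    for acct in idp:
        if not acct["enabled"]:
            continue
        eid = acct["employee_id"]
        if eid is None:
            f.unlinked_accounts.append(acct["username"])
        elif eid not in active:
            f.orphan_accounts.append(acct["username"])
        else:
            allowed = role_groups.get(active[eid]["role"], set())
            extra = sorted(set(acct["groups"]) - allowed)
            if extra:
                f.role_violations.append((acct["username"], extra))
    for line in payroll:
        eid = line["employee_id"]
        if eid not in active:
            f.payroll_ghosts.append(eid)
            continue
        old = previous_payroll.get(eid)
        if old is not None and old != line["bank_account"]:
            f.bank_changes.append((eid, old, line["bank_account"]))
    return f


def payroll_is_safe_to_run(findings):
    """Hold the run until ghosts and bank-detail changes have been cleared by a human."""
    return not findings.payroll_ghosts and not findings.bank_changes


if __name__ == "__main__":
    result = reconcile(HR_ROSTER, IDP_ACCOUNTS, PAYROLL_RUN, PREVIOUS_PAYROLL, ROLE_GROUPS)
    print(result)
    print("payroll safe to run:", payroll_is_safe_to_run(result))
```

With the constructed data, the run surfaces one terminated employee who can still log in, one service account tied to no employee at all, one engineer holding a finance-approver group, one payroll line with no HR record, and one bank account that changed to a foreign account since the last run. The last two are exactly the cyber-enabled fraud pattern Ian describes, and the check is deliberately a hold-and-review gate rather than an automatic fix.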
As a CISO, how do you measure success? What sort of metrics do you put in place that you can relay back to the rest of the organization?
Ian: I have reframed “vulnerability,” preferring to call it the attack surface analysis of the number of assets, what their exposure is, what the compensating controls are, and what their correct state is. Reports that address those metrics are critical for assuring the business that you have visibility on the problem. Another area to report on is the gaps in your perimeter. These should all be treated similarly to your remediation plans for any findings in a pen test. You have to take the mindset that everything you’re actually doing in cybersecurity is about building a business case and providing assurance to the stakeholders.
What do you look for in a good Network Detection and Response (NDR) solution or a Managed Network Detection and Response (MNDR) solution?
Ian: This is an area that has tremendous value. But, it really needs to be comprehensive, and what I mean by that is it has to be able to cover all the different types of assets that you might have in your organization. This is due to the extraordinary complexity of a lot of organizations’ networks. It’s really a powerful offering in the marketplace right now, but it doesn’t absolve you of adhering to the best practices, like identity and access and asset management. In order to derive the maximum benefit from any security technology work, you have to have the fundamentals in place first.
NDR gives a 360-degree view of the entity’s behavior. If it sees something at the network layer that’s unexplainable by the assets themselves, it can hunt down what that anomaly is. When you put machine learning algorithms in front of it to anticipate the fact that you’ve got the early stages of a malware attack going on in your organization, it can detect this anomalous behavior before it turns into a full-blown ransomware with data exfiltration event.
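The network-layer anomaly detection Ian describes comes down to a per-host baseline and a deviation test: how many peers does this host normally talk to, how much does it normally send, and has it ever talked to this external address before. The following is an added example written for this page, not the interview's or any NDR vendor's code, and it uses a plain robust statistic (median plus k median absolute deviations) rather than a trained model. The flow records are constructed inline; the corporate address range (`10.0.0.0/8`), the window sizes and the threshold multiplier `k = 5` are assumptions.

```python
"""Baseline-and-deviation detection over per-host flow summaries.

Added example, not the interview's or any vendor's code. The flow records
are constructed; a real NDR would take them from a sensor or flow collector.
The corporate range and the k = 5 threshold multiplier are assumptions.
"""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range


def make_flows():
    """Constructed flows: (window, src, dst, dport, bytes_out), four baseline windows + one current."""
    flows = []
    for w in range(1, 5):
        for i in range(3 + w % 3):        # workstation: 3-5 peers per window over HTTPS
            flows.append((w, "10.0.1.5", f"10.0.3.{i + 1}", 443, 300_000))
        for i in range(20 + w % 4):       # file server: 20-23 SMB clients per window
            flows.append((w, "10.0.2.10", f"10.0.1.{i + 1}", 445, 2_000_000))
    # Window 5: the workstation fans out over SMB to 40 hosts (lateral-movement-like),
    # the file server pushes 2 GB to a never-seen external address (exfiltration-like).
    for i in range(40):
        flows.append((5, "10.0.1.5", f"10.0.1.{i + 1}", 445, 30_000))
    for i in range(22):
        flows.append((5, "10.0.2.10", f"10.0.1.{i + 1}", 445, 2_000_000))
    flows.append((5, "10.0.2.10", "203.0.113.7", 443, 2_000_000_000))
    return flows


def summarize(flows):
    """Per (window, src): the set of destinations and total bytes sent."""
    out = defaultdict(lambda: {"dests": set(), "bytes": 0})
    for window, src, dst, _dport, nbytes in flows:
        out[(window, src)]["dests"].add(dst)
        out[(window, src)]["bytes"] += nbytes
    return out


def robust_threshold(history, k, floor):
    """median + k * MAD; the floor keeps a perfectly flat history from flagging any noise."""
    med = statistics.median(history)
    mad = statistics.median([abs(x - med) for x in history])
    return med + k * max(mad, floor)


def is_external(addr):
    return ipaddress.ip_address(addr) not in INTERNAL_NET


def detect(flows, current_window, k=5.0):
    """Compare each host's current window against its own earlier windows."""
    summary = summarize(flows)
    findings = []
    for host in sorted({src for (_w, src) in summary}):
        history = [summary[(w, s)] for (w, s) in sorted(summary) if s == host and w < current_window]
        current = summary.get((current_window, host))
        if not history or current is None:
            continue  # nothing to baseline against; a first-seen host would be its own finding
        dest_hist = [len(h["dests"]) for h in history]
        byte_hist = [h["bytes"] for h in history]
        dest_thr = robust_threshold(dest_hist, k, floor=1)
        byte_thr = robust_threshold(byte_hist, k, floor=0.1 * statistics.median(byte_hist))
        if len(current["dests"]) > dest_thr:
            findings.append({"host": host, "signal": "distinct_destinations",
                             "observed": len(current["dests"]), "threshold": dest_thr})
        if current["bytes"] > byte_thr:
            findings.append({"host": host, "signal": "bytes_out",
                             "observed": current["bytes"], "threshold": byte_thr})
        seen_external = {d for h in history for d in h["dests"] if is_external(d)}
        for dst in sorted(current["dests"]):
            if is_external(dst) and dst not in seen_external:
                findings.append({"host": host, "signal": "new_external_destination",
                                 "observed": dst, "threshold": None})
    return findings


if __name__ == "__main__":
    for finding in detect(make_flows(), current_window=5):
        print(finding)
```

The file server is not flagged for talking to 23 hosts, because that is normal for its role; it is flagged for the volume and for the never-seen external peer. This is the point Ian makes about anomalies that are "unexplainable by the assets themselves": the same numbers are benign for one asset and alarming for another, which is only knowable if asset management tells the detector what each host is.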
Ian’s story shows that, even though a CISO may not be “turning the dials” on a security product or programming the next security application, the job is as vital to security success as any hands-on position. The CISO needs to be aware of more than just the technological aspects of cybersecurity, making sure that the direction aligns with the organization’s vision and goals.
The CISO role is not a step away from the original passion; it is just a new direction with equally unique challenges and rewards. One thing that is certain is that success depends on collaboration and building strong partnerships with the right organizations to keep your company safe.
An internationally known cybersecurity content creator, Joe developed the popular IT security blog, Information Security Buzz. He is now managing editor at Tripwire's award-winning blog, The State of Security.