November 17, 2022
The topics of resiliency and investment dominate the list of questions members of Protocol's Braintrust suggested.
Jameeka Green Aaron
CISO, customer identity at Okta
How do we make it harder for attackers to access our apps, but not for our users?
For every organization, in every industry, digital business is just business now. User authentication is both the gateway to services, and the biggest attack vector. As a result, we are now seeing more than 50,000 breached passwords a day on our platform.
CEOs should be asking their CISOs, “How do we make it harder for attackers to access our apps, but not for our users?” With the economic environment changing, this is really a question of revenue. Organizations have to be able to acquire and retain customers without taking security shortcuts that could make them a target for attacks. From a CISO perspective, credential stuffing and multi-factor authentication bypass are two of the most critical to protect against.
Balancing security and usability is often presented as a zero-sum game, and that’s just not true anymore. We have anti-phishing technologies like passkeys and FastPass that provide additional layers of security without adding friction for users. Identity threat detection can help us spot malicious behavior and reduce bot attacks by as much as 79%.
As organizations continue to transform digitally and move apps to the cloud, they are taking an identity-first approach to security. Put another way: They are treating the login box and people as the new perimeter. We are seeing firsthand with these tools — eliminating passwords, and threat detection and response — it’s possible to keep users safe, and increase engagement and loyalty at the same time.
SVP, strategic engagements and threat at Darktrace
How are we lowering our cyber risk to become a harder target for attackers, whilst driving efficiency in our cyber security program?
Today, CEOs are recognizing that the CISO’s role includes revenue protection, brand resilience, and employee security. Cyber is an operational and existential risk for a business. We’ve moved beyond the standard questioning following a high-profile attack (could that happen to us? Would we have stopped that?) and beyond the basic need to be compliant. Both insurance and compliance have long been viewed as ways of ticking the "protection" checkbox without achieving true operational assurance, and we need look no further than Colonial Pipeline to see that insurance cannot compensate for long-term business disruption and reputational damage.
With growing economic uncertainty, organizations are being forced to make tough decisions as they plan 2023 budgets. In order to maximize ROI in the face of budget cuts, CISOs will need to demonstrate investment into proactive tools and capabilities that continuously improve their cyber resilience. CISOs don’t lack to-do lists – they require technology which integrates with existing solutions and stitches together an evolving picture of the digital estate, prioritizing risks and continuously feeding that learning into hardening the organization’s defenses. This maximizes human resources on the team, enabling them to work on higher level tasks. Maturity models and end-to-end solutions will also be critical, as well as frank communication between CISOs and the board about the efficacy of continuously testing defenses in the background.
Dr. Robert Blumofe
EVP and chief technology officer at Akamai
What are you doing to ensure that if malware does get in, it cannot get to our critical assets?
Given the rise in cybercrime and ransomware-as-a-service tools, it is imperative to focus on preventing the spread of malware. The question I would ask is: What are you doing to ensure that if malware does get in, it cannot get to our critical assets? At some point, an employee will click on a phishing link or malware will gain access to a corporate device through some other means. The assumption that your organization will at some point be compromised must be a given. And the technology to prevent such breaches is important, but it’s not foolproof. The real question is, what then? What happens once the malware gets in? And the answer needs to be a heck of a lot better than traditional internal firewalls, regular patching, and malware scanning.
If I were answering this question, I would lean into technologies that improve a Zero Trust posture by focusing on the principle of least privilege and strongly identifying all users and devices. So even if an employee clicks on a compromised link, it is not a given the organization will be compromised. As security leaders, we must prepare for the worst — and this is where microsegmentation becomes critical. If malware does successfully get into the network, it's immediately contained so high-value assets are protected.
Worldwide cloud foundations partner lead for security-MSSP/identity/ops/management at AWS
How are we making security a part of everyone’s job next year?
Assuming the organization has already implemented table-stakes user and application security mechanisms such as multi-factor authentication and least privilege access, creating a culture of security among employees is a great way to increase the company’s resilience to bad actors. Creating a culture of security begins with education and awareness to all levels and all roles within a company on what security policies and controls exist, how each department/team directly interacts with them, and training to empower individuals with methods to detect the common tricks bad actors use in a social engineering attack.
For example, phishing attacks rely on methods to trick users into providing information and/or installing software that is actually malicious, bringing a new threat into the organization that could lead to malware activity such as elevated privileges, communication with command and control destinations, and various exploit attempts. All employees should receive regular phishing education and even company-sponsored benign phishing campaigns can be implemented to further test a user community’s degree of preparedness. Leadership must carry the message to the company that security is not a burden intended to slow anyone down, but rather set the tone on how specific security policies and procedures support various corporate goals and thereby aligning to teams' and individuals’ goals. A culture of security starts with regular education, leadership reinforcement, and ultimately individual ownership.
CEO at Absolute
What more can we get out of what we already have?
Coming into 2023, every CEO and boardroom is talking about the "macro" — whether it affects them directly or not. And yet, the risk landscape has never been more concerning — from global political shifts, to distributed workforce and fragmentation of tools and data. The beginning of a new year is usually the time to ask the question "what more can we do?" But 2023 will be the year for CEOs to ask their CISO "what more can we get out of what we already have?" Maximizing the coverage and protection of your existing tools and team and not letting your guard down must be the focus as we enter this new year. Even further, this prepares leadership for times of uncertainty, knowing just how far your investments can take you.
Wherever we see massive economic shifts that impact the workforce, we see confusion which increases risk. During the pandemic we saw bad actors take advantage of uncertainty and as a result phishing and ransomware skyrocketed. Where we saw layoffs or unprepared users sent to work from home ... we saw them taking valuable data with them. We should not be surprised that 2023 will be more of the same. Organizations cannot afford to let their guard down, and CEOs must huddle with their CISOs to better understand what their coverage is, do they have the right tools, and are they working to protect their employees and their data.
CEO at Kudelski Security
How does our security posture and security investment compare to our peers?
There are actually a few questions we should really be asking the CISO this year.
- How does our security posture and security investment compare to our peers? This is an important question to understand relative investment. No CEO wants to be less protected than their peers — making it crucial to understand other companies and their security practices.
- Where are we not sufficiently protected? What keeps you up at night? The CEO should understand the weakest link in order to accurately and efficiently address it.
- How can we increase our security maturity fastest and for the lowest cost? Budgets are a big concern for everyone this year, so identifying ways that our teams can see better security for the least spend is a top priority.
- Where are you being blocked by the business from improving our security maturity? Oftentimes there are obstacles that as a CEO you can’t see easily. Take the time to connect with your CISO and see how you can step in to address those challenges.
- What is our plan to respond when we are attacked and to mitigate the damage? It sounds obvious, but having a game plan for responding to incidents needs to be a major focus with attacks on the rise.
Beyond what we should be discussing as a security team, there is also a question that we don’t have to ask:
- Are we secure? The answer to this is always no.
CEO at Claroty
What is our highest risk, and what are the actions we need to take to reduce it to a level that we can live with?
The truth is that achieving a risk level of zero is not realistic for any organization. But by focusing resources on the risks that have the biggest potential impact on business continuity, CEOs and CISOs can achieve cyber and operational resilience.
CEO at vArmour
How can we partner to create a proactive framework for security and resilience, designed for impact?
The truth is, most CISOs believe their organization is falling short in addressing cyber risks. Digital acceleration dramatically changed the state of security, and today's organizations depend on an interconnected tangle of apps, services, workloads, devices, clouds and users. If businesses aren't careful, the increase in new assets can be directly proportional to the increased risk of cyberattack or data breach.
To change that, CEOs should aim to become partners to their CISOs in endorsing, investing in and enforcing proactive frameworks for data and organizational security. While it might seem expensive in the moment, waiting to act until a breach has occurred is dramatically more costly. Each hour lost after a malware attack or data breach endangers business operations, jeopardizes customer trust, and opens the door to legal liability.
In contrast, proactive security frameworks can give CEOs and security teams alike a roadmap to find and patch vulnerabilities, as well as a clear playbook for how to respond and recover when a breach inevitably occurs. Organizations cannot protect what they cannot see, and CEOs should investigate how they can support their CISO in creating the strategic and technological frameworks to get this visibility. By doing so, CEOs confirm their dedication to effectively setting up their CISO — and by extension, their entire organization — to stay ahead of security risks.
CISO at (ISC)²
What areas of the business are the most at risk, and what areas have the greatest opportunity to utilize security as a business improvement and differentiator?
As the threat landscape becomes increasingly complex, the CISO and CEO must work together as congruent leaders for their organization. Cyber threats are not going away anytime soon — and the CEO must understand the fundamental value that cybersecurity solutions offer their organization and customers. To help CEOs understand the importance of security and, in turn, encourage buy-in, they need to ask, “How can I, as CEO, help you, as the CISO, protect the organization in the coming year?” The CEO must voice support for security needs while also providing the necessary resources to ensure the highest level of security. While this question is nothing out of the ordinary, the modern CISO role must have a strong working relationship with the CEO.
Additionally, a CEO must ask the CISO, “What areas of the business are the most at risk, and what areas have the greatest opportunity to utilize security as a business improvement and differentiator?” When answering this question, CISOs must communicate the areas of concern with little technical jargon and share what is needed to improve. More importantly, CISOs need to convey the business value that security measures are essential.
Director of AppSec product marketing at Dynatrace
Do our cyber-insurance policies incentivize better risk management and cross-functional responsibility to deliver secure innovation?
According to recent Dynatrace research, 80% of CISOs agree that security must be a shared responsibility across the software delivery cycle, from development to production.
It is imperative to treat security as a shared responsibility that falls on everyone involved in innovation. In 2023, organizations taking out cyber-insurance policies will be required to demonstrate all innovators can manage risk, and CEOs should ask their CISOs, “Do our cyber-insurance policies incentivize better risk management and cross-functional responsibility to deliver secure innovation?”
Asking this question will enable their teams to focus on building out a holistic BizDevSecOps approach that leverages advanced monitoring solutions like observability platforms to support cross-departmental processes and ensure all teams have the insights needed to conduct due diligence and manage the risk associated with their actions.
CSO at Druva
How can we reduce our cyber risk in 2023?
When organizations piecemeal solutions or keep security and data protection in silos, they can unknowingly make themselves more vulnerable to threats and less able to recover. As attacks become more sophisticated, security and IT leaders must focus on finding holistic solutions that bring together security and data protection. By taking a more integrated approach, organizations are able to increase their ability to assess risks and move beyond data recoverability to proactively prepare for threats.
Kevin McAllister ( @k__mcallister) is a Research Editor at Protocol, leading the development of Braintrust. Prior to joining the team, he was a rankings data reporter at The Wall Street Journal, where he oversaw structured data projects for the Journal's strategy team.