Intelligent CISO Issue 22 | Page 34

PREDICTIVE INTELLIGENCE

properly map out a deployment plan that very much sounds like a ‘no’.

What many people don’t understand is just how difficult the CISO’s job has become over the last decade. Everything has gone digital, proliferating technology and systems that produce and manage critical business data. Traditional security boundaries have vanished and CISOs are operating with network complexities that would have been previously unimaginable. Internationally dispersed, mobile workforces and outsourcing have become commonplace within many organisations, creating countless connections that span multiple continents. The number of regulatory mandates that the CISO has to navigate is dizzying. Complexity is the CISO’s number one problem – it’s only natural that they may seem resistant to anything that may further compound this issue.

CISOs lack necessary network visibility

But pushback from the CISO and their security team doesn’t just happen because they’re worried about their workloads. Many are also concerned because they know that they’re not in the best position to secure any additions to their security environment. If they don’t already have visibility over their hybrid estate, they can’t picture their security status as it is now, let alone how it would look with any number of innovations tacked on. When they put their hands up to say ‘stop’ or ‘slow down’, it’s because they know just how dangerous new third-party apps, virtualised networks or IIoT devices can be to their already fragile risk posture. In most organisations, a lack of network visibility combined with inconsistent security measures tied to new technology deployments is the root cause of security being seen as ‘The Department of No.’

The CISO has an image problem. If this perception is going to change, then the CISO needs to ensure that they can gain full network visibility and predictive modelling capabilities.
If they’re able to see everything that needs to be protected, plus analyse and predict where risks and vulnerabilities may arise, they will be more confident in their team’s abilities to deploy and protect new network elements. It’s the first step to security becoming ‘The Department of Yes.’

The danger of saying no

Progress waits for no man. While security teams may find themselves at a stalemate, organisations are still charging full speed ahead with their Digital Transformation initiatives. They don’t have time to navigate any impasse; they know that they need to innovate to become more efficient and to maintain a competitive edge. This results in security being overlooked. If it isn’t ignored completely, it’s relegated to an insufficient checkbox exercise during DevSecOps processes.

When properly embedded, security underpins the success of any innovation. But when security is sidelined, it’s possible that an organisation’s Digital Transformation initiatives could bring the business to its knees.

Disconnected processes often lie behind the execution of poor security. The likelihood of process disconnect only increases in hybrid environments. One of the main reasons behind this is the separation of teams responsible for different portions of the network. In hybrid environments, not only can there be separation between the security and operations teams, the growing DevOps/DevSecOps team also adds yet another layer of departmental complexity. The CISO needs to make sure that process disconnect doesn’t impact the delivery of effective security. They need to ensure that they don’t operate within silos and that they have the oversight needed to ensure that all processes are fully aligned. One example of how misalignment harms organisations is when cloud services are misconfigured.
Many organisations work with an assumption that cloud services are secure, but if their access points aren’t properly configured then they could end up ushering in any number of new threats. Insufficient cloud security protocols and a lack of testing are leaving many businesses exposed, and this trend will continue to gather pace if cloud deployments aren’t fully within the purview of the CISO.