
6 Pain Points for CISOs and CIOs and What to Do About Them

Chief information security officers and chief information officers have distinct roles, but they share some common challenges.

At a Glance

  • Resilience is becoming the new mantra of the cybersecurity field.
  • Threats abound: Ransomware, zero-day vulnerabilities, third-party and supply chain attacks, vishing, phishing, deepfakes.
  • AI and quantum computing will have a profound impact on the way CIOs and CISOs do their jobs.

CISOs and CIOs occupy different seats at the C-suite table, but they both are concerned with organizations’ IT infrastructure.

“If you look at the role of the CIO, we are responsible for taking care of bringing the technology infrastructure, which keeps the company engine going,” says Prasad Ramakrishnan, CIO of cloud-based customer relationship management company FreshWorks. “The CISO’s charter is to make sure that we have the governance and security and the controls to … take care of our customer data, take care of our employee data, take care of privacy.”

Unsurprisingly, CISOs and CIOs share some pain points. Four CISOs and two CIOs talked to InformationWeek about some of the biggest challenges they face and how they are addressing them.

Operational Resilience

Resilience is becoming the new mantra of the cybersecurity field. Resilience is about how an organization will respond if and when it experiences a cybersecurity incident. “We as CISOs are all going to experience at least one if not more and certainly or potentially significant, cybersecurity incident in our careers,” says Tyler Farrar, CISO at cybersecurity company Exabeam.

Will an organization be crippled for days or weeks? Or will it have the playbook in place to respond and execute a rapid return to operations?


For CIOs and CISOs, achieving operational resilience requires strategic planning, education, and alignment throughout their organizations.

“Being a good CISO is part education and part practitioner,” says Laura Deaner, CISO at financial services and life insurance company Northwestern Mutual.

CIOs and CISOs have to wear many different hats, acting as both technical and business leaders. The technical aspect of the job is essential to operate and protect the IT infrastructure, but these leaders cannot do that part of their job without making a compelling business case that secures C-suite and board buy-in.

“The culture of a company is also important, ensuring that the technology and security goals are aligned with the mission and the objectives of the organization itself,” says Deaner.

The Sprawling Tech Stack

“Everybody is struggling with the sprawling technology stack,” says Carl Froggett, CIO of cybersecurity company Deep Instinct. Many companies are working with a mix of legacy technology, like on-premises servers, and new cloud and SaaS systems. CIOs and CISOs are faced with the operational and security challenges that come with this disparate tech stack and the migration to new systems. 

With that sprawl comes the challenge of data governance. What data does a company have? Where does it reside? How can it be safeguarded? If CIOs and CISOs can’t answer the first two questions, they can’t even begin to collaborate on an effective strategy for protecting their organizations’ data.


Given the proliferation of data, it is unsurprising that many leaders feel overwhelmed; 60% of IT leaders reported that they feel overwhelmed by data, according to the 2023 IT Priorities from cloud-native platform Snow Software.

FreshWorks CIO Ramakrishnan and his team regularly practice app rationalization to understand what software the company has, what it is actually using, and how compatible those tools are.

“We look at all of our tools on a regular basis to make sure … are we using the tool? Are we getting the required level of utilization from the tool?” he explains. “Does this tool talk to all the other tools that we have? Is this still a tool that we want to keep within our enterprise?”

If a tool is not being utilized or working within the overall tech stack, Ramakrishnan and his team determine if it needs to be replaced by a new option or if an existing tool can take over. Then, they prepare it for retirement.

“I also need to look at the security impact of all the tools. Have too many tools and what happens is security becomes an afterthought,” says Ramakrishnan. “Simplifying the stack is top of mind from a CIO perspective.”


Evolving Threats and Compliance Requirements

Ransomware, zero-day vulnerabilities, third-party and supply chain attacks, vishing, phishing, deepfakes: new cyber threats emerge every day. CIOs and CISOs are challenged to keep their organizations operational and to keep data out of threat actors’ hands. Plus, the regulatory landscape continues to broaden across different states and countries.

“Each industry has their specific areas that they have to worry about because the attack vectors are different and then also the type of data is different,” says Tim Chase, global field CISO at cloud security services company Lacework.  

The IT field does offer a plenitude of resources that CIOs and CISOs can use to collaborate and learn from one another. Conferences like RSA and Black Hat bring together thousands of professionals. IT-ISAC has industry-specific groups for sharing information on threats.

“I feel like compared to maybe other industries, it’s very interesting that we will come together. We’ll be competitors out there on the battlefield of sales. But when it comes to security, we’ll put that down and we’ll just talk,” says Chase.

Talent Shortages

The information technology field and the cybersecurity field are experiencing talent shortages. In a Deloitte survey of technology industry leaders, 90% reported that recruiting and keeping talent was a moderate or major challenge. The shortage of talent in cybersecurity is illustrated by all sorts of similar statistics and studies painting an alarming picture of millions of unfilled jobs. The problem has garnered the attention of the government. The Biden-Harris Administration released the National Cyber Workforce and Education Strategy earlier this year to address the talent gap.

While talent is a scarce commodity, CIOs and CISOs can leverage third parties to get the skills they do not have internally and have yet to hire. They can also find ways to automate lower-level tasks, freeing staff to spend more time on other more important, less repetitive tasks. IT leadership can also retrain and upskill existing team members.

Over the course of his career, Froggett has looked for ways to begin tapping the developing talent pipeline. Building relationships with high schools, universities and veterans’ programs can attract people to open IT and cybersecurity positions within an organization.

Regardless of how IT leaders build their teams, they must maintain a connection to them. “We do not need a leader who is so disconnected from the rest of their security organization. That is a risk in and of itself,” says Farrar.

New Technology

Generative AI and quantum computing are exciting frontiers, but they represent multifaceted challenges for CIOs and CISOs. How can organizations adopt these tools without introducing more risk? The multitude of options and use cases seem endless. What kind of guidelines need to be in place to ensure employees understand potential security issues? In the case of AI, the tools are so easily accessible employees could be using them without company knowledge.

But the challenges of new technology like this are not only internal. “Most, if not all, ‘disruptive’ technology in the economy is ‘destructive’ technology in the underground economy or black market,” Jerry Sto. Tomas, CISO of HealthEdge, a healthcare SaaS software company, warns in an email interview.

There is no question that AI and quantum computing will have a profound impact on the way CIOs and CISOs do their jobs, but predicting what that change will look like and navigating through it will be an ongoing challenge.

“Normally, when you have a technology, you can kind of go: ‘Alright, this is going to get replaced.’ You can envisage a future, a point where that technology is going to get to. I honestly can’t put a border around generative AI and quantum [computing],” says Froggett. “I really, truly believe a lot of the things that we’ve learned, certainly in my career, are just going to get tipped on their head, and we’re going to have to just embrace a drastic change.”

Championing Change

CISOs and CIOs must keep themselves and their organizations up to date with the evolving technology and security landscapes, which means they often need to spearhead change-driven projects. Driving organization-wide change is challenging in any scenario, but even more so if CIOs and CISOs don’t have regular communication and buy-in at the board level.

“There’s still a fair amount of CISOs that don’t regularly report to the board. So, there’s just a big gap there that I think needs to be filled,” says Chase.

While that gap still exists, it is narrowing. The State of the CIO Study 2023, conducted by marketing technology company Foundry, found that 77% of CIOs report having a strong educational partnership with their CEOs and board of directors. Furthermore, 85% of the surveyed CIOs said they are becoming changemakers in their organizations.

Cybersecurity company Proofpoint and academic forum Cybersecurity at MIT Sloan examined CISO and board communication in the Cybersecurity: The 2023 Board Perspective Report. A total of 53% of board member respondents reported regular communication with their cybersecurity counterparts, up from 47% the previous year.

New rules for public companies from the US Securities and Exchange Commission (SEC) emphasize board-level involvement in cybersecurity risk management, which will likely encourage closer ties between CISOs and board members.

“The person with a plan will be the most effective champion of change,” says Sto. Tomas. “Make sure to measure your success, failures and values of your plan so you are prepared to address the fast-evolving risks and adapt to global economic changes.”

This article was reprinted by 数字化转型网 (www.szhzxw.cn) from IT经理人联盟; edited and translated by 默然 of 数字化转型网.


Disclaimer: The content of this website (https://www.szhzxw.cn/) comes mainly from original work, contributions from partner media and third-party submissions; all information appearing on this website is for reference only. This website will make every effort to ensure the accuracy and reliability of the information it provides, but does not guarantee the accuracy or reliability of the material; readers should verify it further before use and are responsible for any decisions they make on their own. This website accepts no legal liability for errors, inaccuracies or omissions arising from the material.

All content published on this website (including but not limited to text, images, logos, audio, video, software and programs) is the copyright of its original authors. Any organization or individual who believes that content on this website may infringe their intellectual property rights or contains false information should notify this site promptly so that it can be removed.
