In cybersecurity, we always seem to search for an "easy button." However, having formerly served as CISO for the U.S. Federal Bureau of Investigation (FBI), I can tell you that there are no quick fixes to balancing security objectives with the aspirations of the business. So, if it’s never going to be easy, can it at least be easier as we grapple with securing legacy infrastructure that isn’t going away, while dealing with growing attack surfaces driven by new tech and hybrid workforces?
I’ve learned influence is the most important aspect of a CISO’s job because there are so many pieces of the business that aren’t under their direct control. That’s why it is critical to work with all business units and boards of directors, making sure that ongoing relationships are forged to ensure security plans and strategies encompass the full business story. As a CISO, what do you know? What do you want to know? What do you need to know that you don't know now? Every organization and business unit has gaps, so understanding that and being able to identify where there are risks is an important aspect of being trustworthy and influencing positive change for the business.
Authority, ownership and accountability
While a CISO holds a pivotal role in establishing and maintaining an organization’s defenses against cybersecurity threats, that role almost never comes with an ideal budget and authority. Those elements are negotiated regularly, and balanced against operational mandates, needs for innovation, time constraints and other business imperatives.
Among the other business imperatives are re-organizations, people joining and leaving the company, and mergers and acquisitions or divestitures. Additionally, there is new technology, new aspects of existing technology and keeping legacy IT because replacing it is often cost-prohibitive. Each of these considerations plays a role in the ever-increasing complexity of cybersecurity.
What authority does a CISO have? The position itself depends on the organization, and whether the CISO is internal or external. But generally, a CISO has the authority to evaluate cybersecurity risk and accept risk up to a threshold. This authority starts with the mandate to set and enforce security policies, standards and protocols, allocate resources and align the cybersecurity budget to priorities. It includes leading risk assessments to identify vulnerabilities, frame threat mitigation strategies and establish clear expectations and training for all employees.
CISOs use that authority to implement a framework for establishing and maintaining security and for identifying gaps in the current state. The primary objective, of course, is to avoid cybersecurity incidents ... which can range from minor to catastrophic. In the case of a breach, the CISO leads the incident response efforts, and guides the organization through recovery and resilience building.
As a CISO’s authority increases, accountability increases. This means actively participating in strategic decision-making to ensure security is integrated into every facet of the organization's operations, and operational imperatives are integrated throughout its cybersecurity and IT infrastructure. CISOs need a broad skillset including understanding the IT and cybersecurity markets, the regulatory landscape, and competitive pressures to align security initiatives with overarching business goals. CISOs also must establish key performance indicators and metrics to help quantifiably assess security measures and contributions to business success.
Ultimately, the goal of cybersecurity is to avoid losses through IT systems, whether from cyberattacks or human error. And the purpose of avoiding losses is so the business can continue at an optimal level. So as important as it is for cybersecurity to support the business, it is even more important to be able to communicate the value of what it costs. The cost is an investment in business enablement. And while cybersecurity is not often perceived as a revenue driver or something that can reduce OpEx, it can be!
Investing in capabilities that simplify security and efficiently and effectively protect valuable assets is crucial. Modern solutions like comprehensive Zero Trust Network Access (ZTNA) can lower overall total cost of ownership and enable more effective security. Case in point? An independent Nemertes analyst study is full of data that quantifies the operational and security improvements identified by commercial and federal customers of Appgate SDP, our industry-leading ZTNA solution.
In just two of the many case studies in the report, one customer reduced connectivity costs by 67% by eliminating MPLS from 600 sites, and another cut its gross IT spend by 6% by eliminating its private WAN. This cuts both the cost of the networks and the cost of the people who maintain them. And it shifts the old perception that security can’t be a business enabler ... using ZTNA enables the business to be flexible and agile. This is a capability that CISOs can deliver today.
Embracing Zero Trust
Technology evolution has transformed the cybersecurity landscape. Managing the complexity is a constant balance. The adage “the perimeter is dead” is somewhat true ... but mostly, the perimeter has moved. In the past, organizations drew walls around their networks and most of their IT assets were located inside the perimeter. However, with the convergence of storage and devices, and the persistence of remote work, the perimeter has moved to the logical or physical device being used. Now, every piece of data is online and devices communicate seamlessly, blurring the lines between personal and corporate.
To address these challenges, and to significantly decrease risk, more and more CISOs are implementing Zero Trust security strategies using ZTNA as a foundational building block. This approach emphasizes limiting the attack surface, methodically eliminating overprivileged user access and implementing robust authentication measures. This means CISOs focus on end-to-end visibility, understanding who is accessing what assets through what devices and networks.
Implementing Zero Trust security is not a one-and-done task. It’s a systematic framework that can effectively eliminate a wide array of attack vectors, reduce risk and harden security postures with stringent access controls, continuous monitoring and comprehensive visibility functions integrated across complex hybrid IT. Organizations extend Zero Trust as they add new technologies and capabilities, so they remain secure.
It’s true ... a CISO’s job isn’t easy and frankly, it’s never done because IT, the business and the threat landscape evolve continually. But by starting with infrastructure and a security stack that enables Zero Trust and builds on a universal secure access solution like ZTNA to cloak assets, organizations have the right strategies to face today's challenges and resist future threats. Mastering the complexity is not just a goal; it's a mandate in our digitally driven world.
Additional ZTNA resources for CISOs
Comparison Guide: Cloud-routed vs. Direct-routed ZTNA: What’s the Difference?
Blog: Universal ZTNA Advances Enterprise Innovation, Reduces OpEx and Simplifies Security
eBook: Zero Trust Maturity Model Roadmap
Zero Trust Access Demo Hub