Counting Threats: 5 Things that Keep CISOs Up at Night
CISOs understand the gravity of the attack surface growing far faster than their budgets, talent rosters, and reports to the C-Suite. Within this general state of unease are several hair-raising threats robbing the CISOs of their sleep.
Chief among the evolving list of concerns is one worry that stubbornly remains. “One top challenge is the ability for the CISO to demonstrate to the Board of Directors that they are the right person for the role,” says John Hellickson, Vice President, US Advisory Services at Kudelski Security, a cybersecurity firm recognized recently by Forrester as an Emerging MSSP Leader.
It’s hard to prove your worth to the powers-that-be when everything is boring and silent as soon as you’re at the top of your game. It only gets exciting and noisy when you slip or fail. The same holds true for MSSPs.
“It’s very difficult for MSSPs to prove that their solutions are working because when they are doing really well, there shouldn’t be much noise coming from them. It’s because of this that MSSPs need to find tangible ways to highlight that the approach is working,” said Jason Rebholz, senior director of strategic partnerships at Gigamon, the network and security vendor.
This shared concern between CISO and MSSP should be acknowledged and mutually leveraged, if not by word then surely by deed.
“With 67 percent of CISOs claiming they do not have enough staff to handle the amount of cyber alerts they receive daily, many must rely on MSSPs to meet this growing threat,” says Larry Friedman, CISO at Carbonite, the file backup and recovery firm. “The best MSSPs will put themselves in the shoes of CISOs. They will analyze the same challenges facing CISOs today and proactively offer solutions, sometimes before CISOs can think of one themselves.”
But beyond the nagging overall worry that the job done right could result in a job unfairly lost lies a plethora of additional fears. Each presents a different challenge, a new opportunity, and perhaps the means to validate the effectiveness of both the CISO and the MSSP.
“Many CISOs are overburdened due to the diversity of the security tasks under their responsibility, the increasing complexity of multicloud and hybrid-cloud deployments, and the growing sophistication of hackers,” says Mukul Kumar, CISO & VP of Cyber Practice at Cavirin Systems, the security provider for hybrid-cloud environments.
“They need to be able to speak intelligently to their boards and auditors, as well as being able to offer solutions to their peers in DevOps and SecOps.”
The Countdown of Nightly CISO Terrors
It’s a given that bad actors will continuously rage against your defenses in an ongoing search for new vulnerabilities to exploit. Already known vulnerabilities are more numerous than the published exploits, indicating that there’s no shortage of opportunities for bad guys to do harm. The question is which vulnerabilities will be exploited next, and whether protection is in place to mitigate that risk when it goes active.
Add to this concern a growing number of unique potential threats in the CISO’s realm. And there are plenty. Here is the shortlist experts say contains the newest and scariest …