Counting Threats: 5 Things that Keep CISOs Up at Night

No matter how tight their battle plans, the fear that something got through haunts CISOs.

Pam Baker

January 8, 2019

6 Min Read

CISOs understand the gravity of an attack surface that is growing far faster than their budgets, talent rosters and reports to the C-suite. Within this general state of unease are several hair-raising threats robbing CISOs of their sleep.


Kudelski Security’s John Hellickson

Chief among the evolving list of concerns is one worry that stubbornly remains. “One top challenge is the ability for the CISO to demonstrate to the Board of Directors that they are the right person for the role,” says John Hellickson, Vice President, US Advisory Services at Kudelski Security, a cybersecurity firm recognized recently by Forrester as an Emerging MSSP Leader.

It's hard to prove your worth to the powers-that-be when doing the job well means nothing happens: the work is quiet and invisible, and it only gets exciting and noisy when you slip or fail. The same holds true for MSSPs.

“It’s very difficult for MSSPs to prove that their solutions are working because when they are doing really well, there shouldn’t be much noise coming from them. It’s because of this that MSSPs need to find tangible ways to highlight that the approach is working,” said Jason Rebholz, senior director of strategic partnerships at Gigamon, the network and security vendor.

This shared concern between CISO and MSSP should be acknowledged and mutually leveraged, if not by word then surely by deed.

“With 67 percent of CISOs claiming they do not have enough staff to handle the amount of cyber alerts they receive daily, many must rely on MSSPs to meet this growing threat,” says Larry Friedman, CISO at Carbonite, the file backup and recovery firm. “The best MSSPs will put themselves in the shoes of CISOs. They will analyze the same challenges facing CISOs today and proactively offer solutions, sometimes before CISOs can think of one themselves.”

Beyond the nagging worry that a job done right can still cost you the job, there is a plethora of additional fears. Each presents a different challenge, a new opportunity, and perhaps the means to validate the effectiveness of both the CISO and the MSSP.


Cavirin Systems’ Mukul Kumar

“Many CISOs are overburdened due to the diversity of the security tasks under their responsibility, the increasing complexity of multicloud and hybrid-cloud deployments, and the growing sophistication of hackers,” says Mukul Kumar, CISO & VP of Cyber Practice at Cavirin Systems, the security provider for hybrid-cloud environments.

“They need to be able to speak intelligently to their boards and auditors, as well as being able to offer solutions to their peers in DevOps and SecOps.”

The Countdown of Nightly CISO Terrors

It's a given that bad actors will continuously rage against your defenses in an ongoing search for new vulnerabilities to exploit. Known vulnerabilities already outnumber published exploits, so there is no shortage of opportunities for the bad guys to do harm. The question is which vulnerabilities will be exploited next, and whether protection is in place to mitigate that risk when an exploit goes active.

Add to this concern a growing number of unique potential threats in the CISO's realm. And there are plenty. Here is the shortlist experts say contains the newest and scariest additions to the attack surface:

  1. The building comes alive. “Many organizations operate totally unaware of the threats within their buildings. More and more, IoT devices are slipping into company networks without IT’s knowledge, like smart thermostats,” warns Karl Soderlund, senior vice president of worldwide channels at Palo Alto Networks. “These devices can easily go undetected and thus unmanaged from a cybersecurity point of view. Typically, IoT vendors do not actively manage threats, and even if they did announce a vulnerability with a patch, reaching the individual who would know how or what to do with this information is rare. The biggest threat is not knowing the devices are there, and subsequently not providing patches and securing them.”

  2. The cloud gives cover for bad actors. “Many businesses are moving to the cloud and are expressing increased concern about how they can best protect that data — this includes both infrastructure in the cloud as well as SaaS services,” says Rebholz. “MSSPs are increasingly looking to expand their visibility into the cloud, which helps secure the expanded perimeter organizations are building and address a key concern for CISOs.”

  3. Supply chains deliver the bad with the good. “Much of the cybersecurity conversation in 2018 was centered on the threats posed by the supply chain, and how attackers now identify the most vulnerable partners as the attack vector to exploit their primary targets,” said Dror Liwer, founder and CISO at Coronet, a security provider for cloud applications. Hence the fear that a growing number of threats will arrive in ready supply through this channel.

  4. Professional services bite the hand that feeds them. “As attackers continue to identify vulnerable third parties to fulfill their objectives, evidence and common sense suggest that professional-services agencies are the next big target,” warns Liwer. “As such, the professional-services agencies that brands of all sizes regularly rely upon – including but not limited to PR firms, accounting firms, advertising agencies, staffing firms, actuaries and more – must bolster their defenses before an attack occurs.”

  5. Data growth fills the universe, sets off a cacophony of never-ending alarms, and continuously feeds Godzilla-sized attackers. “One top concern for CISOs – and it will inevitably get worse in 2019 – is the sheer size of data sets that must be analyzed to identify security threats that are constantly emerging and disappearing. Even the most efficient technologies can cause alert fatigue in such a data-heavy environment,” says Simon Whitburn, SVP, cybersecurity services at Nominet, the official registry for .UK domain names and a cybersecurity vendor.
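As an added example that is not from the article or from any vendor quoted in it: one concrete way to act on Soderlund's point in item 1, that the biggest threat is not knowing the devices are there, is to reconcile what the DHCP server has actually handed addresses to against the managed-asset inventory. The script below is constructed for illustration. The lease fragment, the inventory set, the hostnames and the OUI-prefix table are made-up sample data; in practice you would load the IEEE OUI registry instead of the two-entry table and export the inventory from your asset database.

```python
"""Added example (not from the article): flag DHCP clients that are absent
from the managed-asset inventory, as a first pass at finding the smart
thermostats and other IoT devices that slipped onto the network.

All inputs below are constructed sample data.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Constructed fragment in the style of an ISC dhcpd leases file. The same
# client can appear more than once; the last block for a MAC is current.
SAMPLE_LEASES = """
lease 10.20.1.15 {
  starts 2 2019/01/08 09:12:44;
  hardware ethernet 3C:5A:B4:12:34:56;
  client-hostname "WS-FINANCE-07";
}
lease 10.20.1.88 {
  starts 2 2019/01/08 09:13:02;
  hardware ethernet 00:17:88:ab:cd:ef;
  client-hostname "bridge";
}
lease 10.20.1.91 {
  starts 2 2019/01/08 09:20:51;
  hardware ethernet 18:b4:30:aa:bb:cc;
}
lease 10.20.1.91 {
  starts 2 2019/01/08 11:02:17;
  hardware ethernet 18:b4:30:aa:bb:cc;
}
"""

# Assumed: MACs the asset database knows about (replace with a real export).
MANAGED_MACS = {"3c:5a:b4:12:34:56"}

# Assumed: a tiny illustrative OUI table keyed by the first three octets.
# A real deployment loads the IEEE OUI registry here.
OUI_HINTS = {
    "00:17:88": "Philips Lighting",
    "18:b4:30": "Nest Labs",
}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]{17});")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def parse_leases(text: str) -> List[dict]:
    """One record per lease block: ip, mac (normalised to lower case), hostname or None."""
    records = []
    for ip, body in LEASE_RE.findall(text):
        mac_match = MAC_RE.search(body)
        if not mac_match:
            continue  # a lease with no hardware address cannot be reconciled
        host_match = HOST_RE.search(body)
        records.append({
            "ip": ip,
            "mac": mac_match.group(1).lower(),
            "hostname": host_match.group(1) if host_match else None,
        })
    return records


def find_unmanaged(text: str, managed_macs: Iterable[str],
                   oui_hints: Dict[str, str]) -> List[dict]:
    """Return the current lease for every MAC that is not in the inventory,
    with a vendor hint from the OUI prefix where one is known."""
    managed = {m.lower() for m in managed_macs}
    latest: Dict[str, dict] = {}
    for rec in parse_leases(text):
        latest[rec["mac"]] = rec  # later blocks supersede earlier ones
    unknown = []
    for rec in latest.values():
        if rec["mac"] in managed:
            continue
        rec["hint"] = oui_hints.get(rec["mac"][:8], "unknown vendor")
        unknown.append(rec)
    return sorted(unknown, key=lambda r: ipaddress.ip_address(r["ip"]))


if __name__ == "__main__":
    for dev in find_unmanaged(SAMPLE_LEASES, MANAGED_MACS, OUI_HINTS):
        print(f'{dev["ip"]:<14} {dev["mac"]}  {dev["hostname"] or "-":<16} {dev["hint"]}')
```

Run against the sample, the script reports the two leases whose MACs are not in the inventory, one of which never sent a hostname at all, which is typical of embedded devices. DHCP leases only see clients that asked for an address; devices with static addresses need an ARP-table or switch-MAC-table sweep reconciled the same way.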

Given the scope and diversity of these sleep-depriving worries, what should CISOs and MSSPs focus on to validate that their hard work is making a positive difference, and to show the organization that keeping them on has value? In short, skip the bells, whistles and confusing data points, and cut straight to the chase.

“Go beyond automated reporting that provides no value to the customer. Show progress over time on how the company environment is more secure; avoid the traps of showing blocked ‘attacks’ or number of alerts triaged,” advises Rebholz.

The focus, he says, needs to be on reducing business risk, and measurably so: for example, by reducing the mean time to detection (the time between a security event and its detection) or the mean time to remediation (the time between detection and remediation).
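As an added example that is not from the article or from Gigamon: the two metrics Rebholz names are easy to state and easy to get wrong in a report. The script below, constructed for illustration with made-up incident records, computes mean time to detection (event to detection) and mean time to remediation (detection to remediation) per quarter so that progress over time can be shown. It also handles the two cases that silently distort these numbers: incidents that are still open (they must not count toward MTTR) and incidents where forensics never established when the attacker activity began (they must be excluded from MTTD rather than defaulted to a zero-hour detection).

```python
"""Added example (not from the article): per-quarter MTTD and MTTR from
incident records, the kind of trend a CISO or MSSP can put in front of a
board instead of counts of blocked attacks.

The incident records are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Incident:
    ident: str
    occurred: Optional[datetime]    # start of attacker activity per forensics; None if never established
    detected: datetime              # first alert or ticket that led to the incident
    remediated: Optional[datetime]  # None while the incident is still open


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def mttd_hours(incidents: List[Incident]) -> Optional[float]:
    """Mean time to detection: occurred -> detected.
    Incidents with no established start are left out; defaulting them to
    the detection time would report a flattering zero."""
    samples = [_hours(i.occurred, i.detected) for i in incidents if i.occurred is not None]
    return mean(samples) if samples else None


def mttr_hours(incidents: List[Incident]) -> Optional[float]:
    """Mean time to remediation: detected -> remediated, closed incidents only."""
    samples = [_hours(i.detected, i.remediated) for i in incidents if i.remediated is not None]
    return mean(samples) if samples else None


def quarter_key(ts: datetime) -> str:
    return f"{ts.year}Q{(ts.month - 1) // 3 + 1}"


def quarterly_report(incidents: List[Incident]) -> Dict[str, dict]:
    """Group incidents by the quarter in which they were detected."""
    by_quarter: Dict[str, List[Incident]] = {}
    for inc in incidents:
        by_quarter.setdefault(quarter_key(inc.detected), []).append(inc)
    return {
        q: {
            "incidents": len(group),
            "open": sum(1 for i in group if i.remediated is None),
            "mttd_hours": mttd_hours(group),
            "mttr_hours": mttr_hours(group),
        }
        for q, group in sorted(by_quarter.items())
    }


def percent_change(previous: float, current: float) -> float:
    """Negative means the metric improved (got shorter)."""
    return (current - previous) / previous * 100.0


# Constructed sample: two quarters of incidents, one still open, one with no
# established start time.
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2018, 7, 2, 8), datetime(2018, 7, 5, 8), datetime(2018, 7, 6, 8)),
    Incident("INC-2", datetime(2018, 8, 10, 10), datetime(2018, 8, 12, 10), datetime(2018, 8, 12, 22)),
    Incident("INC-3", datetime(2018, 10, 3, 9), datetime(2018, 10, 4, 9), datetime(2018, 10, 4, 17)),
    Incident("INC-4", None, datetime(2018, 11, 15, 12), datetime(2018, 11, 15, 16)),
    Incident("INC-5", datetime(2018, 12, 20, 6), datetime(2018, 12, 20, 18), None),
]

if __name__ == "__main__":
    report = quarterly_report(SAMPLE_INCIDENTS)
    for quarter, row in report.items():
        print(quarter, row)
    q3, q4 = report["2018Q3"], report["2018Q4"]
    print(f'MTTD change Q3->Q4: {percent_change(q3["mttd_hours"], q4["mttd_hours"]):.1f}%')
```

On the sample data MTTD falls from 60 hours in Q3 to 18 hours in Q4 and MTTR from 18 hours to 6, which is the shape of evidence Rebholz is asking for. The honest caveat is the `occurred` field: it only exists where an investigation pinned down when the activity began, so the MTTD trend is only as good as the forensic work behind it, and a quarter with many unknown start times should say so next to the number.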

“Simply put, MSSPs need to highlight not only how an organization has less risk because of their managed services, but also how they can address additional pain points that the CISO has. MSSPs need to focus on evolving from a security vendor to a trusted security adviser,” Rebholz added.

In short, when CISOs and their MSSPs truly become partners, they both tend to sleep better.

About the Author(s)

Pam Baker

A prolific writer and analyst, Pam Baker’s published work appears in many leading print and online publications including Security Boulevard, PCMag, Institutional Investor magazine, CIO, TechTarget, and InformationWeek, as well as many others. Her latest book is “Data Divination: Big Data Strategies.” She’s also a popular speaker at technology conferences as well as specialty conferences such as the Excellence in Journalism events and a medical research and healthcare event at the NY Academy of Sciences.
