At our latest CISOs Anonymous event, we welcomed Daniel Cuthbert to discuss his Black Hat 2022 keynote and his views on current innovation within the industry. With a career spanning over 20 years on both the offensive and defensive side, Daniel has seen rapid evolution across the security sector. Alongside some of the UK’s leading CISOs, we explored key challenges and approaches as complex security demands continue to develop, which we’ve collated here.
What does good look like?
The challenge with regulation is that risk is an abstract concept, and security is difficult to measure and quantify. Regularly reporting on the number of phishing emails and HackerOne submissions your business receives is a common set of metrics, but it presents a very narrow view of ‘impact’.
Turning to other industries that generally do a better job of security, regulation, and legislation, such as pharma, can reveal standards to model against. The reality is that risk will never be at zero, and it takes less than 1% of your organisation to compromise security. Embed those quick wins: get rid of default passwords, use two-factor authentication, and ensure updates are regularly installed.
Breaches are becoming a normal occurrence, but information is rarely shared between companies. Sharing could reveal patterns in attacks, resulting in standardised tools to combat common issues. Unless we can begin to understand these breaches as a collective, they will continue to happen.
Legislation as a kitemark
Consistency is vital as we look to the future of information security; creating standardised legislation that spans the industry ensures uniformity regardless of organisation size, with no room for justification if requirements are not met.
Financial penalties should be the norm. For companies unable to meet these requirements, substantial fines should be issued, giving vendors a specific incentive to do better. Those who do satisfy regulations would be identifiable by a kitemark, which can be utilised for marketing purposes, business and talent attraction, and recognition within the industry.
Proof of vendor security measures should also be standardised: are all pipelines meeting requirements, are they using modern SaaS tools, and are people within the supply chain actively thinking about security? Vendors who are open, transparent, and happy to have the conversation are obviously proactive and confident in their own procedures.
Security and innovation are often viewed as opposite sides of the same coin; new technology introduces unknown elements, and development is regularly slowed down by security testing phases. An accepted level of risk, and therefore loss of control, must be permitted to allow for innovation.
The role of a CISO is not to make every element secure, it's to make businesses generally safer. CISOs are the canaries in the coalmines; they can write and verify their own secure code, but the opportunity to impact external risks is rare. With so many uncontrollable elements, flagging hazards and possible areas of exposure is often the only response.
The prediction for the future of security software is that it will feature interactive elements – think ChatGPT – with the ability to review code, identify and understand malware, and provide actionable advice for specific incidents. As an additional tool used alongside current approaches, it suggests a level of speed and responsiveness that can help CISOs and their teams cast a wider net, and therefore have more control.
To find out more about La Fosse, attend a CISO Anonymous event, or learn more about the total talent solutions we offer, contact one of our expert consultants:
Brian Hinojosa - Principal Consultant Manager in InfoSec
Ross Tanner - Senior Manager in Infosec and Architecture
Stephanie Crates - Principal Consultant in InfoSec