Why a CISO should be advising your board

How CISOs on the board can improve cybersecurity—and how AI should be introduced into the conversation.

This is a contributed article by Stephen Moore, chief security strategist, Exabeam


In an era when technology often is the business, members of a company's board of directors need a rock-solid understanding of the security risks facing their company. Only with such an understanding can they ensure that the company's security teams have the capabilities to mitigate and respond to attacks - and also prepare for the fallout when measures fail.

The best way for them to develop this understanding is to include a chief information security officer (CISO) or a cybersecurity expert as an observer and advisor on the board. This expert will help board members to understand the requirements for robust cybersecurity defenses and can also coach the board on how to prepare for and prevent a breach beyond just the technical response.


The scope of the challenge

In today's environment, a security expert will likely advise the board to pursue automated cybersecurity wherever possible. The battle between cybercriminals and corporate security teams is often tilted in favor of the adversaries who utilise automation at scale.

When there is a digital reward - whether it's money, espionage, intellectual property or private data - cyber attackers have persistence and automation on their side. They don't follow the rules of change management, and they enjoy working while you sleep. They even benefit from poorly conceived compensating controls and audit exceptions, which do little to thwart an attacker but do allow organisations to pass compliance audits.

Today's attackers will probe your defenses until they find a weakness. These well-organised criminals often use automation to initiate and replay their attacks, delivering malware, stealing accounts and deploying backdoors. Remember, they only need one breakthrough to be successful.

Most cyberthreats are not advanced. All it takes is one impulsive click on a phishing email containing fairly crude malware to take down a network or even attempt to erode a democracy.

An effective CISO knows that finding an answer starts with the help desk, an already overwhelmed resource. Everyone should ask, "Is this attachment safe to open? Have we received an email from this person before? Is this URL OK to click? Could it be malware or a link to a phishing site?"

These questions take time to answer. Attackers have time on their side, attacking when they want and as often as they like.

The CISO also knows that when it comes to patrolling the attack surface of a corporate network, most teams have too few resources to do the job properly. When an attack does occur, there's not much time to respond. And an infection can spread at network speed.

There is also little warning, because overburdened security teams can miss the initial signs of an attack. Security tools are notoriously noisy, giving off more alerts than analysts can handle. Most security teams have visibility into only a small fraction of their network with the limited legacy tools they have. They rely on manual and error-prone work for their defenses. And they often can't determine whether an event is normal or a security risk.

Couple those factors with the shortage of security talent available for hire, and you have a recipe for disaster.


The need for automation

A CISO can explain to the board how investing in automation can make security teams more effective.

The CISO can also explain that what is often sold as basic artificial intelligence (AI) is not the answer. With all the hype around AI, the board might be tempted to look to the technology to combat cybercrime, but much of what is marketed as AI amounts to static, human-written rules and signatures that cannot adapt to the innovations of cybercriminals. Criminals will continually probe network defenses for vulnerabilities, and a rule-based system is not designed to learn from what it sees. While such systems appear intelligent because they make decisions without a human in the loop, they depend on rules drafted in advance by humans, and an attacker who keeps probing will eventually find the case the rules never anticipated.

Contrast this with technologies that dynamically learn from the behavioral patterns in data to make their decisions. Machine learning, a form of AI, builds a baseline of normal behaviour for each user and machine from historical data and flags deviations from that baseline as signs of an attack, answering questions like:

  • Did a hacker try to use your account to access an accounting database, and what servers were involved?
  • Was your account just used in New York and then immediately again in Jakarta? Is it unusual for this to happen in one day?
  • Is there an ongoing "low and slow" attack trying to remove data from your network?

Machine learning can provide the right answers to the right humans and machines - a huge time-saver and advantage for cybersecurity defenders.
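As an added illustration of the three questions above (this is example code written for this page, not Exabeam's product or any code from the article), the following Python script learns a per-user baseline from a constructed week of login and transfer events and then flags impossible travel, first-time access to a host such as an accounting database, and a "low and slow" outbound transfer whose individual chunks are all small. The log fields, the thresholds (1,000 km/h; 5x the learned daily average) and the city coordinates are assumptions chosen for the example.

```python
# Added example, not from the article or Exabeam: a minimal behavioural-baseline
# detector over constructed log events. Field names, thresholds and coordinates
# are assumptions chosen for illustration.
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

NY = {"city": "New York", "lat": 40.71, "lon": -74.01}
JKT = {"city": "Jakarta", "lat": -6.21, "lon": 106.85}

def ev(user, ts, place, host, bytes_out):
    return {"user": user, "ts": ts, "host": host, "bytes_out": bytes_out, **place}

# Constructed sample events. "bytes_out" is bytes the session sent to "host".
EVENTS = [
    # Baseline week: alice works from New York, uses the file share and mail,
    # and sends roughly 1.5-4 MB per day.
    ev("alice", "2024-03-04T09:00:00", NY, "fileshare01", 2_000_000),
    ev("alice", "2024-03-05T09:10:00", NY, "fileshare01", 3_000_000),
    ev("alice", "2024-03-06T09:05:00", NY, "mail01", 1_500_000),
    ev("alice", "2024-03-07T09:07:00", NY, "fileshare01", 4_000_000),
    ev("alice", "2024-03-08T09:01:00", NY, "mail01", 2_500_000),
    # Detection day: New York login, then Jakarta one hour later, hitting the
    # accounting database she has never touched before.
    ev("alice", "2024-03-11T09:00:00", NY, "fileshare01", 2_000_000),
    ev("alice", "2024-03-11T10:00:00", JKT, "acct-db01", 800_000),
] + [
    # "Low and slow": 24 transfers of 900 KB, each far below any per-event limit,
    # spread over the rest of the day.
    ev("alice", f"2024-03-11T{11 + h:02d}:{m:02d}:00", JKT, "acct-db01", 900_000)
    for h in range(12) for m in (0, 30)
]

CUTOFF = datetime(2024, 3, 11)  # events before this train the baseline

def parse(e):
    return datetime.fromisoformat(e["ts"])

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def build_baseline(events, cutoff):
    """Learn each user's normal hosts and average daily outbound bytes."""
    hosts = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> bytes
    for e in events:
        t = parse(e)
        if t < cutoff:
            hosts[e["user"]].add(e["host"])
            daily[e["user"]][t.date()] += e["bytes_out"]
    avg = {u: sum(d.values()) / len(d) for u, d in daily.items()}
    return {"hosts": hosts, "avg_daily_bytes": avg}

def detect(events, baseline, cutoff, max_kmh=1000.0, exfil_ratio=5.0):
    """Return (kind, user, detail) alerts for events at or after cutoff."""
    alerts = []
    known = defaultdict(set, {u: set(h) for u, h in baseline["hosts"].items()})
    by_user = defaultdict(list)
    for e in sorted(events, key=parse):
        if parse(e) >= cutoff:
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        prev, day_bytes, exfil_days = None, defaultdict(int), set()
        for e in evs:
            t = parse(e)
            # 1. Impossible travel: consecutive logins too far apart for the time elapsed.
            if prev is not None and e["city"] != prev["city"]:
                km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                hours = (t - parse(prev)).total_seconds() / 3600
                if hours == 0 or km / hours > max_kmh:
                    alerts.append(("impossible_travel", user,
                                   f"{prev['city']} -> {e['city']} in {hours:.1f}h"))
            # 2. First-time access to a host this user never used during the baseline.
            if e["host"] not in known[user]:
                alerts.append(("new_host", user, e["host"]))
                known[user].add(e["host"])  # alert once per new host
            # 3. Low and slow: cumulative daily bytes, not single-event size.
            day_bytes[t.date()] += e["bytes_out"]
            avg = baseline["avg_daily_bytes"].get(user)
            if avg and day_bytes[t.date()] > exfil_ratio * avg and t.date() not in exfil_days:
                exfil_days.add(t.date())
                alerts.append(("low_and_slow_exfil", user,
                               f"{day_bytes[t.date()]} bytes out on {t.date()}"))
            prev = e
    return alerts

def run_example():
    return detect(EVENTS, build_baseline(EVENTS, CUTOFF), CUTOFF)

if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The point of the third detector is that no single 900 KB transfer would trip a per-event threshold; only comparing the running daily total against the learned average surfaces it, which is exactly the kind of question a static rule does not ask.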

Cyberthreats will continue to be a challenge, but having a CISO or cybersecurity expert working with the board will give companies a better understanding of the risks they face - and the strategies needed to address them. Using technologies like machine learning will give back time to our cyber defenders so companies can take the right steps to detect and respond to the next attack.



Stephen Moore is chief security strategist at security intelligence company Exabeam. In his role, Moore helps drive solutions for threat detection and response and advises customers on breach management and program development. He brings deep experience working with legal, privacy and audit staff to improve cybersecurity.