From end-user to vendor: The CISO difference

Chris Hodson from Zscaler discusses how the role of CISO varies on the client and vendor side

This is a contributed piece by Chris Hodson, EMEA CISO at Zscaler


We all know that the role of the CISO is changing. Heads of the security function are now expected to perform the dual role of astute business leader and technical guru – all while holding a PhD in PowerPoint. At least that’s my experience having worked in leadership roles on the client side. Time allocation was always an issue.

Having changed workplace, I’m now frequently asked “What’s a CISO role like on the dark side of the vendor?” It’s unequivocally very different. Progression through the ranks in most blue-chip organisations follows a similar, linear path: do your job well, get promoted, have a team to manage, get a bigger team. Such a path provides internal recognition and respect, but it often moves you away from the industry you love and the reason you joined the InfoSec profession in the first place.


Client-side versus vendor side

In my experience as a client-side CISO, and that of many I speak to, the majority of time is spent preparing for or attending meetings, writing appraisals or working through rounds of expense approvals. Climbing the security ladder can be a double-edged sword. If you would rather get your hands dirty than delegate tasks, be warned: the higher you climb, the more the job becomes hands-on team management, and you really have to enjoy that. That’s why we’re seeing so many CISOs at Black Hat and DEF CON. It’s the only opportunity they get to roll their sleeves up and get to grips with industry trends.

On the flip side as a vendor CISO, I have the flexibility to focus on information and cyber security day-in, day-out. I get to visit customers, listen to their security challenges and offer good practice recommendations. Having millions of customers and a global footprint also means I can identify trends and apply them to determine which threats are most prevalent.

What I’ve learnt from doing so is that regardless of which side a CISO operates on, the main challenges are the same. All businesses are a target. Everyone is handling customer data, everyone has a web presence and we all face the same challenges in tackling data breaches, which can have the same catastrophic effects for everyone.


Rethinking security hygiene

Traditionally the ‘who, what and where’ of information security was pretty straightforward. Users connected from devices we gave them, on networks we controlled, using applications we deployed. Now, users are connecting with their own devices via cloud services over the public internet. As a result, we’re losing visibility of core assets and the data that travels with them. This means we need robust approaches to security that fit the new realities of user habits.


Encrypted traffic – a blessing and a curse

Encryption technologies have had a profound impact on security but are not without their challenges. They stop the security function from seeing all traffic and force it to make concessions about which traffic is inspected, because of the cost and performance overheads of inspection. The enterprise needs the ability to prevent, detect and respond to cyber-attacks, but the widespread adoption of encryption in mainstream society has significantly inhibited its ability to do so. Decrypting traffic has a significant time, performance and cost impact, and for a passive observer it is often simply impossible: the security function is not an endpoint of the session, so it never holds the session keys, and with forward-secret cipher suites not even the server’s long-term private key will unlock a captured stream. Inspection therefore means terminating TLS at a proxy that the client has been configured to trust, which fails for clients that pin their certificates. Attackers have noticed: the majority of advanced threats are now delivered over encrypted channels. At the same time, inspecting that traffic raises moral and legal questions about invasion of privacy, so the deployment of TLS inspection becomes an onerous prospect.
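The concession the paragraph above describes (some encrypted traffic is inspected, some is deliberately exempted, some simply cannot be opened) is worth measuring rather than guessing at. The following is an added example, not code from the article or from Zscaler: it parses a constructed, tab-separated proxy log and reports what share of HTTPS bytes was actually decrypted, splitting the uninspected remainder into policy exemptions (privacy-sensitive categories such as Finance and Health) and technical blind spots (clients that rejected the inspection CA because they pin certificates). The log format, field names, hostnames and the `reason` values are all assumptions made for this example.

```python
"""Measure TLS-inspection coverage from a (constructed) proxy log.

Added example; the log layout is an assumption, not a real product format:
  timestamp  host  category  bytes  protocol  decrypted(yes/no/n-a)  reason
`reason` says why an HTTPS session was not decrypted:
  "policy"  - exempted on purpose (privacy-sensitive category)
  "pinned"  - the client refused the inspection CA (certificate pinning)
  ""        - session was decrypted, nothing to explain
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log lines; hostnames are fictitious.
SAMPLE_LOG = """\
2019-05-01T09:00:01\tupdates.example-vendor.com\tSoftware Updates\t1048576\thttps\tyes\t
2019-05-01T09:00:05\tmail.example-bank.com\tFinance\t20480\thttps\tno\tpolicy
2019-05-01T09:00:09\tportal.example-clinic.org\tHealth\t8192\thttps\tno\tpolicy
2019-05-01T09:00:12\tcdn.example-social.net\tSocial Networking\t524288\thttps\tyes\t
2019-05-01T09:00:15\tapi.example-chat.io\tInstant Messaging\t65536\thttps\tno\tpinned
2019-05-01T09:00:20\twww.example-news.com\tNews\t262144\thttp\tn-a\t
2019-05-01T09:00:25\tfiles.example-storage.com\tFile Sharing\t4194304\thttps\tno\tpinned
"""


@dataclass
class LogEntry:
    timestamp: str
    host: str
    category: str
    nbytes: int
    protocol: str
    decrypted: bool
    reason: str


def parse_log(text: str) -> List[LogEntry]:
    """Parse the tab-separated format above; malformed lines raise ValueError."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split("\t")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        ts, host, category, nbytes, proto, decrypted, reason = fields
        entries.append(LogEntry(ts, host, category, int(nbytes), proto,
                                decrypted == "yes", reason))
    return entries


def inspection_coverage(entries: List[LogEntry]) -> Dict[str, object]:
    """Summarise how much HTTPS traffic the inspection point actually saw.

    Plaintext HTTP is excluded: it needs no decryption, so counting it would
    flatter the coverage figure.
    """
    https_bytes = 0
    decrypted_bytes = 0
    bypass_by_reason: Dict[str, int] = defaultdict(int)
    exempt_categories = set()
    blind_hosts = []  # not decrypted for a reason other than policy
    for e in entries:
        if e.protocol != "https":
            continue
        https_bytes += e.nbytes
        if e.decrypted:
            decrypted_bytes += e.nbytes
            continue
        bypass_by_reason[e.reason or "unknown"] += e.nbytes
        if e.reason == "policy":
            exempt_categories.add(e.category)
        else:
            blind_hosts.append(e.host)
    coverage = decrypted_bytes / https_bytes if https_bytes else 0.0
    return {
        "https_bytes": https_bytes,
        "decrypted_bytes": decrypted_bytes,
        "coverage": coverage,
        "bypass_by_reason": dict(bypass_by_reason),
        "exempt_categories": sorted(exempt_categories),
        "blind_hosts": sorted(blind_hosts),
    }


def report(summary: Dict[str, object]) -> str:
    """One-paragraph summary suitable for a Board slide."""
    bypass = summary["bypass_by_reason"]
    return (f"{summary['coverage']:.0%} of HTTPS bytes were inspected; "
            f"{bypass.get('policy', 0)} bytes were exempt by policy "
            f"({', '.join(summary['exempt_categories']) or 'none'}) and "
            f"{bypass.get('pinned', 0)} bytes were uninspectable because the client "
            f"pinned its certificate ({len(summary['blind_hosts'])} hosts).")


if __name__ == "__main__":
    print(report(inspection_coverage(parse_log(SAMPLE_LOG))))
```

The split matters when reporting upward: bytes exempted by policy are a decision the organisation made and can defend, whereas the pinned hosts are traffic nobody is looking at, and that list is what a practitioner would want to shrink (or cover with endpoint controls) before quoting a coverage percentage.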


The ransomware riddle

Ransomware bucks the trend of the surreptitious advanced threat we’ve become accustomed to: it announces itself, and the bad guys are using it to make fast cash. Typically, CISOs appreciate that the vectors associated with ransomware (web exploits and email) are not dissimilar to those of other modern threats, yet it’s not uncommon for organisations to treat ‘ransomware’ as an entirely separate entry in the corporate risk log.


Blacklists no longer cut it

Traditionally CISOs turned to URL filtering to block access to the less salubrious corners of the internet. The rationale was simple: dodgy sites served malware. Now, websites we previously considered ‘trusted’ are being compromised and serving malware that sails straight through reputation-based countermeasures. To tackle this, CISOs are turning to heuristic protections, sandboxing and artificial intelligence to boost web security and mitigate the risk of zero-day threats.


Meaningful metrics for the Board

Central to these challenges is managing the expectations of Boards that are not generally composed of security professionals. Increasingly they are funding new cyber security initiatives without understanding that, while those initiatives reduce the risk of a breach, no framework is infallible.

Often, they don’t know what information they want or need. They simply need assurance that the tools and teams are in place to deal with a compromise and that playbooks are rehearsed and understood by stakeholders. This is where the CISO becomes that mix of astute business leader and technical guru: tasked with articulating the problem and the solution to Board members in plain terms, while providing the tools and skills to support the roll-out of security best practice and minimise the risk from imminent and evolving threats.

