The CISO's Myopia

Fifteen years ago, I wrote an article entitled "The CSO’s Myopia." At the time, I aimed to highlight a critical limitation in information security management. I demonstrated how many information security professionals struggled to manage all the aspects needed to create effective policies and processes. The conclusion I sought to highlight was that this problem is mainly due to an excessively narrow approach to the organization and its usual resources.

Reflecting on what it would be like to run your company without your most important data or, worse still, imagining that all this information could fall into the wrong hands seemed, although obvious, quite alarming. Unfortunately, this uncomfortable reality has become all too common, where data leaks, cyber-attacks, secret breaches, and industrial espionage are frequently reported in the media. At one extreme, threats to national security, such as cyber-warfare, have also further underscored the urgent need for data protection.

Faced with this not-so-new scenario of growing risks, organizational structures need to constantly reinvent themselves. Just a decade ago, the CSO (Chief Security Officer) role was primarily responsible for physical security measures, such as securing facilities, managing personnel security, and overseeing emergency preparedness. Today, the CSO’s role has evolved to include new responsibilities, such as enterprise risk management. CSOs are now expected to understand, mitigate, and stay ahead of a wide range of risks, including cyber, physical, operational, and reputational risks. Thus, we can say that this professional has gained, in addition to many new concerns and responsibilities, a new letter to their title: The traditional CSO has been transformed into a new, revamped, and now even busier CISO (Chief Information Security Officer).

The CISO got the Old Maid card.

As with many other management positions, the CISO is also the professional responsible for determining the cost vs. benefit ratios of the investments that will be made in the information security area, more specifically, the security and risks vs. the viability of the costs/investments. Obviously, for these decisions, evaluation is crucial, as excessive or misdirected action can derail remediation efforts.

At the same time, the world is committed to seeking solutions for guaranteeing the security triad (Confidentiality, Integrity, and Availability, aka C.I.A.), Numerous regulatory bodies have implemented security norms and standards, such as PCI-DSS, ISO/IEC 27001, and HIPAA, as well as legislation such as the GDPR.

CISO - Compliance and legislation.

As the graph below shows, the types of vulnerabilities recorded over the years continue to be concentrated in very similar main categories. However, the number of occurrences has increased due to the expansion of attack surfaces.

OWASP Rank for Weaknesses by Year - F5 Labs.

Information such as above highlights the critical importance of analysis and tools for a CISO. These tools are essential for improving and updating logical and physical control mechanisms, helping to reduce the risks associated with vulnerabilities that have already been identified and included in organizations' policies.

However, it seems that the "corrective glasses used" now by the new CISO are often not enough to overcome the chronic myopia that plagues the position because the fundamental problem remains unchanged: The constructive process by which companies continue to develop and structure their security policies still uses an "inbox" view that is an internal perspective and, therefore, limited in scope. This "approach" was not, is not, and is unlikely to be sufficient to cover the full range of vulnerabilities in the company.

Companies must consider a new approach since only those who don't experience the day-to-day running of the organization can get far enough away from the heart of the problem to see it from another perspective. As long as CISOs try to base security policies exclusively on their knowledge of the organization and their usual resources, it's improbable that these policies will cover all possible and imaginable gaps. Supported by these policies, many institutions become prisoners of their pseudo-security.

This is the CISO's myopia: believing that building a 100% "made in company" policy can be enough to control all security aspects. This myopia ignores that criminals don't follow the CISO’s rules and policies; they think differently and have different experiences, and, at the end of the day, it's many against few.

CISO - “inbox” view.

In this way, the CISO significantly increases the risk of controlling only the aspects covered by this "inbox" view without considering many other real and unforeseen threats that may go beyond their security measures.

The limitation of relying exclusively on the internal policies and knowledge of the CISO and their team highlights the need for an external and specialized perspective to strengthen organizations' security. Specialized professionals and companies can offer more impartial, less biased views.

Pentest services, for example, allow companies to simulate real attacks on your environment, testing the effectiveness of security measures under adverse conditions. Since criminals don't follow the rules established by internal policies, pentesters imitate behaviors and attack techniques real criminals use. This helps to identify weaknesses that could be exploited by external attackers, who operate outside the limits imposed by the company's security policy and often outside the law.

The incorporation of an "outbox" perspective to alleviate problems rooted in the usual "inbox" view, whether in supporting the construction and updating of internal policies or in expanding the knowledge base for consolidating defenses, can help remedy this dangerous myopia that we have been discussing for years.

Join me as I discuss this issue in my live Webcast, The CISO's Myopia, on October 10th, 2024 at 2:00PM EDT. 

Jordan Bonagura
Security Consultant at Secure Ideas
Jordan is a Security Consultant at Secure Ideas. If you have any further questions feel free to reach out to him at jordan.bonagura@secureideas.com or you can find him on LinkedIn.