This is a shorter version of the article "The CISO Research Report: CISOs thrive on being Guardians of the Business and maybe even the Galaxy" originally published in The Lockdown - Thycotic's Cyber Security Blog on thycotic.com.
Some people maintain that “data is the new oil”. Tech companies around the world now rank among the largest global companies. A number of them have values that exceed some countries’ GDP. Tesla, some would argue, is a tech company that builds cars. It now has a market value bigger than GM and Ford combined, making it the most valuable car company in the USA.
Many of those companies collect and process huge amounts of data. They can use that data to create new products focused on making our lives better. But some would say that we ourselves are becoming the product and in doing so we are sacrificing both our privacy and freedom.
The holders of the data hold the value. And for many companies data is becoming extremely critical to business success. With technology and data now being so important, and people and businesses worldwide connecting faster and more efficiently than ever—think Internet of Things, 5G, etc.—the value of data is accelerating as never before.
With this in mind, I disagree that data is the new oil.
In fact, people are the new oil. People are providing the data that delivers the real value, and data is the commodity that makes the product possible in the first place. In return for inexpensive products we are giving up our data. With a camera in our hands and a sensor in our pocket, our data is being collected and transacted for free services.
Because companies are so heavily dependent on technology, they are exposed to cyber threats, which can occur at any moment and come from anywhere. A cyber-attack is more likely to bring a company down than any other type of incident. According to the World Economic Report, the cyber-attack is a top-5 risk to world economies and stability, slightly behind risks such as natural disasters, failure to mitigate climate change, and extreme weather.
Given that data and people are critical to business success, it stands to reason that cyber-attacks that target data and people have accelerated. Attackers hold companies to ransom, threaten to release sensitive data to the public, or prevent employees from doing their jobs, thereby impacting the company’s productivity. Yes indeed, people are the victims and data is the loot.
Some security companies want you to fear nation-state cyber-attacks. However, looking back at the 2019 Verizon Data Breach Investigations Report, we see that most cyber-attacks are financially motivated. This means a company is more likely to fall victim to a ransomware attack than to find a nation-state APT (Advanced Persistent Threat) team sifting through its network stealing data, though that’s more likely in some industries than others.
CISO’s role and how it’s evolving
In the past the CISO’s role—if the company even defined one—was largely focused on technology. But as digital transformations progressed and employees became the primary target of cyber-attacks, the focus shifted significantly to a balance between technology and people.
The CISO has one of the most difficult and challenging jobs in any business today. They often operate in the background, working vigorously with their security and operations teams to keep critical systems and sensitive data protected from bad actors. They keep systems updated, patch around the clock, deliver cybersecurity awareness training to employees, control and secure privileged access and much more. And all while tackling the ever-growing compliance laws and regulations the business must meet.
The need for security to be business focused and people friendly has now become one of the top priorities for the CISO.
Today’s CISO must listen to the executive board and business peers to understand what they measure to gauge success. The CISO’s job is not to simply put technology in place for the sake of security but to put technology in place for the sake of business: technology that helps the business succeed while ensuring that cyber risks are either reduced or eliminated.
Joseph Carson is a Cyber Security Professional with 25+ years’ experience in Enterprise Security & Infrastructure. He is a Certified Information Systems Security Professional (CISSP), an active member of the Cyber Security community, and a frequent speaker at Cyber Security events globally. He is an adviser to several governments and cyber security conferences and was the (ISC)² Information Security Leadership Award (ISLA®) Americas Winner 2018.
Thycotic is one of the world’s fastest growing IT security companies. Thycotic provides a full-featured privileged access management (PAM) solution and prevents cyber attacks by securing passwords, protecting endpoints and controlling application access.