
From Achilles to Zeus – busting the myths that are holding CISOs back

October 11, 2024

Jonathan Gill

The role of the CISO is evolving rapidly. It has transitioned from a technical to strategic business leadership role, helping the enterprise control risk and make informed decisions. And whilst the CISO role is fairly new, the human struggle to manage threats and risk has been ever-present, and lessons of the past inform the challenges of today.

With this in mind, we’ve applied Greek myths to the modern CISO role. In this blog, we’ll explore five key myths and how successful CISOs can break free from them. The most successful CISOs have overcome these five myths to not only survive but thrive.

MYTH ONE: THE ACHILLES HEEL

CISOs have total visibility and know what their weaknesses are

Achilles was heralded as a great fighter, blessed by the Gods. Yet he had one weakness that led to his demise – his heel. The modern CISO equivalent is that they believe they have a clear picture about what to protect and how well they are doing. But most often it’s the things they did not know about, or that they thought they had protected against, that lead to their undoing.

In the words of Mark Twain, “It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.” Part of the problem is that CISOs oversee a fast-changing IT landscape that IT and security teams aren’t fully aware of. Despite investing in configuration management database (CMDB) technologies, large enterprises don’t have a complete, accurate and up-to-date inventory of all their assets. Every CMDB contains duplicate assets, unknown assets and assets with incomplete information, such as missing owners.

This lack of visibility has knock-on effects. Enterprises use security controls to protect their assets. Each control typically covers part of the IT estate, such as a group of servers, and carries a policy, such as the number of days allowed to patch a critical vulnerability on an external server. Security controls rely on security tools, processes and people to achieve their intended risk reduction.

These tools include cybersecurity solutions, deployed to achieve the objective of protecting assets. Yet with an incomplete asset picture, there will inevitably be gaps in solutions’ coverage, meaning tools are not deployed as intended. Furthermore, these tools work in silos: they know where they’re deployed, but not where they aren’t (but should be). In an evolving threat landscape, the expanding IT estate requires more and more security tools to protect it, more than 70 on average, and more than 130 in large enterprises. This creates an overwhelming amount of data across tens of security tools, with gaps, contradictions and duplicates, making it virtually impossible to see the actual attack surface and security posture.

This results in security controls being implemented inconsistently, falling short of the intended policy objectives, and deployed across only part of the IT estate. Well-intended enterprises spend tens or hundreds of millions of dollars on technology, people and processes to protect themselves. Yet they still fall victim to security breaches due to these inevitable gaps, therefore missing the benefit of their significant investment. This ‘Achilles Heel’ undermines confidence in hard-working security teams and adds to the already growing legal and reputational pressure on today’s CISOs.

The good news is that whilst each tool is an unreliable witness, together they can tell you everything. Furthermore, these tools help improve the CMDB by identifying more assets, helping build a complete and accurate picture of the IT estate and security posture. CISOs need a way to consolidate all these different witnesses and create a single source of truth. Continuous Controls Monitoring (CCM) provides a consistent and automated ‘golden source of truth’ about assets, controls coverage, controls effectiveness, and performance against SLAs. Panaseer helps improve risk visibility by up to 150%, increase control coverage by up to 50%, and doubles the effective size of the security team by automating the manual work of reporting on and managing siloed tools. It ensures the return on investment of all your security technology, people and processes – immediately making the business more secure and more efficient. Within hours, unknown assets and control coverage gaps are identified, and easily fixed. Unlike Achilles, today’s CISO’s vulnerability is both created by and solvable with technology. Once CISOs have full visibility of assets and security tools, they can fully leverage their tools to protect the assets.
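The reconciliation described above, as an added example that is not Panaseer’s code or part of the original post: three constructed tool exports (a CMDB, an EDR agent list and a vulnerability scanner) are joined on a normalised hostname so that duplicates, assets unknown to the CMDB, missing owners and control coverage gaps fall out, and coverage is measured against the union of all witnesses rather than against what any one tool reports about itself. The hostnames, owners and policy (every asset needs EDR; external servers must also be scanned) are assumptions made for the example.

```python
"""Reconcile siloed asset inventories into one coverage view (added example)."""
import re
from collections import Counter

# Constructed sample exports; each tool names hosts slightly differently.
CMDB = [
    {"host": "web-01.corp.example.com", "owner": "platform", "type": "server", "exposure": "external"},
    {"host": "WEB-01", "owner": "", "type": "server", "exposure": "external"},  # duplicate record
    {"host": "db-07.corp.example.com", "owner": "", "type": "server", "exposure": "internal"},
    {"host": "api-02.corp.example.com", "owner": "platform", "type": "server", "exposure": "external"},
    {"host": "lap-0042", "owner": "alice", "type": "laptop", "exposure": "internal"},
]
EDR_AGENTS = ["web-01", "lap-0042", "build-03"]       # EDR only knows where it is installed
VULN_SCAN = {"web-01": 2, "db-07": 0, "build-03": 5}  # host -> count of critical findings


def normalise(host: str) -> str:
    """Reduce hostname variants (case, FQDN suffix) to one join key."""
    return re.sub(r"\..*$", "", host.strip().lower())


def reconcile() -> dict:
    """Combine the three witnesses into one picture of assets and coverage gaps."""
    keys = [normalise(r["host"]) for r in CMDB]
    duplicates = sorted(k for k, n in Counter(keys).items() if n > 1)
    # Merge duplicate CMDB rows, keeping the first non-empty owner seen.
    merged = {}
    for r in CMDB:
        row = merged.setdefault(normalise(r["host"]),
                                {"owner": "", "type": r["type"], "exposure": r["exposure"]})
        row["owner"] = row["owner"] or r["owner"]
    edr = {normalise(h) for h in EDR_AGENTS}
    scanned = {normalise(h) for h in VULN_SCAN}
    # Assets a tool has seen but the CMDB has not: the tools improve the CMDB.
    unknown_to_cmdb = sorted((edr | scanned) - set(merged))
    missing_owner = sorted(k for k, v in merged.items() if not v["owner"])
    # Policy: every known asset needs EDR; external servers must also be scanned.
    edr_gaps = sorted(set(merged) - edr)
    scan_gaps = sorted(k for k, v in merged.items()
                       if v["exposure"] == "external" and k not in scanned)
    # Coverage against the union of witnesses, not against EDR's own (always 100%) view.
    universe = set(merged) | edr | scanned
    edr_coverage_pct = round(100 * len(edr & universe) / len(universe), 1)
    return {
        "duplicates": duplicates,
        "unknown_to_cmdb": unknown_to_cmdb,
        "missing_owner": missing_owner,
        "edr_gaps": edr_gaps,
        "scan_gaps": scan_gaps,
        "edr_coverage_pct": edr_coverage_pct,
    }


if __name__ == "__main__":
    for k, v in reconcile().items():
        print(f"{k}: {v}")
```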


MYTH TWO: THE SWORD OF DAMOCLES

CISOs are powerless to prevent disaster

Our second myth is the sword of Damocles. When Damocles was granted his wish to taste what it would be like to be ruler, he was forced to enjoy his reign with a sword dangling over the throne by a single horse hair. The parable represents the peril of power, having to constantly watch out for the next threat that could befall you. Again, this will feel familiar to many CISOs who live in fear of the catastrophic breach that could ruin their reputation – with many believing that it’s less a case of ‘if’, than ‘when.’ Such feelings of dread have been amplified in the current climate, where CISOs can now be held personally responsible for security failings.

But this feeling of dread isn’t necessarily warranted. CISOs can be left holding the risk, but that risk really belongs to the business. And it relies on business decisions to either accept more risk, or prioritise the work and investment needed to achieve the intended residual risk position.

Enterprises start out with inherent risk, existing before any actions are taken to mitigate it. They then set out to achieve a residual risk position according to their appetite for risk; this is the position they are willing to invest to achieve, accepting any outcomes that come from outside this investment. Controls, in the form of technology, people and processes, are a crucial part of achieving this.

The CISO’s goal is to protect the organisation at this level of residual risk. In this context, we can see the sword of Damocles is really about the risk of being breached in a way that should have been avoided according to your risk appetite. After all, that’s what’s hard to explain to customers, investors and your board. It’s okay if the business suffers a breach it accepted might happen: it’s certainly unfortunate, but it knew the risks. What’s not okay is for the business to think it was protected only to find out it was breached because endpoint security wasn’t deployed to 5,000 devices, or a vulnerability wasn’t patched because the server wasn’t in SCCM.

The visibility problem we identified in the myth of Achilles is one of two reasons CISOs experience the sword of Damocles. Full visibility of the IT estate and security posture identifies any gaps in the current risk posture compared with what’s intended. However, visibility isn’t enough. CISOs need to translate technical information for non-technical stakeholders to influence the organisation. The CISO’s role is to communicate effectively so the business can take action to either achieve its residual risk position or accept additional risk. Either way it’s a business decision, removing the sword of Damocles from above the CISO. But this relies on the CISO communicating that risk to the business in a way it understands and accepts.

With the aid of CCM, CISOs can build on their existing visibility of security controls to build understanding across the organisation. CCM connects security, IT and business tools to understand assets – whether devices, servers, cloud infrastructure, users, accounts and groups, application databases, or any number of other resources. Critically, it enables understanding of how those assets relate to both each other and the multitude of business processes, people structures, and geographical and business entities within the modern enterprise.

Using metrics, dashboards, scorecards and heat maps to map controls to specific teams’ concerns – such as ransomware, compliance, frameworks or patching – CISOs can provide not only visibility but full transparency over the status of their organisation. CCM helps map technical controls to language the business understands, linking to important business services; crown jewel assets; regulated services; and other business-friendly contexts to explain security to business leaders. Executive owners can see the security controls status for their area of ownership, whether that’s claims management, payment processing, the Unix estate, North America, APAC, or beyond.

CCM empowers CISOs to present the business with its actual residual risk position, making recommendations and informing choices that help the business reach its acceptable, intended residual position. Armed with this insight, the business can make informed decisions about risk and ensure it is protected against preventable breaches. And for the CISO, that means no more sword of Damocles dangling overhead.


MYTH THREE: THE HEADS OF THE HYDRA

CISOs just need to get more tools to be secure

Now we’re looking at something more monstrous. The Hydra was a many-headed monster with the power of regeneration. Every time a head was chopped off, another would grow back, making it almost invincible. Security teams can often mimic the Hydra approach, falling into the trap of responding to each potential new threat by ‘growing more heads’ – or, in security teams’ case, buying more tools. They can soon find that this approach only adds to work; increases stress and burnout; and makes it harder to manage risk. As with anything in cyber security, this behaviour doesn’t exist in a vacuum. More tools mean CISOs need more visibility, contributing to the Achilles heel. And they can make it harder to understand and communicate risk, making the sword of Damocles more likely to drop.

But just as Hercules managed to neutralise the Hydra’s regeneration, so security teams can build on the lessons from busting the first two myths. With visibility in place, and translated for non-technical stakeholders so that it influences business decisions, CISOs can ensure the same information is used for both operational excellence and governance and risk reporting.

Operational excellence means using this information for every stakeholder involved in deploying controls to provide clarity, ownership and accountability to achieve those controls’ objective. Governance and risk reporting means using the same information for oversight of the IT estate and security posture for all stakeholders. Whilst the first requires granular data about assets’ and controls’ status over time, the second requires the big picture: aggregation, high level scores, simple summaries and heat maps, and trends.

CCM ensures the CISO is at the centre, coordinating operational excellence with one hand and governance and risk reporting with the other, all based on the same accurate, complete, automated and consistent information. CCM helps security teams get out of the familiar pattern of working every hour, becoming ever more stressed, and effectively playing whack-a-mole reacting to every potential breach, pen test finding or user request. Instead it leads to a shift-left approach, with the appropriate amount of focus on identifying and protecting against threats, in turn reducing the amount of energy spent on detection, response and recovery. In short, it replaces reactive crisis management with calm prevention.

In this way, CCM provides the foundation to add new tools and respond to new opportunities and threats. It helps ensure that each new tool is deployed correctly, from both a coverage and policy point of view, and doesn’t drift from that position as the IT landscape changes. CCM is a platform for ensuring new controls are deployed with appropriate governance, and mapped to other existing controls for assets, services, and the business’s crown jewels. In short, these controls should simply slot into an existing framework of operational excellence and governance and reporting. Armed with this, security teams can automate much of the manual work and more easily hold others accountable. Panaseer is proven to double security team productivity, in effect creating two heads for every one, without any additional cost.


MYTH FOUR: THE GORDIAN KNOT

There is too much data complexity for CISOs to comprehend.

Next comes the Gordian Knot, an intractable and complex knot that nobody could untie. Again, we can draw parallels here with the great complexity facing security teams, who are often drowning in data and lacking in insights. Security teams can spend hours and days trying to make sense of what all the signals and information mean, tying themselves in further knots and unable to see the wood for the trees. It’s not the fault of the security or IT teams; it’s a simple consequence of the fast pace of digitisation and businesses’ desire to leverage new technologies, which invite new threats.

With a full view of their security tools, their risk exposure, and their accountability, some security teams might still be overwhelmed. There are so many potential issues, each with complex causes and a wealth of data from multiple sources behind them, that they cannot begin to comprehend a solution.

Yet like Alexander the Great taking the initiative to swipe through the Gordian Knot with a single cut, security teams can use analytics as their sword. The more overwhelmed teams are with data, the more information they have available; it just needs to be ‘data scienced’ to clean, de-dupe, normalise, and reveal relationships between the assets and the business. For instance, a team might know there are 5,000 machines to patch, but the risk may be low on most of those devices, so just 500 or even 50 are in urgent need, based on actual business priorities.

The truth is that the right data to give the right insights is out there for teams, but it may be out of reach, fragmented or manually processed – making it appear far more complex than it truly is. The key is finding the right approach – one based on data science and automation. With this approach to CCM, teams can remove the fog of war, and move from tribal knowledge to turning complex data into insights that allow them to identify and prioritise solutions.

It’s even better than simply cutting through the Gordian Knot. By harnessing the data available in each security, IT and business tool, the data science approach means each tool makes the others more effective. Rather than being overwhelmed by more data, CISOs have access to layers of information that help inform decisions and priorities. To make the best use of this information it’s better to identify a small number of important priorities, such as the extreme case of the hypothetical user who always clicks on phishing links; is missing endpoint protection; has privileges that are not appropriately protected in the vault; is accessing an important business service; which in turn is running on a server with a critical vulnerability that does not have a patching agent. Addressing this one user’s issues would pay dividends.

CCM helps harness the right data to make big problems smaller, while also helping identify the root cause of process problems, such as aged vulnerabilities being re-introduced in a build server, by showing the big picture. It turns the overwhelming data, or Gordian Knot, into insights and priorities based on business – not just technical – importance.
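The prioritisation the last two paragraphs describe (a large patch backlog shrinking to the handful of findings that matter, ranked by business context rather than scanner severity alone), as an added example that is not Panaseer’s code or part of the original post. The hosts, the business-service mapping, the score weights and the placeholder CVE identifiers are all constructed assumptions; a host the scanner reports but the CMDB has never seen is scored as unprotected rather than ignored.

```python
"""Prioritise a patch backlog by business context, not CVSS alone (added example)."""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    cve: str        # placeholder identifiers, not real CVEs
    severity: str   # scanner's own severity label
    age_days: int   # days since first seen


# Constructed context joined from CMDB, EDR, vault and business-service mapping.
CONTEXT = {
    "web-01": {"exposure": "external", "crown_jewel": True, "edr": True, "patch_agent": True},
    "db-07": {"exposure": "internal", "crown_jewel": True, "edr": False, "patch_agent": False},
    "lap-0042": {"exposure": "internal", "crown_jewel": False, "edr": True, "patch_agent": True},
    "build-03": {"exposure": "internal", "crown_jewel": False, "edr": True, "patch_agent": False},
}
# Unknown asset: no CMDB record, so assume nothing protects it.
UNKNOWN = {"exposure": "unknown", "crown_jewel": False, "edr": False, "patch_agent": False}
SEVERITY_BASE = {"critical": 40, "high": 25, "medium": 10, "low": 3}

FINDINGS = [  # constructed scanner output
    Finding("web-01", "CVE-PLACEHOLDER-1", "critical", 45),
    Finding("db-07", "CVE-PLACEHOLDER-2", "critical", 10),
    Finding("lap-0042", "CVE-PLACEHOLDER-3", "critical", 60),
    Finding("build-03", "CVE-PLACEHOLDER-4", "high", 90),
    Finding("web-01", "CVE-PLACEHOLDER-5", "medium", 5),
    Finding("unknown-99", "CVE-PLACEHOLDER-6", "high", 10),
]


def score(f: Finding, context: dict) -> int:
    """Higher means more urgent: severity plus exposure, business impact and missing controls."""
    ctx = context.get(f.host)
    s = SEVERITY_BASE.get(f.severity, 0)
    if ctx is None:
        ctx, s = UNKNOWN, s + 15   # asset not in the CMDB at all
    if ctx["exposure"] == "external":
        s += 20
    if ctx["crown_jewel"]:
        s += 20                    # supports an important business service
    if not ctx["edr"]:
        s += 10                    # no compensating detection control
    if not ctx["patch_agent"]:
        s += 10                    # the normal patch process will not fix it
    if f.age_days > 30:
        s += 5                     # already outside a 30-day patching SLA
    return s


def prioritise(findings, context, urgent_threshold=70):
    """Return (all findings ranked, the urgent subset) for a given threshold."""
    ranked = sorted(findings, key=lambda f: score(f, context), reverse=True)
    urgent = [f for f in ranked if score(f, context) >= urgent_threshold]
    return ranked, urgent
```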


MYTH FIVE: THE SISYPHEAN STRUGGLE

CISOs have to push the boulder on their own, doomed to never reach the summit

Finally, we reach the myth of Sisyphus. A devious tyrant, Sisyphus was punished by Zeus to toil in Hades, forever pushing a rock up a slope only for it to slip and roll back down when he got to the top. Security leaders have a difficult job, doing all they can to protect their enterprises. Yet despite their best efforts it can feel like an unwinnable struggle, constantly toiling yet never reaching the summit.

For the modern CISO, this metaphorical boulder is constantly changing shape and size, with the slope shifting underfoot. Many feel like they are set up to fail. They don’t have visibility of their IT and digital estates, or the status of the security controls that protect them. It therefore becomes difficult to communicate and prioritise as ‘you can’t manage what you can’t measure.’ Security is a team sport, and the Sisyphean struggle sometimes boils down to the loneliness of a CISO carrying the burden of the business. After all, as we’ve shown it’s all about business risk, not CISO risk.

As we can see from previous myths it’s possible to solve these issues. Yet many CISOs will still find they cannot engage the wider business to fully collaborate in achieving the intended residual risk position – making them feel like they are fighting an unwinnable fight single-handed. Ultimately, if the rest of the C-suite cannot understand risk, cannot understand how their actions affect risk, and cannot understand what their responsibilities are, CISOs find themselves taking all that responsibility on their shoulders.

What’s more, with multiple regulatory pressures building on organisations – from SEC rulings around disclosing security risk, to legislation such as CPRA – and the threat landscape shifting constantly, it becomes harder to reach the top of the mountain. A single slip can send the rock tumbling.

Yet it needn’t be this way. CISOs don’t have to push that boulder on their own, and the summit isn’t unreachable. They can create a culture of ‘we’, where accountability and responsibility are shared across the business. Using the right tools will enable clear communication with non-technical teams, helping drive accountability and ensure everyone is pushing in the same direction. CCM enables this cross-functional collaboration by ensuring all stakeholders can see the information they need to see according to their role. The myth of the Hydra touched on CCM’s value in both providing high-level summary information and being able to drill down to any asset, vulnerability, patch or security tool. Beyond that, CCM ensures full transparency and data lineage for all the information in the platform.

This transparency helps democratise data quality and removes any human bias or error from the automated process. It stops people turning up to meetings with their own data and arguing about what that data shows, instead of working on solving the issue. CCM helps channel that energy positively, towards achieving business goals. When business leaders and their business, IT, GRC, audit and security teams are working together with trusted information translated to their needs, they can create a culture of accountability. And in turn CISOs become business enablers rather than risk takers, as everybody carries their own rocks.

Final thoughts

By banishing these myths, CISOs can escape their apparently unwinnable struggle. CCM can provide full visibility of the IT estate and of security controls’ coverage and effectiveness. It can translate that technical information for non-technical stakeholders and map it to business priorities. It can enable the CISO to both orchestrate operational excellence and provide governance and risk reporting in the same platform. It can harness the power of data to move from information overload to turning big problems into smaller problems, with data-driven insights that help prioritise. And it can provide a single platform to enable cross-functional collaboration, achieving a culture of accountability.

Ultimately, every business needs to take risks, but they need to be informed. A rigorous, scientific approach to CCM will be essential in helping CISOs sort truths from legends, overcome myths, and focus on enabling the business to make informed choices, together.