Busting the myths that are holding CISOs back: The Achilles Heel
The role of the CISO is evolving rapidly. It has transitioned from a technical to a strategic business leadership role, helping the enterprise control risk and make informed decisions. While the CISO role is fairly new, the human struggle to manage threats and risk has been ever-present, and lessons of the past inform the challenges of today.
Over this series of blogs, we’ll explore five key myths, and how successful CISOs can break free from them, using Greek myths as an analogy. The most successful CISOs have overcome these five myths to not only survive but thrive.
THE ACHILLES HEEL: CISOs have total visibility and know what their weaknesses are
Achilles was heralded as a great fighter, blessed by the Gods. Yet he had one weakness that led to his demise – his heel. The modern CISO equivalent is that they believe they clearly understand what to protect and how well they are doing. But most often it’s the things they did not know about or thought they had protected against that lead to their undoing.
In the words of Mark Twain: "It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so."
The problem for CISOs
Part of the problem is that CISOs oversee a fast-changing IT landscape that IT and security teams aren’t fully aware of. Despite investing in configuration management database (CMDB) technologies, large enterprises don’t have a complete, accurate, and up-to-date inventory of all assets. Every CMDB has duplicate assets, unknown assets, and assets with incomplete information, such as missing owners.
This lack of visibility has knock-on effects. Enterprises use security controls to protect their assets. These controls typically cover part of the IT estate, such as a group of servers, and include relevant policies, such as how many days are allowed to patch a critical vulnerability on an external server. Security controls rely on security tools, processes, and people to achieve their intended risk reduction.
These tools include cybersecurity solutions, deployed to protect assets. Yet with an incomplete asset picture, there will be gaps in solutions’ coverage, meaning tools are not deployed as intended.
Furthermore, these tools work in silos – each knows where it is deployed, but not where it is missing and should be. In an evolving threat landscape, the expanding IT estate requires more and more security tools to protect it, more than 70 on average, and more than 130 in large enterprises.
This creates an overwhelming amount of data across tens of security tools with gaps, contradictions, and duplicates. This makes it virtually impossible to see the actual attack surface and security posture.
This results in security controls being implemented inconsistently, falling short of the intended policy objectives, and deployed across only part of the IT estate.
Well-intended enterprises spend tens or hundreds of millions of dollars on technology, people, and processes to protect themselves. Yet they still fall victim to security breaches due to these inevitable gaps, therefore missing the benefit of their significant investment.
This ‘Achilles Heel’ undermines confidence in hard-working security teams and adds to the already growing legal and reputational pressure on today’s CISOs.
How to help CISOs
The good news is that while each tool on its own is an unreliable witness, together they can tell you everything.
Furthermore, these tools help improve the CMDB by identifying more assets, and helping build a complete and accurate picture of the IT estate and security posture.
CISOs need a way to consolidate all these different witnesses and create a single source of truth. Continuous Controls Monitoring (CCM) provides a consistent and automated ‘golden source of truth’ about assets, controls coverage, controls effectiveness, and performance against SLAs.
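The consolidation step described above, as an added example written for this post (it is not Panaseer's product code): several constructed tool inventories, with hypothetical host names and an assumed internal DNS suffix, are normalized and merged so that CMDB duplicates, assets unknown to the CMDB, and per-tool coverage gaps fall out of the comparison.

```python
"""Merge siloed security-tool inventories into one asset picture.

Each tool is an 'unreliable witness': it lists only the assets it knows.
The sample data below is constructed; host names and the domain suffix
are hypothetical.
"""
from collections import Counter

# Constructed inventories: CMDB plus three security tools (hypothetical names).
INVENTORIES = {
    "cmdb": ["web-01.corp.example", "WEB-01.corp.example", "db-01", "app-02"],
    "edr": ["web-01", "app-02", "jump-07"],
    "vuln_scan": ["web-01", "db-01", "app-02", "jump-07", "legacy-03"],
    "patching": ["app-02", "db-01"],
}
DOMAIN_SUFFIX = ".corp.example"  # assumed internal DNS suffix


def normalize(name):
    """Canonical asset key: lowercase, trimmed, internal DNS suffix removed."""
    name = name.strip().lower()
    if name.endswith(DOMAIN_SUFFIX):
        name = name[: -len(DOMAIN_SUFFIX)]
    return name


def consolidate(inventories):
    """Build the union of all witnesses and report what each one misses."""
    normalized = {tool: [normalize(n) for n in names] for tool, names in inventories.items()}
    # Duplicate records inside one source (e.g. a host entered twice in the CMDB).
    duplicates = {tool: sorted(k for k, c in Counter(ns).items() if c > 1)
                  for tool, ns in normalized.items()}
    seen = {tool: set(ns) for tool, ns in normalized.items()}
    every_asset = set().union(*seen.values())  # the consolidated 'golden' asset list
    cmdb = seen.get("cmdb", set())
    return {
        "assets": sorted(every_asset),
        # Assets the security tools know about but the CMDB does not.
        "unknown_to_cmdb": sorted(every_asset - cmdb),
        "duplicates": duplicates,
        # Coverage gap per tool: assets another witness reported but this tool lacks.
        "coverage_gaps": {tool: sorted(every_asset - assets) for tool, assets in seen.items()},
        "coverage_pct": {tool: round(100 * len(assets) / len(every_asset), 1)
                         for tool, assets in seen.items()},
    }


if __name__ == "__main__":
    report = consolidate(INVENTORIES)
    for key in ("assets", "unknown_to_cmdb", "duplicates", "coverage_gaps", "coverage_pct"):
        print(f"{key}: {report[key]}")
```

In real deployments the normalization step would also reconcile IP addresses, cloud instance IDs and agent IDs, since host names alone rarely give a reliable join key.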
Panaseer helps improve risk visibility by up to 150%, increase control coverage by up to 50%, and doubles the effective size of the security team by automating the manual work of reporting on and managing siloed tools.
It ensures the return on investment of all your security technology, people and processes – immediately making the business more secure and more efficient. Within hours, unknown assets and control coverage gaps are identified, and easily fixed.
Unlike Achilles, today’s CISO’s vulnerability is both created by and solvable with technology. Once CISOs have full visibility of assets and security tools, they can fully leverage their tools to protect the assets.
Read more
Come back soon to read the next installment in the myth-busting series.