
From Achilles to Zeus: five myths holding CISOs back

The role of the CISO is evolving rapidly. It has transitioned from a technical to a strategic business leadership role, helping the enterprise control risk and make informed decisions. While the CISO role is fairly new, the human struggle to manage threats and risk has been ever-present, and lessons of the past inform the challenges of today.

Jonathan Gill

Over this blog, we’ll explore five key myths, and how successful CISOs can break free from them, using Greek myths as an analogy. The most successful CISOs have overcome these five myths to not only survive but thrive.

1. The Achilles Heel: CISOs have total visibility and know what their weaknesses are

Achilles was heralded as a great fighter, blessed by the Gods. Yet he had one weakness that led to his demise – his heel. The modern CISO equivalent is that they believe they clearly understand what to protect and how well they are doing. But most often it’s the things they did not know about or thought they had protected against that lead to their undoing.

In the words of Mark Twain: "It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so."

The problem for CISOs

Part of the problem is that CISOs oversee a fast-changing IT landscape that IT and security teams aren’t fully aware of. Despite investing in configuration management database (CMDB) technologies, large enterprises don’t have a complete, accurate, and up-to-date inventory of all assets. Every CMDB has duplicate assets, unknown assets, and assets with incomplete information, such as missing owners.

This lack of visibility has knock-on effects. Enterprises will use security controls to protect their assets. These controls typically cover part of the IT estate, such as a group of servers, and include relevant policies, such as how many days to patch a critical vulnerability on an external server. Security controls rely on security tools, processes, and people to achieve their intended risk reduction.

These tools include cybersecurity solutions, deployed to protect assets. Yet with an incomplete asset picture, there will be gaps in solutions’ coverage, meaning tools are not deployed as intended.

Furthermore, these tools work in silos – they know where they’re deployed, but not where they aren’t (but should be). In an evolving threat landscape, the expanding IT estate requires more and more security tools to protect it, more than 70 on average, and more than 130 in large enterprises.

This creates an overwhelming amount of data across tens of security tools with gaps, contradictions, and duplicates. This makes it virtually impossible to see the actual attack surface and security posture.

This results in security controls being implemented inconsistently, falling short of the intended policy objectives, and deployed across only part of the IT estate.

Well-intended enterprises spend tens or hundreds of millions of dollars on technology, people, and processes to protect themselves. Yet they still fall victim to security breaches due to these inevitable gaps, therefore missing the benefit of their significant investment.

This ‘Achilles Heel’ undermines confidence in hard-working security teams and adds to the already growing legal and reputational pressure on today’s CISOs.

How to help CISOs identify risk

The good news is that while each tool on its own is an unreliable witness, together they can tell you everything.

Furthermore, these tools help improve the CMDB by identifying more assets, and helping build a complete and accurate picture of the IT estate and security posture.

CISOs need a way to consolidate all these different witnesses and create a single source of truth. Continuous Controls Monitoring (CCM) provides a consistent and automated ‘golden source of truth’ about assets, controls coverage, controls effectiveness, and performance against SLAs.
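The consolidation described above, as an added example that is not Panaseer’s code: three siloed inventories (a CMDB, an endpoint agent, and a vulnerability scanner) are reconciled into one record per asset, which exposes the CMDB duplicates, the assets with no owner, and the machines that one tool sees but another does not. The inventories, field names and tool names are constructed sample data and assumptions.

```python
"""Reconcile asset inventories from several siloed tools into one view.

Added example, not Panaseer code. All records below are constructed sample
data; the source names and field names are assumptions.
"""
from collections import Counter, defaultdict

# Constructed sample inventories: each tool only knows what it can see.
CMDB = [
    {"host": "WEB-01.corp.example", "owner": "payments"},
    {"host": "web-01.corp.example", "owner": None},      # duplicate of the row above
    {"host": "db-02.corp.example", "owner": None},       # known, but nobody owns it
]
EDR = [
    {"hostname": "web-01", "agent_version": "7.2"},
    {"hostname": "app-03", "agent_version": "7.1"},      # the CMDB has never heard of it
]
VULN_SCANNER = [
    {"asset": "WEB-01.CORP.EXAMPLE", "critical_findings": 2},
    {"asset": "db-02.corp.example", "critical_findings": 1},
    {"asset": "app-03.corp.example", "critical_findings": 3},
]


def normalize(name: str) -> str:
    """Case-fold and drop the domain suffix so one machine matches across tools."""
    return name.strip().lower().split(".")[0]


def cmdb_duplicates(cmdb):
    """Hostnames that appear more than once in the CMDB after normalisation."""
    counts = Counter(normalize(rec["host"]) for rec in cmdb)
    return {name: n for name, n in counts.items() if n > 1}


def reconcile(cmdb, edr, scanner):
    """Merge the three inventories into one record per asset.

    Each record carries the set of tools that saw the asset, the first owner
    any CMDB row supplied, and the scanner's critical finding count.
    """
    assets = defaultdict(lambda: {"sources": set(), "owner": None, "critical_findings": 0})
    for rec in cmdb:
        entry = assets[normalize(rec["host"])]
        entry["sources"].add("cmdb")
        entry["owner"] = entry["owner"] or rec["owner"]
    for rec in edr:
        assets[normalize(rec["hostname"])]["sources"].add("edr")
    for rec in scanner:
        entry = assets[normalize(rec["asset"])]
        entry["sources"].add("scanner")
        entry["critical_findings"] = rec["critical_findings"]
    return dict(assets)


def coverage_gaps(assets, required=("cmdb", "edr", "scanner")):
    """Assets missing at least one required tool, mapped to the tools they lack."""
    gaps = {}
    for name, entry in assets.items():
        missing = set(required) - entry["sources"]
        if missing:
            gaps[name] = missing
    return gaps


def missing_owner(assets):
    """CMDB-known assets with no owner recorded in any CMDB row."""
    return sorted(name for name, entry in assets.items()
                  if "cmdb" in entry["sources"] and entry["owner"] is None)


ASSETS = reconcile(CMDB, EDR, VULN_SCANNER)

if __name__ == "__main__":
    print("CMDB duplicates:", cmdb_duplicates(CMDB))
    print("Coverage gaps:", coverage_gaps(ASSETS))
    print("No owner:", missing_owner(ASSETS))
```

Each tool on its own is an unreliable witness: the CMDB alone would never show app-03, and the EDR console alone would never show that db-02 has no agent. Only the merged view yields both gaps, and the same merge tells the CMDB team which hostnames to de-duplicate and assign owners to.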

Panaseer helps improve risk visibility by up to 150%, increase control coverage by up to 50%, and doubles the effective size of the security team by automating the manual work of reporting on and managing siloed tools.

It ensures the return on investment of all your security technology, people and processes – immediately making the business more secure and more efficient. Within hours, unknown assets and control coverage gaps are identified, and easily fixed.

Unlike Achilles, today’s CISO’s vulnerability is both created by and solvable with technology. Once CISOs have full visibility of assets and security tools, they can fully leverage their tools to protect the assets.

2. The Sword of Damocles: CISOs are powerless to prevent disaster

When Damocles was granted his wish to taste what it would be like to be ruler, he was forced to enjoy his reign with a sword dangling over the throne by a single horse hair.

The parable represents the peril of power, having to constantly watch out for the next threat that could befall you. Again, this will feel familiar to many CISOs who fear the catastrophic breach that could ruin their reputation – with many believing that it’s less a case of ‘if’, than ‘when.’

Such feelings of dread have been amplified in the current climate. CISOs can now be held personally responsible for security failings. But this feeling of dread isn’t necessarily warranted.

The chief information security officer can end up holding the risk, but the business owns it. Whether to accept more risk or to prioritize the remediation work is a business decision, and reaching the intended residual risk position means the business investing in that work.

Enterprises start with inherent risk existing before any actions are taken to mitigate it. They then set out to achieve a residual risk position according to their appetite for risk; this is the position they are willing to invest to achieve, accepting any outcomes that come from outside this investment. Controls, in the form of technology, people, and processes, are crucial to achieving this.

The goal of a CISO

The CISO’s goal is to protect the organization at this level of residual risk. In this context, we can see the sword of Damocles is really about the risk of being breached in a way that should have been avoided according to your risk appetite.

After all, that’s what’s hard to explain to customers, investors, and your board. It’s okay if the businesses suffer a breach that they accepted might happen – it’s certainly unfortunate, but they knew the level of risk. What’s not okay is for the business to think it was protected only to find out it was breached because endpoint security wasn’t deployed to 5,000 devices, or a vulnerability wasn’t patched because the server wasn’t in SCCM.

The visibility problem we identified in the myth of Achilles is one of two reasons CISOs experience the sword of Damocles. Full visibility of the IT estate and security posture identifies any gaps in the current risk posture compared with what’s intended.

However, visibility isn’t enough. CISOs need to translate technical information for non-technical stakeholders to influence the organization. The CISO’s role is to communicate effectively so the business can take action to either achieve its residual risk position or accept additional risk.

Either way, it’s a business decision, removing the sword of Damocles from above the CISO. But this relies on the CISO communicating that risk to the business in a way it understands and accepts.

How to use Continuous Controls Monitoring

With the aid of Continuous Controls Monitoring (CCM), CISOs can build on their existing visibility of security controls to build understanding across the organization. CCM connects security, IT, and business tools to understand assets. This can be devices, servers, cloud infrastructure, users, accounts and groups, application databases, or any number of other resources. Critically, it enables an understanding of how those assets relate to both each other and the multitude of business processes, people structures, and geographical and business entities within the modern enterprise.

Using metrics, dashboards, scorecards, and heat maps to map controls to specific teams’ concerns – such as ransomware, compliance, frameworks, or patching – CISOs can provide not only visibility but full transparency over the status of their organization.

CCM helps map technical controls to language the business understands, linking to important business services; crown jewel assets; regulated services; and other business-friendly contexts to explain security to business leaders. Executive owners can see the security controls status for their area of ownership, whether that’s claims management, payment processing, the Unix estate, North America, APAC, or beyond.

CCM empowers CISOs to identify security risks to the business, make recommendations, and inform the choices that bring the business to its acceptable, intended residual risk position. Armed with this insight, the business can make informed decisions about risk, and ensure it is protected against preventable breaches. And for the CISO, that means no more sword of Damocles dangling overhead.

3. The heads of Hydra: CISOs need more tools to be secure

The Hydra was a many-headed monster with the power of regeneration. Every time a head was chopped off, another would grow back, making it almost invincible. Security teams can often mimic the Hydra approach, falling into the trap of responding to each potential new threat by ‘growing more heads’ – or, in security teams’ case, buying more tools.

They can soon find that this approach only adds to work; increases stress and burnout; and makes it harder to manage risk. As with anything in cyber security, this behavior doesn’t exist in a vacuum. More tools mean CISOs need more visibility, contributing to the Achilles heel. And they can make it harder to understand and communicate risk, making the sword of Damocles more likely to drop.

The need for complete visibility

But just as Hercules managed to neutralize the Hydra’s regeneration, so security teams can build on the lessons from busting the first two myths. With visibility in place, translated for non-technical stakeholders so that it influences business decisions, CISOs can ensure the same information is used both for operational excellence and for governance and risk reporting.

Operational excellence means using this information for every stakeholder involved in deploying controls to provide clarity, ownership, and accountability to achieve those controls’ objectives.

Governance and risk reporting means using the same information for oversight of the IT estate and security posture for all stakeholders.

While the first requires granular data about assets’ and controls’ status over time, the second requires the big picture: aggregation, high-level scores, simple summaries and heat maps, and trends.

How CCM can aid the CISO

Continuous Controls Monitoring (CCM) ensures the CISO is at the center. They are coordinating operational excellence with one hand, and governance and risk reporting with the other. All are based on the same accurate, complete, automated, and consistent information.

CCM helps security teams break the familiar pattern of constant firefighting, in which they grow ever more stressed reacting, whack-a-mole style, to every potential breach, pen test finding, or user request.

Instead, it leads to a shift-left approach, with the appropriate amount of focus on identifying and protecting against threats. This in turn reduces the amount of energy spent on detection, response, and recovery. In short, it replaces reactive crisis management with calm prevention.

In this way, CCM provides the foundation to add new tools and respond to new opportunities and threats. It helps ensure that each tool is deployed correctly, from both a coverage and policy point of view. It also means controls don’t drift from that coverage position as the IT landscape changes.

CCM is a solution for ensuring new controls are deployed with appropriate governance, and mapped to other existing controls for assets, services, and the business’s crown jewels. In short, these controls should simply slot into an existing framework of operational excellence and governance and reporting.

Armed with this, security teams can automate much of the manual work and more easily hold others accountable. Panaseer is proven to double security team productivity, in effect creating two heads for every one, without any additional cost.

4. The Gordian Knot: Too much data complexity for CISOs to comprehend

Next comes the Gordian Knot, an intractable and complex knot nobody could untie. We can draw parallels here with the complexity security teams face, who are drowning in data lacking insights.

Security teams can spend hours and days trying to make sense of what all the signals and information mean, tying themselves in further knots and unable to see the woods for the trees.

It’s not the fault of the security or IT teams. It’s a simple consequence of the fast pace of digitization and businesses’ desire to leverage new technologies, which invite new threats.

With a full view of their security tools, their risk exposure, and their accountability, some security teams might still be overwhelmed. There are so many potential issues, each with complex causes and a wealth of data from multiple sources behind them, that they cannot begin to comprehend a solution.

Yet, like Alexander the Great taking the initiative to swipe through the Gordian Knot with a single cut, security teams can use analytics as their sword. The more overwhelmed teams are with data, the more information they have available. It just needs to be ‘data scienced’ to clean, de-dupe, normalize, and reveal relationships between the assets and the business.

For instance, a team might know there are 5,000 machines to patch – but the risk may be low on most of those devices. So just 500 or even 50 are in urgent need, based on actual business priorities.

The truth is that the right data to give insights is out there for teams, but it may be out of reach, fragmented, or manually processed. The key is finding the right approach, one based on data science and automation.

With this approach to CCM, teams can remove the fog of war. They can turn complex data into insights that allow them to identify and prioritize solutions.

It’s even better than simply cutting through the Gordian Knot. By harnessing the data available in each security, IT and business tool, the data science approach means each tool makes the others more effective.

Rather than being overwhelmed by more data, a successful CISO has access to layers of information that help inform decisions and priorities. To make the best use of this information, it’s better to identify a small number of important priorities. One example is a single user who:

  • always clicks on phishing links;
  • is missing endpoint protection;
  • holds privileges that are not appropriately protected in the vault;
  • and accesses an important business service, which in turn is running on a server with a critical vulnerability that does not have a patching agent.

Addressing this one user’s issues would pay dividends.
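The chain of findings above, as an added example that is not Panaseer’s code: user, endpoint, vault, service and server records are joined on their identifiers so that one user’s compounding risk factors surface together, and the same join shows which single root cause (here, one unpatched server) sits behind several users’ findings. The records, identifiers and the “count the compounding factors” scoring rule are constructed sample data and assumptions.

```python
"""Follow the user -> endpoint -> vault -> service -> server chain and rank
users by how many risk factors compound on them.

Added example, not Panaseer code. Every table below is constructed sample
data and the scoring rule (one point per factor) is an assumption.
"""
from collections import Counter

# Constructed records, joined on user name, device id, service name and host id.
USERS = {
    "alice": {"phish_clicks_90d": 4, "device": "lt-001", "privileged": True,  "services": ["payments"]},
    "bob":   {"phish_clicks_90d": 0, "device": "lt-002", "privileged": True,  "services": ["wiki"]},
    "carol": {"phish_clicks_90d": 3, "device": "lt-003", "privileged": False, "services": ["payments"]},
}
ENDPOINTS = {"lt-001": {"edr": False}, "lt-002": {"edr": True}, "lt-003": {"edr": True}}
VAULT = {"bob": True}  # privileged accounts whose credentials are held in the vault
SERVICES = {
    "payments": {"crown_jewel": True,  "servers": ["srv-9"]},
    "wiki":     {"crown_jewel": False, "servers": ["srv-2"]},
}
SERVERS = {
    "srv-9": {"critical_vulns": 1, "patch_agent": False},
    "srv-2": {"critical_vulns": 0, "patch_agent": True},
}


def risk_factors(user):
    """Walk the chain for one user and name each factor that applies."""
    u = USERS[user]
    factors = []
    if u["phish_clicks_90d"] >= 2:
        factors.append("repeat_phish_clicker")
    if not ENDPOINTS[u["device"]]["edr"]:
        factors.append("endpoint_without_edr")
    if u["privileged"] and not VAULT.get(user, False):
        factors.append("unvaulted_privilege")
    for svc_name in u["services"]:
        svc = SERVICES[svc_name]
        for host in svc["servers"]:
            srv = SERVERS[host]
            if srv["critical_vulns"] and not srv["patch_agent"]:
                tag = f"unpatched_critical_on_{host}"
                if svc["crown_jewel"]:
                    tag += "_crown_jewel"
                factors.append(tag)
    return factors


def prioritize():
    """Users ranked by number of compounding factors, most urgent first."""
    scored = {user: risk_factors(user) for user in USERS}
    return sorted(scored.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def root_causes():
    """How many users each factor touches; a high count marks one fix with wide effect."""
    counts = Counter()
    for user in USERS:
        counts.update(risk_factors(user))
    return counts


if __name__ == "__main__":
    for user, factors in prioritize():
        print(user, len(factors), factors)
    print(root_causes())
```

Run on the sample data, alice carries all four factors and heads the list, while the unpatched server behind the payments service appears under both alice and carol, so patching srv-9 (or deploying its missing patch agent) is the one action that reduces two users’ exposure at once.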

CCM helps harness the right data to make big problems smaller, while also helping identify the root cause of process problems, such as aged vulnerabilities being re-introduced in a build server, by showing the big picture. It turns the overwhelming data, or Gordian Knot, into insights and priorities based on business – not just technical – importance.

5. The Sisyphean struggle: CISOs have to push the boulder alone, doomed to never reach the summit

Finally, we reach the myth of Sisyphus. A devious tyrant, Sisyphus was punished by Zeus to toil in Hades, forever pushing a rock up a slope only for it to slip and roll back down when he got to the top. Security leaders have a difficult job, doing all they can to protect their enterprises. Yet despite their best efforts, it can feel like an unwinnable struggle, constantly toiling yet never reaching the summit.

For the modern CISO, this metaphorical boulder is constantly changing shape and size, with the slope shifting underfoot. Many feel like they are set up to fail. They don’t have visibility of their IT and digital estates, or the status of the security controls that protect them.

It therefore becomes difficult to communicate and prioritize as ‘you can’t manage what you can’t measure.’ Security is a team sport, and the Sisyphean struggle sometimes boils down to the loneliness of a CISO carrying the burden of the business. After all, as we’ve shown it’s all about business risk, not CISO risk.

As we can see from previous myths it’s possible to solve these issues. Yet many CISOs will still find they cannot engage the wider business to fully collaborate in achieving the intended residual risk position – making them feel like they are fighting an unwinnable fight single-handedly.

Ultimately, if the rest of the C-suite cannot understand risk, cannot understand how their actions affect risk, and cannot understand what their responsibilities are, CISOs find themselves taking all that responsibility on their shoulders.

What’s more, with multiple regulatory pressures building on organizations – from SEC rulings around disclosing security risk to legislation such as CPRA – and the threat landscape shifting constantly, it becomes harder to reach the top of the mountain. A single slip can send the rock tumbling.

Yet it needn’t be this way. CISOs don’t have to push that boulder on their own, and the summit isn’t unreachable. They can create a culture of ‘we’, where accountability and responsibility are shared across the business.

Using the right tools will enable clear communication with non-technical teams, helping drive accountability and ensure everyone is pushing in the same direction. CCM enables this cross-functional collaboration by ensuring all stakeholders can see the information they need to see according to their role.

The myth of the Hydra touched on CCM’s value in both providing high-level summary information and being able to drill down to any asset, vulnerability, patch, or security tool. Beyond that, CCM ensures full transparency and data lineage for all the information in the platform.

This transparency helps democratize data quality and removes any human bias or error from the automated process. It stops people from turning up to meetings with their own data and arguing about what that data shows, instead of working on solving the issue.

CCM helps channel that energy positively, towards achieving business goals. When business leaders and their business, IT, GRC, audit and security teams are working together with trusted information translated to their needs, they can create a culture of accountability. And in turn, CISOs become business enablers rather than risk takers, as everybody carries their own rocks.

Final thoughts

By banishing these myths, CISOs can escape their unwinnable struggle. CCM can:

  • provide full visibility of the IT estate and security controls’ coverage and effectiveness;
  • translate that technical information to non-technical stakeholders and map it to business priorities;
  • enable the CISO to both orchestrate operational excellence and provide governance and risk reporting in the same platform;
  • harness the power of data to move from information overload to turning big problems into smaller problems, with data-driven insights that help prioritize;
  • and provide a single platform to enable cross-functional collaboration, achieving a culture of accountability.

Ultimately, every business needs to take risks, but they need to be informed. A rigorous, scientific approach to CCM will be essential in helping CISOs sort truths from legends, overcome myths, and focus on enabling the business to make informed choices, together.

About the author

Jonathan Gill