The recent news around the trial of former Uber CSO Joe Sullivan has raised quite a discussion about CISOs and their personal liability for breaches. Let's be clear: the Sullivan verdict was not so much about responsibility for the data breach as it was about the attempt to cover it up and keep information about the breach from authorities. The cover up is always worse than the incident.
But the fact that a breach carried out by threat actors (internal or external) can ultimately result in a CISO/CSO going to prison for years is nerve wracking for every hardworking CISO carrying the responsibility of securing a large organization.
The average cost of a breach in the United States is $9.4 million, and globally the average cost is $4.35 million. According to IBM's annual Cost of a Data Breach study, it takes an average of 277 days, roughly 9 months, to identify and contain a breach. With fines from GDPR and other regulations looming for missteps, even the most earnest CISO feels the pressure.
With so much riding on it, how an organization or a CISO responds comes down to fear, insight and confidence. The better the visibility that IT security teams and CISOs have into their infrastructure, the more they can trust that their organization is safe. In the unfortunate event of a breach, how quickly can it be discovered and stopped, and how long will recovery take?
The modern outlook is that it is not a matter of if an organization is going to be breached but when. Given that the public already expects breaches to happen, there is little reason to cover one up. In fact, this is a compelling reason to provide clarity to your board, your investors, your leadership team and your customers. With the proper tools in place, you will know what happened, when it happened and what you did to stop it.
But IMO, the Sullivan case will also usher in another big change in how the security world spends on tools.
Moving forward, the role of CISO will carry a much bigger stick. More importantly, CISOs will invest heavily in reporting tools, analytics dashboards and governance processes that give them a comprehensive view of risk and its impact across their organization.
I attended a CISO event in San Francisco a couple of weeks ago, where CISOs from businesses of various sizes shared how they manage risk. For some, risk management was clearly defined as the security organization's responsibility, which made tracking, reporting, enforcement and management of risk centralized; for others it was distributed across business units, which made visibility and control a complex challenge. But whatever the setup, the CISOs in that forum unanimously acknowledged that they were responsible for the risk of the entire organization.
Risk dashboards that collect and report data from the various security tools and present critical information to the CISO for managing and controlling risk are becoming more valuable, if they are not already. A unified identity security approach delivers what CISOs need to make informed decisions and what their teams need to ensure efficient and secure operations.
Thus the convergence of security tools, and the value proposition of a unified identity security platform that focuses on delivering such centralized risk dashboards, will become all the more indispensable to CISOs.
See below for more information about how to implement a unified identity security approach and how to reduce anxiety about breaches.