Managing risk on a global scale has always been challenging, but in the wake of the COVID pandemic, CISOs have had to become even more agile. The shift to hybrid work, the rapid deployment of cloud applications, and the move to continuous integration and continuous delivery (CI/CD) have emboldened threat actors with new and broader targets.
Meanwhile, the number of devices and endpoints on organizations’ networks has increased exponentially. Two veteran CISOs lamented the challenges these changes have imposed during a webinar last week organized by Sepio, an asset detection and risk management startup. Sepio’s CISO Ilan Kaplan moderated an hour-long discussion with HSBC CISO Monique Shivanandan and Carl Froggett, who was CISO at Citi for 17 years before joining startup Deep Instinct last summer as CIO.
Shivanandan and Froggett shared with Kaplan what they see as three of the most significant challenges the rapidly changing cybersecurity and risk landscape presents.
1. Maintaining Visibility of All Network Assets
Cybersecurity professionals have historically struggled to gain full visibility into what’s on their networks and the threats directed at them. Froggett noted that newer cloud-native technologies, such as container-based applications and SaaS, offer better visibility than traditional software because modern apps were built to be more secure.
But overshadowing that benefit is the sheer scale of all the components associated with modern applications. “An asset used to live 5, 6, 7 years, or longer if you include the underlying operating systems, whereas now the lifetime of the container may be measured in seconds or maybe minutes,” Froggett said. That creates “a whole new set of [visibility] challenges from that perspective.”
Shivanandan noted that traditional methods of capturing inventories, keeping them up to date, and monitoring them were predicated on the notion of adding assets to a network manually. But with modern applications, that doesn’t work, she said, because of the scale and the speed with which devices and software are deployed. “One of the biggest challenges that every CIO and every CISO faces is having that visibility and making sure that visibility is up to date,” Shivanandan said.
2. Avoiding New Risks When Adding Apps
Besides addressing the mounds of existing regulatory risks and the current threat landscape, security teams must also avoid being the source of new risks. Asked how they ensure that, Shivanandan said that, while reviewing the source code of every component added to the infrastructure is impossible, HSBC has rigorous processes around onboarding a new technology, which includes “a lot of pen testing and red teaming.”
“Unfortunately, with the number of parties we have, we can’t do it for everyone,” she added. “We do it for a select few.” The problem is “every software change and every new release can knowingly or unknowingly introduce something new. It’s a constant battle that we’re facing.”
Froggett said that Citi has strict processes around onboarding new technology, including pen testing and red teaming, but with the current release cadences, enforcement has become challenging. “Ultimately, you can’t usually do source code reviews” of everything that comes in, he said.
3. Recruiting and Retaining Skilled Talent
The shortage of experienced cybersecurity specialists is nothing new, but Shivanandan said it remains one of her top challenges. “All the technology in the world is only as good as the people there to make sure that we install [everything] correctly and keep it up to date,” she said.
Shivanandan said despite considerable progress, it remains difficult for women to break the glass ceiling. She believes men have an outsized presence in senior cybersecurity roles compared with the entire IT industry.
“When you start out at the lower levels, there’s [an] equal [proportion of] men and women, 50-50, sometimes even 60-40 women,” she said. “Then, as you go through the progression, the women drop out, and the men continue to progress from a seniority level.”
Nevertheless, Shivanandan said women face fewer barriers today compared with when she started out. She said, “When I was starting out, they wanted to pat you on the head and say, ‘dear, don’t worry your pretty little head, I’ll take care of technical things.’ But not anymore. There’s no ceiling for a woman to get into any position now. It’s a matter of just perseverance.”
Shivanandan considers herself fortunate at HSBC, where 40% of her leadership team is women. “The women and the men are both fantastic, and that’s the thing that you really want to look for,” she said.
Froggett said during his nearly 25 years at Citi, most of his bosses were women. “The job’s not done for sure, but there’s definitely more of a balance [of men and women in senior leadership roles than] I saw 5 or 10 years ago.”
Shivanandan emphasized that creating a diverse team goes beyond gender. A large portion of her team has some form of neurodiversity, she said. According to research, an estimated 15%-20% of people have some form of neurodivergence such as autism, attention deficit hyperactivity disorder (ADHD), mental health conditions, or learning disabilities.
Shivanandan said these conditions are often assets: “That’s what makes them fabulous in the job.” But she added, “I think that is probably harder to overcome from a career progression standpoint, from a leadership versus a technical perspective.”