We live in an increasingly interconnected and perilous world. The SolarWinds supply chain hack and the recent Microsoft Exchange Server exploits have brought the risk from vulnerable partners into clear focus.
Enterprises are spending tens of millions of dollars to recover from attacks like these, and may lose even more from downtime and reputational damage. The increasing pressure on organizations to get their security house in order highlights how vital the role of the Chief Information Security Officer is to ensuring business resiliency.
How are top security professionals dealing with the increase in threats? What’s foremost on their minds? Alongside Silicon Valley Bank, we convened a panel of more than two dozen top security executives across a wide range of enterprises to talk about what’s on their plates for this year, and what the CISO of 2025 might look like. Here are their top priorities.
Reframing the Conversation Around Business Value
Security incidents continue to increase at an exponential rate. Yet CISOs still struggle to get adequate resources, because the C-suite and the board see security as a cost center. In response, many top security professionals are redefining the conversation around business value and risk avoidance.
What is the risk to the business if a vulnerability is exploited? What will a data breach or ransomware attack cost the enterprise in downtime, reputational damage, or liability? How can compliance with regulatory requirements enable the business to enter new markets? These are the kinds of questions more likely to elicit a favorable response – and more funding – from top decision makers.
CISOs can also be viewed as general managers who focus on enabling the business to grow. When a company becomes HIPAA compliant, the security team is enabling the business to enter the healthcare market — it is not just doing security compliance and mitigating risk.
The Evolving Role of the CISO
To help enable this shift in mindset, chief security officers are evolving into chief risk management officers. Silicon Valley Bank, for example, recently promoted its CISO to a Chief Information Risk Officer (CIRO) and hired a new Chief Privacy Officer, both of whom report to the COO.
“The role and responsibilities of the CISO may evolve the same way IT has with the division between CIO and CTO. We’ll have a Chief Security Technical Officer (CTSO) who manages security architecture, tools, tactics, and operations, while the CISO manages risk, strategy, and executive responsibilities.” – Tad Dickie, Colonial Companies
Reducing Risk from Third Parties
For some enterprises, more than half of incidents causing business outages today are third-party related. Dealing with this issue has become a high priority for many CISOs, but it’s not an easy problem to tackle.
The larger and more global the enterprise, the harder it is to adequately vet third-party suppliers. Regional business leaders often make procurement decisions based on which supplier is offering the best price, and smaller firms that are undercutting more established vendors often have little to no IT expertise. Because the barriers to entry for suppliers are lower, the number of potential vendors has grown from hundreds to thousands. Worse, many of these companies exist for only a short period of time before they disappear, leaving enterprises with legacy technical debt for years to come.
“We’re moving data around the world faster and in more ways, and we’re relying so much on the third-party supply chain that breaches are becoming a really big issue. How do we reinvent the measurement of risk for everyone in our different supply chains? The bill this presents to the security team is one we can’t pay.” – Steve Zalewski, Levi Strauss
Improving Collaboration with the Procurement Organization
Vendor risk management is key to reducing the attack surface. Enterprises are pursuing closer relationships with procurement teams so they can collaborate on standardized service agreements, onboarding questionnaires, and audit procedures for all vendors. Establishing clear lines of communication, so that a compromised supplier knows whom to contact at each firm, is also a priority.
Segmenting key administrative assets and limiting third-party access to proprietary or sensitive data are practical ways some enterprises are minimizing their exposure. Another strategy is to perform random spot checks of suppliers to ensure compliance with security agreements. Still others are deploying AI-based red team testing and risk assessment tools, or looking toward government-sponsored risk scorecards for software and IoT vendors.
You need a business mindset at the top that says ‘We’re not going to compete on security within our supply chain. We’re going to cooperate and collaborate.’ And you’ve got to explain this to the board, because otherwise no one will justify buying the part that cost twice as much.
Driving the Implementation of SecDevOps
The model of DevOps throwing a finished application over the wall to the security team to vet is no longer viable. Increasingly, development teams and security teams need to work in tandem to identify and mitigate risks before code goes into production.
Whether you call it DevSecOps or SecDevOps, you have to do these things in parallel. Otherwise the development team is going to go off and do its own thing, and then security will try to solve its own problems. Those two things need to be tied at the hip. It’s not one before the other.
Preparing for a Quantum Future
The next five years will see an even more rapid evolution in the role and responsibilities of the CISO.
The emergence of quantum encryption and decryption, the continued adoption of AI, and the widespread deployment of edge devices are some of the key technologies that are driving changes in the role of security professionals.
Over the next five years, CISOs will shift their focus away from operations and incident response and towards strategy and risk. The time-honored model of confidentiality, integrity, and availability (CIA) will become more of a trust-risk-privacy triad, with CIA falling under risk. Stronger board-level engagement is critical, and fortunately we’re starting to see that today.
In today’s world, with the recent dramatic rise in bad actors, everyone is asking how cyber can become more proactive. The answer may not be what people expect: rather than technology or products, it’s really about leadership and organizational design.