In the last decade the role of the chief information security officer (CISO) has evolved considerably. Not long ago, the CISO was considered a part of the IT team and their main focus was on building firewalls, implementing antivirus and keeping spam emails at bay. Today, however, things are very different.
The huge surge in attacks over the last decade means cybersecurity is the biggest challenge organizations face today, and attacks pose the greatest threat to their survival. This has significantly increased security awareness, and cemented the topic on the CEO’s agenda. It is now one of the most important issues discussed at board meetings. Cybersecurity today is about much more than just technology, it is a business enabler, providing key competitive advantages and, with regulatory bodies enforcing seven-figure fines on organizations that gamble with security, it can have significant consequences for the bottom line.
As a result, the CISO is now incremental to the safe and successful operation of any organization, and many have been moved from the basement IT suite into the boardroom. Today, the CISO plays a key role in business strategy and company objectives, and ensures that security is included within all business processes. For instance, as organizations continue to digitally transform their businesses, the CISO is there to ensure security is considered, every step of the way. However, despite the CISO’s newly established seat at the executive table, it doesn’t mean their job has gotten any easier.
One of the biggest challenges CISOs face today is around protecting the organization without impacting services. Board members want to ensure that all systems are fully updated and protected against the latest threats, but they do not want security updates to impact the availability of their services to customers, as this could create financial loss. However, any person working in IT security knows there is no way to guarantee this.
Some security updates will cause accidental downtime, while others require a system restart for them to take effect. This essentially means the CISO is caught between two fires – carrying out essential updates, which could cause service interruption and impact the bottom line. Or, leaving vulnerabilities unresolved and hoping they are never exploited by attackers. The latter is high-risk and definitely not recommended. So, what is the solution?
When a CISO finds themselves in this situation, the most obvious answer lies in education and teaching the board about the importance of security updates. Every board member must understand that cybercrime is far from just an IT issue. It is a company-wide concern which could bankrupt the organization and/or send its customers running. Applying patches and security updates against the latest threats is one of the best lines of defense. It is also worth reminding them that any CEO that gambles with security will not be in their job for long.
However, from a more technical standpoint, there are two methods that can minimize downtime but still provide a way to apply all required security patches.
First, CISOs can schedule patches in advance and apply them at times when business is generally quieter; for instance, overnight or throughout the weekend. This means customers can be warned in advance of the security updates, and, by applying them outside of peak business hours, the downtime should have little financial impact. There are also available solutions that will apply security updates automatically. These tools will use the vendor-supplied update and perform a generic assessment of the severity level based on its perceived impact to the businesses and the technical landscape. These solutions will provide details of when updates will be applied and by whom; however, they may not be applicable in all scenarios. These solutions will only allow the automation and management of known commercial off-the-shelf (COTS) software updates, and are generally not designed to manage issues on in-house-developed, bespoke software, which is often the backbone of many software-driven businesses.
Organizations should build on these approaches and deploy solutions which not only manage patches, but also take into account a threat-modeled approach. The inclusion of threat modeling into design allows new systems to be designed and built with a greater level of security and with multiple layers of defense, which will allow those defending them to take a more measured approach to patching and updating on their timetable.
While the role of the CISO has changed significantly, it certainly hasn’t gotten any easier. Many CISOs often find themselves on the hook when security patches impact customer facing services.
However, tied with an emphasis on a more security aware board and security-first company culture, there are tools which can help tackle this problem. These tools can be used to understand the vulnerabilities that pose the biggest risk and need to be patched first. The company can then deploy patches on either an automatic or scheduled basis. By following this process, CISOs can rest assured their company is protected against the latest threats, while keeping the CEO and board members happy.