There’s so much cybersecurity news these days, from elections integrity to stolen credit reports to the latest cybersecurity start-up, sometimes it feels like you need a decoder ring to make sense of it all.
One way to start breaking through the jargon and intrigue is to try viewing these issues through the lens of the Chief Information Security Officer (CISO), typically the top cybersecurity executive at a company.
The CISO role dates back to 1994, when banking giant Citigroup (then Citi Corp. Inc.) suffered a series of cyberattacks from a Russian hacker named Vladimir Levin. The bank created the world’s first formal cybersecurity executive office, and hired Steve Katz to run it.
Today, Katz is a go-to name in the industry. He works as a cybersecurity consultant and has a track record of supporting high-value information-sharing initiatives in finance, and more recently in health care.
Katz says it’s important for people to understand the responsibilities of the people who oversee cybersecurity. This way, people can be better prepared to interpret headlines and know what really matters.
Investors need to understand how the business works too, as more cybersecurity companies enter a crowded marketplace, vying for business, venture funds or new capital from an IPO.
Valentyn Ogirenko | Reuters
A view shows a laptop display showing part of a code, which is the component of Petya malware computer virus according to representatives of Ukrainian cyber security firm ISSP, at the firm’s office in Kiev, Ukraine July 4, 2017.
What a CISO does
The responsibilities of CISOs vary by industry, size of company and how the organization is regulated. Different companies structure cybersecurity in different ways, but there are many common themes.
At big companies, CISOs often oversee a team of security professionals that work for the company. Smaller firms may outsource the job to a company that provides managed services. Many do a combination of the two.
We compiled this list based on research of public, private and academic resources, job postings, and interviews with cybersecurity officers and the executives who hire them.
Security operations: This function involves real-time analysis of threats, including watching the tools that monitor a company’s firewalls, entry points, databases and other internal environments. When something goes wrong, these folks are supposed to discover and triage the problem.
Cyberrisk and cyber intelligence: Corporate boards often ask CISOs to get out ahead of new types of attacks that could be harmful, business deals that could introduce risk of a breach or new products that might weaken security.
In 2017 Verizon lopped $350 million off the buying price of Yahoo, following revelations a prior data breach had affected more people than Yahoo originally stated. That’s an example of Verizon quantifying how much a cybersecurity risk costs (although the company reportedly wanted a bigger discount of up to $925 million).
When a senior official with the Office of the Director of National Intelligence told a panel in Aspen that Iranian operatives have cyber weapons poised on U.S. infrastructure, he’s relying on a complex collection of cyber intelligence.
Data loss and fraud prevention: People emailing out sensitive information, or insiders stealing intellectual property when they quit, are two examples of what these professionals handle. They use tools that monitor the flow of information in an organization, to spot when large amounts of data are leaving the company.
Security architecture: This person builds the security backbone of a company, sometimes from the ground up, in part by deciding where, how and why firewalls are used. These pros may also make decisions like how to separate or segment certain networks. They may also rely on penetration testers or ethical hackers to test the defenses they create for the company.
If you wondered how the WannaCry or NotPetya ransomware moved so rapidly between different parts of some affected companies, that’s because many companies had “flat” networks with no way to quarantine the attack between business units. A security architect could help build a more resilient network.
Identity and access management: These employees deal with credentials. When you get your username and password at a new company, it likely went through the hands of somebody in this field. These professionals maintain who has access to which tools, who gets which email addresses and how rapidly those credentials are taken away when somebody gets fired.
That last point is key and if mishandled can lead to a lot of data loss. In one famous case involving an engineering firm in Tennessee, an ex-employee was able to access valuable information for several years after leaving for a competitor because his credentials were never retired.
Program management: Once a company has measured its risks, gathered intelligence and mapped where its data is going, it may find some gaps. To fill those gaps, companies create projects and programs. Cybersecurity program managers don’t always have a deep technical background, but they know how to build and manage new initiatives meant to keep the company safer.
One example of a common program: patching systems on a regular basis. When program management is poorly handled, you can have missed patches — like the one that led to the massive data breach at Equifax and cost CEO Richard Smith his job.
Investigations and forensics: These pros are the “cops” of the cybersecurity organization, and many of them do indeed come from a background in law enforcement. When an incident occurs, they may work with outside law enforcement agencies, consulting firms, government agencies or sometimes on their own to conduct forensics. If an employee got caught emailing source code, these are the cybersecurity employees who will both prove that it happened and then may sit him or her down for a conversation about it.
When the Democratic National Committee brought in Crowdstrike and worked with the FBI on suspected email attacks during the 2016 campaign, those were two teams of investigative professionals who, in part, tried to determine who perpetrated the attack. The forensic results are what you can read in the indictment of 12 Russian nationals released last week by Rod Rosenstein.
Governance: All of this can cost a lot of money, and these employees can help mind the budget and provide other types of oversight. Security programs have to keep running smoothly or else they may never get finished. Regulations bubble up and change frequently, and employees need to be hired to staff these jobs. Good governance can involve setting up a framework based on factors important to the business, and making sure the entire cybersecurity organization is functioning well. A lack of governance can lead to big problems, such as CEOs never getting a clear picture of significant cyber problems in their organization, or senior officials never getting properly trained on how to spot phishing attempts.
In the end, security is about people
The security profession has all these well-established roles now, but in 1994, Katz was starting from scratch.
The world of telecommunications and the internet were just starting to blend, and the hacker, Levin, had tried to steal $10 million by gaming the international funds transfer system, which was then run on phone lines.
The fraud was found by Citi employees who examined wire transactions on printouts on green-bar paper. They saw the anomalies and raised a red flag to senior management.
“It shows you the importance of people within the overall information security process. Your greatest risk, and your greatest asset,” he said.
Levin was later arrested at JFK airport in New York, tried in district court and sentenced to three years for his crimes.
Of those stolen funds, all was recovered but $400,000, Katz explained. That number is dwarfed by many large cyberattacks today.