Ensuring the security, availability and authenticity of the various data sets that a company creates or is entrusted with by its partners and customers should be top-of-mind for a chief information security officer (CISO) focused on cyber security risk. It’s a broad brush indeed, and for many smaller companies a dedicated CISO is a luxury they simply cannot afford. That does not remove the need, however, for the CISO’s responsibility and accountability to fall within the remit of a senior company executive.

Cyber Security Risk

That said, does the role of the CISO require technical or business acumen? In her recent keynote address at SC Magazine’s Toronto Congress, IBM’s Global CISO Joanne Martin highlighted the need for information technology professionals to be prepared to deliver actionable insights about threats to their respective companies’ leadership and boards. According to Martin, the top cyber security risks identified by her team at IBM are the security risks that accompany the continued use of machines running Windows XP, which remains embedded in parts of IBM’s systems. Microsoft ended support for Windows XP on April 8, 2014.

Crown Jewels

Couple the Windows XP migration effort with the continued avalanche of breaches affecting customers, patients and company internal data, and every CISO has his or her hands full. These issues aren’t the type that executives and boards of directors sit with quietly. Boards of directors have sat up and noticed as more and more companies have been pilloried following a breach or cyber security incident that puts customers, partners or the company itself at risk.

When the existence of a cyber security risk has been recognized by the board, the CISO is asked, “Do you know what constitutes the ‘crown jewels’ to the company and what the damage will be to the company should they be lost, stolen or otherwise compromised?” Crafting a cyber security risk mitigation strategy to protect data is a challenge, and it is important to know where the most valuable information lies. If you are a new (or established) CISO and don’t have this answer, you now have your task.

Malicious Code and Sustained Probes

For those who have followed the prognostications in the annual security reports issued in the first half of 2014, CISOs are facing two major types of incidents within the cyber attack continuum: malicious code and sustained probes. These are the same issues identified in IBM’s annual report issued in July 2013. The challenge for CISOs will be processing the extraordinary amount of data fed to them from the near-constant probing of their company’s infrastructure while also maintaining a level of service that lets their constituency conduct business unimpeded. The reality is that, once they have penetrated the perimeter, the more advanced entities will burrow deep into the infrastructure, turning an initial snatch-and-grab compromise into a long-term engagement. Therefore, the challenge for the CISO will not only be monitoring the outside coming in, but also the inside going out and any anomalous activity within the company’s intranet.

Overall, the role of the CISO calls for a mixed bag of skills. CISOs need to earn their place at the leadership table, and they do so by articulating business risks and executing mitigation methodologies designed to address those risks. While CISOs may always be focused on creating solutions that assure the security, availability and authenticity of the company’s data and “crown jewels,” their measure of success will be evidenced by the continued trust of the company’s partners and customers.
