Three technical challenges that keep CISOs up at night  

Today’s columnist, Baber Amin of Veridium met with industry notable Ed Amoroso at the RSA Conference earlier this month to talk about the threats and technical challenges that keep CISOs up at night. (Credit: Getty Images Stock Photo)

When I caught up with TAG Cyber CEO and Founder Edward Amoroso at the RSA Conference earlier this month, we discussed the weight of the CISO’s job.

Amoroso said sitting at the interface between security staff curating cyber controls and senior management governing cyber risk, the CISO has had to learn a plethora of executive skills related to communication, interaction, negotiation, sales, budgeting, and people.

When I asked him “What keeps a CISO up at night?” Amoroso named numerous challenges he hears every day. As we narrowed our focus to technical issues, three main challenges rose to the top.

  • Identity: It’s no secret that the root cause of nearly every major cyber breach we’ve seen over the past few years has been an insufficient set of controls related to identity. Amoroso said the traditional method of issuing user IDs and passwords has been shown to create environments rich in account takeover and fraud. Instead, CISOs who support on-line customer engagement have had to create programs that analyze user behaviors, employ fraud detection programs, and develop advanced verification methods for account recovery and to eliminate synthetic identity fraud, and do so consistent with regulatory and compliance objectives. There’s also the internal friction that slows business processes across the enterprise and adds complexity to routine employee tasks and responsibilities. For example, at a recent banking conference, several attendees shared how their organizations’ continuing reliance on physical authentication tokens for branch floor personnel creates ongoing headaches and daily delays. Replacement of lost tokens and trips home to retrieve forgotten ones are routine. Amoroso said he hears similar challenges within other sectors, especially ones using roaming and/or shared workstations and relying on physical tokens for enhanced security.

  • Asset inventory: This one gives both CISOs and IT operations teams headaches. While most security pros might think that keeping an asset inventory of devices and endpoints would be a foundation for all security controls, it’s often neglected by enterprise teams. Amoroso said the most common issue that emerges with respect to inventory involves sprawl. An organization might have started one or more decades ago with a reasonably manageable inventory. But growth of data creation, minimal data removal, corporate actions (such as mergers), third-party data creation, explosion of app usage, and expansion to cloud and SaaS have all contributed to inventory sprawl. Amoroso said CISOs and their IT partners need to initiate a comprehensive program to tackle their inventory, including identities. Such a program should use the best available technology that can locate, classify, and secure all assets and resources. Without such action, it seems inconceivable that a security architecture can be viewed as standing on solid foundations.

  • Complexity: By complexity, Amoroso means the difficulty any person or group has in understanding the IT infrastructure, security systems, and business processes of an organization. Every CISO knows that complexity in these areas always implies insecurity – and, in recent years, complexities have abounded. Amoroso said security teams need to ask the simple question of whether they have schematics for the network infrastructure, deployed systems and applications, and all stored data. If a CISO does not have diagrams of how the enterprise network has been arranged, then the environment has simply become too complicated. “Good technology from commercial vendors can be used to scan and graph the network,” Amoroso said. “Managers can also demand that engineers and operators focus on simplifying infrastructure in day-to-day decision-making. Here’s a hint: If you are adding complexity to your security architecture, you might be doing things wrong. Removing complexity is always the best security action – and will help with CISO sleep patterns.”

More than ever before, CISOs are faced with complex challenges that demand the evolution of their enterprise. We’re seeing firsthand through our customers’ eyes how the adoption of AI and machine learning can offer a far better, more efficient and effective experience for employees and customers. But that comes with its own set of challenges regarding bias, a topic for another day.

Baber Amin, COO/CPO of Veridium

At Ping Identity, Mr. Amin is currently CTO for West, helping customers with their IAM strategy, zero trust architecture, and modeling for a privacy-first approach. At Ping Identity he is guiding the product roadmap for Zero Trust and AI/ML strategy, championing privacy-by-design principles, and evaluating M&A fit. Previously, he was responsible for Ping’s solution offering around OpenBanking, GDPR, Privacy, and Consent across Ping’s product portfolio; solution-centric go-to-market and pricing strategy; and Ping Identity solutions in employee- and consumer-centric Identity and Access Management. Prior to Ping Identity, Mr. Amin served as Senior Director of product management for IDaaS solutions at Oracle Corp. and CA Technologies. Before that, Mr. Amin served as Director of Cloud Security with Novell Identity and Security. He was responsible for crafting Oracle’s IDaaS strategy and setting direction for the future of Identity Services. At CA Technologies, Mr. Amin’s primary responsibility was for the CA Advanced Risk Based and Multifactor Authentication offering and CA IAM product and service strategy in the cloud, including its next-generation cloud security service offerings. During his time at Novell, he helped position Novell as a thought leader in identity-based services, cloud and enterprise security. His primary role was to lead the overall strategy for Novell Cloud Security and oversee ongoing product direction in the area. Mr. Amin is also an author on several patents in software security, web caching and content distribution, and a speaker at various events.
