How CISOs Are Thinking About Crypto

Business
October 16, 2024

“In my last place, I had a team of 60 cryptographers. Here I have one guy to look after identity management and public key infrastructure,” Jean sighed as he described to us the demands of his job as CISO of a Global 500 company. His demeanor was interesting: on the one hand, the Sisyphean list of tasks on his plate was clearly weighing heavily on his mind, but he spoke with an eagerness that conveyed how much the vocation still meant to him. He enjoyed the intellectual dilemmas cyber poses, even with all the challenges. He wasn’t burnt out yet.

Over the past few months, we had many conversations like this one with Jean in an effort to understand the key pain points for CISOs. Jean’s case is typical of many CISOs who are gaining greater responsibility with tighter budgets, not an easy task! Once an esoteric executive role, the CISO is now firmly established in the C-Suites of all leading organizations. Very few people appreciate the CISO when all is well; but when disaster strikes with a cyber breach, the spotlight shines its harsh light very brightly. The high-profile cases against CISOs at Uber and SolarWinds are two examples of how much scrutiny is now drawn to the role.

Many CISOs have a technical background and feel more at home hacking around with new gizmos than filling out compliance reports. However, the maturation of cybersecurity has meant that reporting, compliance, audit, and logging have grown to dominate their workload. This is driven by tightening regulations (HIPAA, GDPR, PCI-DSS, FIPS, DORA) and increasing dialogue with external auditors. The growing web of new technologies, network topologies, bring-your-own-device policies, and multi-cloud-with-on-prem chimeras that make up modern IT estates in large organizations has blown up the attack surface for hackers to exploit.

It is no longer possible to guarantee a zero-risk IT ecosystem, and auditors understand this, but they require a constant and thorough justification of what CISOs are doing to protect their infrastructure and data. Learning to operate to the spirit of the law is an art form that has replaced the science of operating to the letter of the law.

Understanding third-party risk is a growing headache. Where does the burden of responsibility fall between buyers and vendors, which increasingly blur together? Building a watertight internal PKI is futile if a business-critical SaaS vendor suffers an outage due to their own poor certificate hygiene. The status quo is for cybersecurity departments to fill out (in the best cases annual) audits of all external vendors, usually a checkbox exercise that all parties know is not up to the task.

Deploying new software agents to monitor an endpoint is an increasing challenge. The onerous process of navigating organizational red tape and passing through multiple phases of tech evaluation committees, and the resulting months or years of delay, drains momentum and goodwill. Time kills all deals, and all new deployments. Once a product is finally certified for deployment, security teams have to make tough decisions about how many agents to allow on an endpoint to avoid choking computers with background processes.

“I allow 30 agents maximum per endpoint. It’s one-in-one-out after that,” Jean tells me. “If my team wants to add a new agent, they need to pick one to remove.” This either requires a value judgment on the problems each agent is solving (comparing apples to oranges) or it requires the new software to additionally provide the functionality of some incumbent agent, justifying a direct replacement. Agents are necessary: there are many security functions that require direct access at the edge.

Nevertheless, there is a wariness around agents, and the CrowdStrike saga has only deepened mistrust. Despite the best efforts of countless compliance teams (and who knows how many third-party vendor audit forms and checkbox-style reports), one erroneous software update brought IT systems globally to a standstill.

When it comes to cryptography management, we’ve noticed a divide. There are CISOs who are already following regulations on cryptography in their highly regulated industries, and then there are organizations in sectors that have yet to come under tight regulation of encryption implementations. The first group wants tools that give them a continual clean bill of health, or show them the fastest route to one. The rest are too busy reacting to fire drills to get to the issue. Everyone acknowledges that cryptography is the bedrock of data protection, but as a technology it is taken for granted. Aside from IT organizations large enough to hire their own cryptographers, buyers expect that cryptography comes baked into whatever product they are buying and would prefer to wash their hands of the responsibility to maintain secure configurations, cipher suites, randomness generation, and the myriad other considerations concerning cryptography.

The themes we’ve taken away from these conversations are:

  • Save time: if your products don’t immediately give time back to the IT staff, under-resourced cybersecurity teams won’t have the capacity to use them.
  • Stronger narratives for agent-based software: cybersecurity at the edge isn’t going anywhere, but it is deeply unfashionable. Your products aren’t just competing for budget, they are competing for time (laborious red tape approvals) and for precious real estate on endpoints. Cyber products may be weighed against agents solving completely unrelated problems.
  • Make compliance easier: put the CISO’s responsibility to communicate their work to external auditors at the center of product strategy.
  • Third-party security: the perimeter between internal and third-party software is now so ill-defined that assigning responsibility when things go wrong is extremely difficult. Products that shed light on this perimeter or that reduce the bureaucracy to assure third-party vendors will thrive.
  • KISS (keep it simple, stupid): products that focus on simplifying IT infrastructure management while guaranteeing a robust cybersecurity posture in the constantly evolving, complex IT ecosystem will succeed.

Tech gets inexorably more complicated. There are dozens of software solutions to every business problem today, and each introduces its own strengths and weaknesses into the IT organism. Cybersecurity solutions of tomorrow can no longer be mainly about the tech. Cyber is too important today; too many non-technical people are paying attention. The products that will win tomorrow’s market will be the ones that communicate effectively, from the coders punching away at keyboards all the way up to the C-Suite, and, god forbid, maybe even fraud investigators at the SEC.

What are your thoughts on the key pain points for cyber organizations today? Let us know at discover@sandboxaq.com.

Author:

David Joseph is a product manager in the Cybersecurity Group. Formerly a researcher, he has a background in theoretical cryptography and in quantum computing applied to attacking information security, which he studied during his PhD at Imperial College London. He is an author on “Syndrome Decoding in the Head”, a digital signature scheme submitted by SandboxAQ and CryptoExperts to the NIST call for signatures, and a leading author on the 2022 Nature paper “Transitioning Organizations to Post-Quantum Cryptography.”