CISOs Should Adopt a Chess Mentality When Assessing Risk
Enterprise cybersecurity teams are in a nearly constant state of disruption as the cyber threat landscape grows more volatile, with ransomware attacks growing exponentially each year and geopolitical forces and new threat groups only adding to that growth.
Speaking at a cyber panel at the WWT Championship, a group of security leaders said it's time we stop playing checkers when it comes to cyber defense and start playing chess.
"In both chess and cyber, we care about tactics, moves and strategy," said WWT Area Vice President of Security Chris Konrad. "We also care about the value of our assets. In the event of a cyber attack, it's inevitable you will lose a few pawns. But protection of your kings and queens, or in business our assets, is absolutely critical."
Aligning security with the business
To even begin adopting a chess mentality, CISOs need to get their teams out of traditional silos and start working more closely with business stakeholders to assign values to the data sets and assets executives are trying to protect.
"There is no keeping up (with cyber threats)," said Lee Hutcheson, CISO for Camping World. "You're always trailing. You can build depth, but where I've seen success is by getting out of 'IT speak' and starting to speak the language of the business and measuring risk in their terms."
Hutcheson said executives and board members typically want to understand more about timeframes, what the company's vulnerability profile looks like, and what costs are associated with bridging those gaps.
Security and digital transformation
Katie Heyel, a managing director at WWT who works with clients on digital transformation initiatives, said CISOs and security teams should prioritize three areas when integrating security in transformational initiatives, which often span a company's entire organization.
- Embed security at the onset of the overall program and strategy. "It's tempting to think of security as an afterthought when you're going through strategy and planning because the team is so focused on hypergrowth or getting to market faster," she said. "But security is critical to digital success -- they are inseparable. Teams that can plan and integrate the two can succeed and protect the business at the same time."
- Understand the risk you will inherit when your digital plan is in place. "Moving to digital is imperative, but it also significantly increases risk as it broadens the attack surface. So you need to understand the security implications going in and how you will plan to manage it."
- Use security intelligence to your advantage. "A proactive operating model will utilize measurements that use human analysis, automation and AI to increase operational resiliency to quickly detect and analyze or solve for threats."
Chad Garner, vice president for SASE sales at Palo Alto Networks, said that, moving forward, organizations will need to continuously increase agility and be open to adopting new technologies.
"It's not slowing down, and adversaries are only accelerating," he said.
Related: WWT Research recently published a report outlining key priorities for building security into the core of your business and moving confidently into the future.
Mining for cyber talent
Heyel said the biggest need for CISOs heading into 2023 remains talent.
Jasson Casey, Beyond Identity's CISO, said finding, hiring and training talent is a challenge facing every security team, no matter the industry.
Casey said with talent shortages everywhere and competition fierce, CISOs should get creative in how they find and hire talent.
"Not every security role needs the same style of background," he said. "For us, the most important thing is identifying people that are system thinkers."
Charlie Lawhorn, a Chief Digital Advisor at WWT, said he hears from a lot of organizations that talent doesn't exist or isn't available, but he challenges talent management teams to follow Casey's mindset of getting creative.
"Sometimes IT leaders just aren't always looking in the right places," Lawhorn said. "Maybe the talent simply doesn't exist where you're looking. Some roles like cloud or security are for sure very lean talent pools. But you need to look at different markets and different industries.
"I recently met with a big grocer and one of the biggest gaming companies in the world within a few weeks of each other and they have the same tech and skill challenges. Different industry but same challenges," he said. "Hiring talent is hard. It's hard for us too. But the challenge is to look for talent in different places than you have been."
Related: WWT CEO Jim Kavanaugh recently published an article about how hiring managers can sidestep a "perfect storm" brewing in the talent market with a more strategic approach to staffing.