The 5×5—The evolving role of CISOs and senior cybersecurity executives
For Cybersecurity Awareness Month, senior cybersecurity executives share their insights into the evolution of their roles.
In recent years, the role of cybersecurity executives has shifted in the face of increasing cyberattacks and the growing risks of business disruption, fines, and reputational damage. It has expanded from a focus on technology to securing the mission of a business, non-profit, or even government body. Instead of implementing the technical aspects of cybersecurity, these executives now help their organization’s leaders understand the importance of cybersecurity and design the organization’s cyber strategy.
This Cybersecurity Awareness Month, we brought together five senior cybersecurity executives to delve into key issues faced by CISOs and other senior cybersecurity professionals, offering their insights on navigating regulatory hurdles, ransomware response, organizational risk management, and fostering a culture of security awareness. Their perspectives highlight the growing importance of integrating security into business decision-making and balancing legal liabilities with operational priorities across different types of organizations and countries.
1. Given emerging jurisdictional conflicts between governments over who should control users’ data, how do you approach new markets and/or collaboration with international partners as a cybersecurity executive, keeping in mind these competing demands?
Liisa Past (she/her/they/them), Former National Cyber Director, Estonia; Former Chief Information Security Officer, Ministry of Interior’s IT Organization, Estonia
“Europe has taken global leadership on data and privacy regulation; therefore, the EU norms and emerging best (or good enough) compliance practice are likely to become the de facto norm for the privacy-respecting, rule-of-law-based parts of the world. The dynamic could only change if the EU and US do, in fact, manage an agreement on the transatlantic exchange and processing of personal data or the US establishes appropriate bilateral deals with the largest democracies. Both seem unlikely.
At face value, the approach seems easy – make sure personal data of Europeans does not leave the European Union. After all, all major service providers have European data centers, right? In practice, the General Data Protection Regulation’s (GDPR) provisions have by no means been tested as a unified practice across the Member States. Even if there is clarity about users’ and citizens’ personal data, what about metadata or code essential for accessing and processing the data? Do you have to be able to revert to a backup within the same jurisdiction in a crisis? Would encryption and key management that is compliant with the strictest interpretations of national norms also be technically viable? How do we manage requirements and standards across information systems and data owners or processors as well as national borders and jurisdictions?
There are also plenty of views on what compliance with the requirements looks like. While many of my US colleagues are perfectly happy with a service organization controls (SOC 2 Type II) report, it is not unheard of that Europeans would not only require a much more thorough infosec standard compliance report (commonly of the ISO 27k family or the respective national standard) but also want to assess sites of the service providers, including the major cloud platform providers. The latter are less than reluctant to allow for such access to their data centers, and it is unlikely to ever be practical or doable.”
Helen Patton (she/her/hers), Cybersecurity Executive Advisor, and former Chief Information Security Officer, Cisco
“I begin by making sure I understand the jurisdictional perspectives – reading regulations, frameworks, and guides from the various governments. Often there is common ground in the control requirements, even if the motivations differ. I talk to CISOs operating in the new environment, who have experienced the things that are assumed, but unwritten, in that environment. I partner with internal government relations teams to understand our current relationships.”
Megan Samford (she/her/hers), Chief Security Officer, Schneider Electric
“The first thing a CSO would need to understand is the regulatory landscape, especially as it pertains to data sovereignty. This often requires having an experienced team of digital policy experts across many geographies. From there, if their organization is applying an international security standard, such as IEC62443, they can map their existing security controls to regional regulation to understand where they are complying and where they have gaps. Without a Common Controls Framework, demonstrating compliance across so many international regulations would be challenging to scale.”
Elizabeth Cartier (she/her/hers), Head of Security and Compliance, Maven Clinic
“There is security, and then there is compliance, and the two don’t always overlap as much as we’d hope. From a security perspective – there are definitely challenges in international expansion – like what traffic is permissible, what security tooling works with different language sets, how to get MFA to work with service providers country-to-country. From a compliance and privacy perspective – we work very closely with our legal team to understand parameters around international collaboration, and sometimes we’re all sort of waiting for clear guidance on how upstream tech/architecture companies are managing the evolving requirements. There are also certainly different expectations and norms around privacy from country to country and culture to culture that we are always looking to understand and work with.”
Michelle Chia (she/her/hers), Cyber Chief Underwriting Officer, AXA XL Americas
“Data, like other assets, holds value. How assets are used and the significance of their value dictate how those assets are protected, including jurisdictional considerations. Engaging with peer groups, e.g. ISACs, legal experts, and regulatory officials to understand the law and the culture is a great start.”
2. A ransomware attack, earlier this year, against a major health-payments provider illustrated the risks of trying to negotiate with cyber criminals. Given what we’ve learned from years of dealing with ransomware, should CISOs and senior cybersecurity executives change their response? If so, how?
Liisa Past
“Ransomware has become THE wicked problem for information security practitioners given the relatively low barrier of entry for criminals. As a sector, we should not negotiate with criminals, let alone fund their growth by paying ransoms. In a particular situation, however, it might make economic sense for the system or service owners to negotiate and pay the ransom, even if criminals do not give guarantees. Negotiating can also buy time to recover systems or otherwise mitigate damage.
Just like it is too late to take self-defense classes when already brawling with a thug with a gun, the ransomware problem cannot be solved in the response phase. So, the appropriate response of security professionals is to be prepared for the risk and take appropriate measures early and often including monitoring, segmentation of data and systems, offsite backups, and practiced revert and recovery.”
Helen Patton
“A CISO’s response will always be framed by the organization they represent. The cross-industry trend is to not pay a ransom and focus on ensuring backups and other controls are in place to mitigate the damage. But ultimately it will depend on the individual circumstances of the attack and the organization being attacked as to the correct way to respond.”
Megan Samford
“From an industry perspective, we need to drive down ransomware payments to disincentivize cyber criminals. Every payment that is made continues to fund a compounding, global problem. That being said, depending on the criticality of the asset and an organization’s confidence in being able to perform backup and restore functions, paying the ransom may be the quickest way to restoring operations. If, for example, a hospital was hit with ransomware, but the ransom amount was only $10K, they may choose to pay that amount to maintain lifesaving capability at the hospital. It’s a tough decision but I strongly recommend that organizations regularly test their backup and restore capability.”
Elizabeth Cartier
“I’m not sure if there is one single ‘response’ that can be changed. The risk matrix around ransomware response should be flexible and include consideration of your business imperatives and who you’re dealing with. I do think more awareness that paying a ransom is not a snap-your-fingers solution would inform these conversations and decisions. But as far as an overall shift – if everyone decided that payment would no longer be an option, and victims all stuck to that, it would make sense that ransomware would be a less common attack vector if it was no longer financially beneficial. However – that would require organizations and individuals to have extremely high tolerance for financial losses, downtime, data exposure, and as we see more health care operations get attacked – potential loss of human life. So, from a practical perspective, I’m not sure we’ll ever get there.”
Michelle Chia
“For years, CISOs have been collaborating with their legal counterparts to ensure that jurisdictional regulations are considered, e.g. OFAC rules in the US. Beyond that, organizations must balance their ability to respond and recover with other business decisions. Each business weighs recovery time, reputational impact, financial considerations, and other important factors differently. CISOs, senior security officials, and their peers running the business should align on what that balance is prior to experiencing an event so that they can respond confidently and in a timely manner. As an insurance carrier, we have considerable experience helping companies respond to cyber incidents. Furthermore, we have an extensive network of resources for specific areas of expertise.”
3. What are 1 – 2 metrics that you find most revealing, important, or useful in measuring cybersecurity success (or progress) for your organization?
Liisa Past
“Any security professional knows, and all organizations will need to deal with, the inevitability of cybersecurity vulnerabilities. Thus, the way these vulnerabilities are dealt with is a great indicator of maturity of the technology operation. This includes the response to publicly disclosed cybersecurity vulnerabilities as well as regularity of vulnerability scans and their patch or mitigation time. Vulnerability scanners are readily available, and the Common Vulnerability Scoring System (CVSS) score quantifies severity to help prioritize actions, assuming the organization understands their technology stack. Patch time also provides an easily mappable and explainable management metric over time for those in the boardroom.”
Helen Patton
“Metrics that measure the adoption of security practices and activities (not just security awareness training) in non-IT parts of the organization are a great indicator of the health of the cybersecurity of an organization. This includes measurement of how many times non-security people reach out to the security team, and initiate security conversations and activities.”
Megan Samford
“It goes back to why we collect metrics. As Richard Seiersen would say, we collect metrics to inform decision making, to ‘quantify, qualify, communicate, and advocate for change.’ Generally, metrics are going to be captured for protection of data, people, suppliers, financial assets, enterprise applications, and incident detection and response.
Many peers may jump at some of the fancier metrics like mean time to detect, resolve, contain incidents, etc. but I’m going to keep it old school on this – my top metric is completeness of asset inventory/devices on the network. This seems foundational and it is; but it is extremely difficult and I haven’t seen many companies that had high confidence levels in their asset inventories. This can lead to cascading problems with devices directly exposed to the internet, lack of patching, and lack of basic visibility to changes that could be made to those devices. Not to mention lateral movement that attackers may be able to more easily obtain without being detected. If possible, organizations should seek third party independent validation of their metrics.”
Elizabeth Cartier
“Patching cadence and effectiveness and vulnerability remediation are two big ones – yes, there are tailored, well-planned attacks that can target your network. The basics can make the difference between being a victim of low-level, off the shelf attacks, and demonstrate overall hygiene and uptake. I also appreciate metrics around employee-reported flags – even if they’re false positives, it means folks are trying to be security-minded and have a security-aware culture.”
Michelle Chia
“Basic security hygiene is important. Too many firms make large investments in bells and whistles and fail at the basic level.”
4. News dropped in January that the US Securities and Exchange Commission (SEC) had brought civil charges, including fraud, against the CISO of SolarWinds. We’ve also seen the CISO of Uber charged with multiple felonies. How much does the threat of personal legal liability change how CISOs do their jobs?
Liisa Past
“It is alleged that the SolarWinds CISO was aware of risks and vulnerabilities but did not address them or raise enough noise, and that the public was misled about the company’s security posture. If one is negligent in their job or misrepresents facts, they have to be held responsible regardless of the industry, be they medical or financial professionals, system administrators, security operators, or CISOs. Even selling ice cream is subject to strict food safety and hygiene regulations.
Such allegations should, of course, meet the reasonable professional test: would a reasonably qualified professional act differently in the situation? Equally importantly, no profession should be scapegoated or singled out. If the CISO raises alarm and the CEO fails to appropriately address risks, it is on them.
The SolarWinds charges drive professional responsibility home and make CISOs more likely to walk away if the organization is coming down on the wrong side of the functionality/security dilemma. Hopefully it also highlights the responsibility of the role, making those less competent or committed consider their options.”
Helen Patton
“This has a significant impact. It will change how a CISO shows up in an organization – their reporting structure and their management authority – hopefully for the better. It is also causing CISOs to question how they present their security concerns internally, versus what is reported to the market – and making sure the CISO has authority over the messaging. Finally, it is causing organizations to reconsider who is ‘in charge’ of security, and making sure that person has c-suite access and authority and is covered as an officer of the organization.”
Megan Samford
“In the absence of clear policy and regulation, the SEC charges are meant to signal to the market the behavior they don’t want to see, which is sometimes easier than articulating what behavior they do want to see. To CISOs, it must seem that an invisible line has been drawn, and the SEC will let you know if you cross it. Every CISO is currently reviewing content and claims their company has made over the last several years in regards to cybersecurity, and they’re measuring that against their confidence in security controls they’ve put in place. If you’ve made wide sweeping statements in the past claiming you follow best practices and have maintained security at the forefront of everything your organization does, you need to be able to verify that, preferably through an independent third party. Even if you have policies that define security controls and what is acceptable risk tolerance in your company, if you’re found to not be consistently following what you’ve put in policy, you’re exposing yourself and your organization to liability.
CISOs need to be thoughtful when negotiating their employment contracts to understand what insurances may be available to them, as well as where their employee versus personal protections may begin and end. In the event that a CISO is held personally liable in a criminal or civil case, that person would want to know beforehand if their organization is willing to pay their legal fees or if that’s something they will need to account for with their own finances. What may be missing from a policy perspective is whistleblower protection, something akin to Cyber OSHA, whereby individuals and organizations would have the ability to report unsafe cyber conditions to a regulatory authority without fearing civil and/or criminal legal ramifications.”
Elizabeth Cartier
“I’m interested in why, of all the executives making risk-based business decisions – and security risks are business risks – that we seem to be singling out CISOs. But generally, the threat of jail definitely makes any job less appealing, I would say.”
Michelle Chia
“C-suite executives have been held to account on a variety of management risks. Publicly traded companies are held to an even higher standard, as they have a duty of care and loyalty to their shareholders and employees. The role of CISOs is critical to their company’s operations; therefore, upholding a high standard of professionalism is paramount. All executives need to prioritize risk management, such as adopting strong communication and documentation practices that ensure transparency and accountability, to protect themselves and the organization from potential legal consequences.”
5. A recurring belief is that humans are the weakest link in cybersecurity. What do you think of this idea, and do you buy it? What strategies do you use to foster a culture of security awareness and responsibility among your employees?
Liisa Past
“Humans, of course, are most likely the weakest link because they use the IT systems and in doing so click on things, connect things and open things, generally for legitimate purposes. Security professionals have to stop treating normal and predictable human behavior as a problem and consider it a given planning assumption instead. This refocuses the conversation on designing and building systems that are secure for human use rather than trying to undo human instincts and behavioral patterns. Fault-tolerant systems, better design, monitoring and similar do not replace cyber hygiene but have to supplement it by making doing the wrong or dangerous thing hard.
For example, after a well-targeted phishing campaign had over a 50% success rate in gathering credentials of law enforcement professionals in an hour, we redesigned the login page so that the first login option was using Estonian government-provided secure digital ID, a two-factor authentication/authorization system. That drastically cut down the proportion of those even using their username and password and therefore dramatically reduced the related risks.”
Helen Patton
“I think this is a lazy answer. Instead, I suggest that ‘human’ failures are process and culture failures, and stopping at the ‘human’ as the root cause of a vulnerability misses the mark. So, to improve security awareness, I encourage employees to examine their business processes end to end and evaluate the security risks to those processes (not just the technology), and own closing any gaps.”
Megan Samford
“Humans can be a risk, but we should always ask from what standpoint? Apathy? Lack of capability? Lack of awareness? We should understand where human beings are failing in the task and work backwards from that problem, because the converse can also be true: humans can act as a firewall in your first line of defense when adequately trained and educated in cybersecurity. Human error is a prevalent and significant source of cyber incidents; even the most diligent individuals can make mistakes. These mistakes can range from downloading malicious attachments to using weak passwords or misplacing storage devices, all of which can compromise system or data security. Organizations should adopt a customized approach to address diverse employee groups, providing continuous training and awareness for high-risk populations such as VIPs, human resources, finance, customer-facing roles, and developers, empowering them to practice secure behaviors.”
Elizabeth Cartier
“We are the weakest link. We are the users; we want systems and apps to be convenient and usable because we have jobs to do and lives to live. But that also makes people the biggest security opportunity. My team works to explain why security is important in understandable, relatable terms. We aim to empower people to understand why security matters so they can apply related principles to their own roles and own lives. We also have an approachability policy around reporting – we promise we won’t get mad when you report something, even if you screwed up. Because if we got angry every time someone tried to do the right thing and follow guidance and report something, people would stop coming to us to ask for help or flag possible incidents. But it’s definitely a cultural drive – it’s going to be different at every organization.”
Michelle Chia
“Cyber risk is new compared to other types of risk, especially natural catastrophes. Most societies reinforce safety best practices by providing regular training from an early age, for example fire drills. My question is, how can we socialize cyber risk earlier so that security awareness and responsibility training does not rest solely on an employer? Until then, a combination of regular training and loopback is a strong approach to fostering a culture of security awareness and responsibility. Cyber underwriters look for employee training protocols in our risk assessments because through our claims data we see that human errors can open doors for an incident. Insurers see cybersecurity training for employees as an important loss prevention strategy and often offer guidance or services to help clients boost their cybersecurity posture.”
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.