Saturday, October 14, 2023
CISOs Share Their 3 Top Challenges for Cybersecurity Management



Managing risk on a global scale has always been challenging, but in the aftermath of the COVID pandemic, CISOs have had to become even more agile. The shift to hybrid work, the rapid deployment of cloud applications, and the move to continuous integration and continuous development (CI/CD) have emboldened threat actors with new and broader targets.

Meanwhile, the number of devices and endpoints on organizations’ networks has increased exponentially. Two veteran CISOs lamented the challenges these changes have imposed during a webinar last week organized by Sepio, an asset detection and risk management startup. Sepio’s CISO Ilan Kaplan moderated an hour-long discussion with HSBC CISO Monique Shivanandan and Carl Froggett, who was CISO at Citi for 17 years before joining startup Deep Instinct last summer as CIO.

Shivanandan and Froggett shared with Kaplan what they see as three of the most significant challenges the rapidly changing cybersecurity and risk landscape presents.

1. Maintaining Visibility of All Network Assets

Cybersecurity professionals have historically struggled to gain full visibility into what’s on their networks and the threats directed at them. Froggett noted that newer cloud-native technologies, such as container-based applications and SaaS, offer better visibility than traditional software because modern apps were built to be more secure.

But overshadowing that benefit is the sheer scale of all the components associated with modern applications. “An asset used to live 5, 6, 7 years, or longer if you include the underlying operating systems, whereas now the lifetime of the container can be measured in seconds or maybe minutes,” Froggett said. That creates “a whole new set of [visibility] challenges from that perspective.”

Shivanandan noted that traditional methods of capturing inventories, keeping them up to date, and monitoring them were predicated on the notion of adding assets to a network manually. But with modern applications, that doesn’t work, she said, because of the scale and the speed at which devices and software are deployed. “One of the biggest challenges that every CIO and every CISO faces is having that visibility and making sure that visibility is up to date,” Shivanandan said.

2. Avoiding New Risks When Adding Apps

Besides addressing the mounds of existing regulatory risks and the current threat landscape, security teams must also avoid being the source of new risks. Asked how they ensure that, Shivanandan said that, while reviewing the source code of every component added to the infrastructure is not possible, HSBC has rigorous processes around onboarding a new technology, which include “a lot of pen testing and red teaming.”

“Unfortunately, with the number of parties we have, we can’t do it for everyone,” she added. “We do it for a select few.” The problem is “every software change and every new release can knowingly or unknowingly introduce something new. It’s a constant battle that we’re facing.”

Froggett said that Citi has strict processes around onboarding new technology, including pen testing and red teaming, but with the current release cadences, enforcement has become challenging. “Ultimately, you can’t usually do source code reviews” of everything that comes in, he said.

3. Recruiting and Retaining Skilled Talent

The shortage of skilled cybersecurity specialists is nothing new, but Shivanandan said it remains one of her top challenges. “All the technology in the world is only as good as the people there to make sure that we install [everything] correctly and keep it up to date,” she said.

Shivanandan said that despite considerable progress, it remains difficult for women to break the glass ceiling. She believes men have an outsized presence in senior cybersecurity roles compared to the entire IT industry.

“When you start out at the lower levels, there’s [an] equal [proportion of] women and men, 50-50, sometimes even 60-40 women,” she said. “Then, as you go through the progression, the women drop out, and the men continue to progress from a seniority level.”

However, Shivanandan said women face fewer obstacles today compared with when she started out. She said, “When I was starting out, they wanted to pat you on the head and say, ‘dear, don’t worry your pretty little head, I will handle technical issues.’ But not anymore. There isn’t any ceiling for a woman to get into any position now. It’s a matter of just perseverance.”

Shivanandan considers herself fortunate at HSBC, where 40% of her leadership team is women. “The women and the men are both fantastic, and that’s the thing that you really want to look for,” she said.

Froggett said that during his nearly 25 years at Citi, most of his bosses were women. “The job’s not done for sure, but there’s definitely more of a balance [of men and women in senior leadership roles than] I saw 5 or 10 years ago.”

Shivanandan emphasized that creating a diverse team goes beyond gender. A large portion of her team has some form of neurodiversity, she said. According to research, an estimated 15%-20% of people have some form of neurodivergence such as autism, attention deficit hyperactivity disorder (ADHD), mental health conditions, or learning disabilities.

Shivanandan said these conditions are often assets: “That’s what makes them fabulous in the job.” But she added, “I think that’s probably harder to overcome from a career progression standpoint, from a leadership versus a technical perspective.”
