CISOs Share Their 3 Top Challenges for Cybersecurity Management
Managing risk on a global scale has always been challenging, but in the aftermath of the COVID pandemic, CISOs have had to become even more agile. The shift to hybrid work, the rapid deployment of cloud applications, and the move to continuous integration and continuous development (CI/CD) have emboldened threat actors with new and broader targets.
Meanwhile, the number of devices and endpoints on organizations’ networks have increased exponentially. Two veteran CISOs lamented the challenges these changes have imposed during a webinar last week organized by Sepio, an asset detection and risk management startup. Sepio’s CISO Ilan Kaplan moderated an hour-long discussion with HSBC CISO Monique Shivanandan and Carl Froggett, who was CISO at Citi for 17 years before joining startup Deep Instinct last summer as CIO.
Shivanandan and Froggett shared with Kaplan what they see as three of the most significant challenges the rapidly changing cybersecurity and risk landscape presents.
1. Maintaining Visibility of All Network Assets
Cybersecurity professionals have historically struggled to gain complete visibility into what’s on their networks and threats directed at them. Froggett noted that newer cloud-native technologies, such as container-based applications and SaaS, offer better visibility than traditional software because modern apps were built to be more secure.
But overshadowing that benefit is the sheer scale of all the components associated with modern applications. “An asset used to survive 5, 6, 7 years, or longer if you include the underlying operating systems, whereas now the lifetime of the container can be measured in seconds or maybe minutes,” Froggett said. That creates “a whole new set of [visibility] challenges from that perspective.”
Shivanandan noted that traditional methods of capturing inventories, keeping them up to date, and tracking them were predicated on the notion of adding assets to a network manually. But with modern applications, that doesn’t work, she said, because of the scale and the speed by which devices and software are deployed. “One of the biggest challenges that every CIO and every CISO faces is having that visibility and making sure that visibility is up to date,” Shivanandan said.
2. Avoiding New Risks When Adding Apps
Besides addressing the mounds of existing regulatory risks and the current threat landscape, security teams must also avoid being the source of new risks. Asked how they ensure that, Shivanandan said that, while reviewing the source code of every component added to the infrastructure is impossible, HSBC has rigorous processes around onboarding a new technology, which includes “a lot of pen testing and red teaming.”
“Unfortunately, with the number of parties we have, we cannot do it for everyone,” she added. “We do it for a select few.” The problem is “every software change and every new release can knowingly or unknowingly introduce something new. It’s a constant battle that we’re facing.”
Froggett said that Citi has strict processes around onboarding new technology, including pen testing and red teaming, but with the current release cadences, enforcement has become challenging. “Ultimately, you can’t usually do source code reviews” of everything that comes in, he said.
3. Recruiting and Retaining Skilled Talent
The shortage of experienced cybersecurity specialists is nothing new, but Shivanandan said it remains one of her top challenges. “All the technology in the world is only as good as the people there to make sure that we install [everything] correctly and keep it up to date,” she said.
Shivanandan said despite considerable progress, it remains difficult for women to break the glass ceiling. She believes men have an outsized presence in senior cybersecurity roles compared to the entire IT industry.
“When you start out at the lower levels, there’s [an] equal [proportion of] men and women, 50-50, sometimes even 60-40 women,” she said. “Then, as you go through the progression, the women drop out, and the men continue to progress from a seniority level.”
Nevertheless, Shivanandan said women face fewer barriers today compared with when she started out. She said, “When I was starting out, they wanted to pat you on the head and say, ‘dear, don’t worry your pretty little head, I’ll take care of technical things.’ But not anymore. There’s no ceiling for a woman to get into any position now. It’s a matter of just perseverance.”
Shivanandan considers herself fortunate at HSBC, where 40% of her leadership team is women. “The women and the men are both fantastic, and that’s the thing that you really want to look for,” she said.
Froggett said during his nearly 25 years at Citi, most of his bosses were women. “The job’s not done for sure, but there is definitely more of a balance [of men and women in senior leadership roles than] I saw five or 10 years ago.”
Shivanandan emphasized that creating a diverse team goes beyond gender. A large portion of her team has some sort of neurodiversity, she said. According to research, an estimated 15%-20% of people have some form of neurodivergence such as autism, attention deficit hyperactivity disorder (ADHD), mental health conditions, or learning disabilities.
Shivanandan said those conditions are often assets: “That’s what makes them fabulous in the job.” But she added, “I think that’s probably harder to overcome from a career progression standpoint, from a leadership versus a technical perspective.”