CISO Corner: CIO Convergence, 10 Critical Security Metrics & Ivanti Fallout
Also in this issue: Mideast investment, new FCC breach notification rules, and how Dark Reading readers use GenAI tools in their cybersecurity apparatus.
February 17, 2024
Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.
In this issue:
10 Security Metrics Categories CISOs Should Present to the Board
CISO & CIO Convergence: Ready or Not, Here It Comes
FCC Requires Telecom & VoIP Providers to Report PII Breaches
DR Global: Middle East & Africa CISOs Plan to Increase 2024 Budgets by 10%
GenAI Tools Will Permeate All Areas of the Enterprise
Should CISOs Skip Ivanti For Now?
10 Security Metrics Categories CISOs Should Present to the Board
By Ericka Chickowski, Contributing Writer, Dark Reading
Boards of directors don't care about a security program's minute technical details. They want to see how key performance indicators are tracked and used.
With the US Securities and Exchange Commission's new rules around cybersecurity now in place, security teams need to bring more rigor to how they track key performance indicators (KPIs) and key risk indicators (KRIs) — and how they use those metrics to advise and report to the board.
"When shared with the board of directors' risk or audit committees, these key performance indicators illuminate the organization’s cybersecurity capabilities and the efficiency of cyber controls, while also helping the board of directors evaluate the adequacy of investments in technology and talent," according to Homaira Akbari, CEO of AKnowledge Partners, and Shamla Naidoo, head of cloud strategy for Netskope, writing in The Cyber Savvy Boardroom.
Taking cues from the recommendations in the tome, Dark Reading breaks down the top security operational metrics that CISOs and cyber leaders need to be fluent with in order to give the board a comprehensive report on risk levels and security performance, and discusses how to create a data-backed model for determining the efficacy of an organization's program and identifying gaps in protection.
Read more: 10 Security Metrics Categories CISOs Should Present to the Board
Related: How CISOs Can Craft Better Narratives for the Board
CISO & CIO Convergence: Ready or Not, Here It Comes
Commentary by Arthur Lozinski, CEO & Co-Founder, Oomnitza
Recent shifts underscore the importance of collaboration and alignment between these two IT leaders for successful digital transformation.
The CISO's stewardship of controlling digital risks is so essential to successful digital transformation that the role increasingly overlaps with the CIO's — highlighting cybersecurity's continuing trajectory from the server room to the boardroom.
The two roles have been coming together for 20 years, but now CIOs are mainly tasked with procuring and harnessing technology to support business innovation — and the role is markedly less operational than it once was.
Meanwhile the CISO is now a core operational stakeholder, facing compliance mandates, preventing operational disruption from data breaches, and assigning risk scores for emerging cybersecurity threats.
The result? CIOs and CISOs increasingly walk in lockstep — and regardless of how the two roles evolve, the shift underscores the importance of collaboration and alignment between these two IT leaders for successful digital transformation, and beyond.
More on CIO/CISO convergence: CISO & CIO Convergence: Ready or Not, Here It Comes
Related: How Changes in State CIO Priorities for 2024 Apply to API Security
FCC Requires Telecom & VoIP Providers to Report PII Breaches
By Tara Seals, Managing Editor, News, Dark Reading
The Commission's breach rules for voice and wireless providers, untouched since 2017, have finally been updated for the modern age.
Move over, SEC: There's a new compliance mandate in town.
Starting next month, telecom and VoIP providers will have to report data breaches to the FCC, the FBI, and the Secret Service within seven days of discovery.
And they will have to issue data breach notifications to customers whenever there's personally identifiable information (PII) caught up in a cyber incident.
The FCC released its final rules this week, mandating that carriers and service providers be more transparent when PII is exposed. The Commission's definition of PII is broad and encompasses not only names, contact information, dates of birth, and Social Security numbers, but also biometrics and a slew of other data.
Previously, the FCC required customer notifications only when Customer Proprietary Network Information (CPNI) data was impacted, i.e., phone bill information like subscription plan data, usage charges, numbers called or messaged, and so on.
The last update to the FCC's breach reporting requirements was 16 years ago.
Read more: FCC Requires Telecom & VoIP Providers to Report PII Breaches
Related: Prudential Files Voluntary Breach Notice With SEC
Middle East & Africa CISOs Plan to Increase 2024 Budgets by 10%
From DR Global
By Robert Lemos, Contributing Writer, Dark Reading
New data shows higher-than-expected cybersecurity growth in the Middle East, Turkey, and Africa region, thanks to AI and other factors.
The cybersecurity market is expected to grow quickly in the Middle East, Turkey, and Africa (META) region, with spending set to hit $6.5 billion in 2024.
According to the IDC, more than three-quarters of CISOs in the region are planning to increase budgets by at least 10% this year, spurred in large part by geopolitical threats, the growth of generative AI, and increasing data protection regulations across the region.
"The increase in successful cybercrimes has driven demand for consulting services in non-core countries where awareness is not as high compared to the core countries," says Yotasha Thaver, a research analyst for IT security data at IDC South Africa and META. "There is also a push coming from governments — particularly in the Middle East — for improved cybersecurity."
The spending of course will vary by country. For instance, both Saudi Arabia and the United Arab Emirates (UAE), which are actively investing in national strategies to secure their networks and technologies, are on a higher-growth spending trajectory than their peers, IDC found.
Read more: Middle East & Africa CISOs Plan to Increase 2024 Budgets by 10%
Related: UAE Banks Conduct Cyber War Games Exercise
GenAI Tools Will Permeate All Areas of the Enterprise
From Deep Reading: DR Research Reports
Many departments and groups see the benefits of using generative AI tools, which will complicate the security teams' job of protecting the enterprise from data leaks and compliance and privacy violations.
There is significant interest among organizations in using generative AI (GenAI) tools for a wide range of use cases, according to Dark Reading's first-ever survey about GenAI. Many different groups within enterprises can use this technology, but these tools seem to be most commonly in use by data analytics, cybersecurity, research, and marketing teams.
Almost a third of the respondents say their organizations have pilot programs or are otherwise exploring the use of GenAI tools, while 29% say they are still considering whether to use these tools. Just 22% say their organizations are actively using GenAI tools, and 17% say they are in the process of implementation.
Security teams are looking at how these activities can be incorporated into their day-to-day operations, especially for writing code, looking for reference information related to specific threat indicators and issues, and automating investigative tasks.
Meanwhile, marketing and sales groups most often use AI generators to create first drafts of text documents or develop personalized marketing messages and summarize text documents. Product and service groups have begun leaning on GenAI for identifying trends in customer needs and creating new designs, while service groups are focused on forecasting trends and integrating technology into customer-facing applications, such as chatbots.
Learn more about how Dark Reading readers anticipate using generative AI in the enterprise in this free downloadable report.
Read more: GenAI Tools Will Permeate All Areas of the Enterprise
Related: Saudi Arabia Debuts 'Generative AI for All' Program
Should CISOs Skip Ivanti For Now?
By Becky Bracken, Editor, Dark Reading
Cascading critical CVEs, cyberattacks, and delayed patching are plaguing Ivanti VPNs, forcing cybersecurity teams to scramble for solutions. Researchers are unimpressed.
Ivanti has disclosed five VPN flaws so far in 2024, most exploited as zero-days — with two of them publicly announced weeks before patches became available. Some critics, like cybersecurity researcher Jake Williams, see the glut of Ivanti vulnerabilities, and the company's slow incident response, as an existential threat to the business.
Williams blames Ivanti's current problems on years-long neglect of secure coding and security testing. To recover, Ivanti would have to overcome that technical debt, according to Williams, while somehow building back trust with its customers. Williams adds that he is dubious Ivanti will be able to pull that off.
"I don't see how Ivanti survives as an enterprise firewall brand," Williams tells Dark Reading, a sentiment he has repeated widely on social media.
Ultimately, Ivanti's woes fall on enterprise cyber teams, which will have to choose. Cyber teams can follow CISA's advice and disconnect Ivanti VPN appliances and update before they are reconnected. Or, while they're already offline for patching, they can replace Ivanti appliances altogether with fully updated gear.
However, some say that sticking with Ivanti is a juice that may not be worth the squeeze. "These devices need their software engineered with the same kind of seriousness that this threat requires," says John Bambenek, president at Bambenek Consulting. "If I were a CISO, I'd take a pass on Ivanti for a few years until they’ve proven themselves again."
Read more: Ivanti Gets Poor Marks for Cyber Incident Response
Related: Volt Typhoon Hits Multiple Electric Utilities, Expands Cyber Activity