


Most CISOs are responsible for the management of cyber-related risk within their own company. CISOs in cybersecurity product vendor companies also have a responsibility towards all the companies that buy or use their products.

For this edition of CISO Conversations, SecurityWeek talked to two vendor CISOs: Chris Morales, CISO at security and analytics firm Netenrich, and Laura Whitt-Winyard, CISO at EDR firm Malwarebytes. The purpose is to explore the differences introduced into the role of CISO when the business sells cybersecurity to other businesses.

A key function for all CISOs is to protect the brand reputation of their companies. For most CISOs, this focuses on protecting their own infrastructure against breaches, loss of data, ransomware etcetera. The vendor CISO has another dimension – protecting the firm’s customers from being breached through a flaw in the product they sell.

Both CISOs point to their position as the supply chain for their customers. This would rebound as brand damage to their own company.

Supply chain attacks are increasing because of the ‘hack one, breach 100s or 1000s’ principle widely adopted by criminal gangs and nation state attackers. Morales pointed to SolarWinds and Kaseya; Whitt-Winyard pointed to Okta. The Okta breach affected about 400 of its customers. The Kaseya incident affected an estimated 40 customers, but hundreds more downstream from them. Up to 18,000 customers could have been affected by the SolarWinds hack, although it is believed that less than 100 important companies and government offices were eventually breached.

Both Morales and Whitt-Winyard – and most vendor CISOs – have the additional responsibility of not simply preventing their company from becoming a supply chain victim, but preventing it from becoming a supply chain source. The SolarWinds incident demonstrates the brand damage that can ensue, with its stock falling 23% in a week after disclosure.

This requires a deep involvement with the product they sell – and this in turn has knock-on effects on their role that differentiate the vendor CISO from the non-vendor CISO. The first and most obvious is that while business acumen is needed to manage risk against their own company, this cannot be at the expense of technical acumen to secure their products and help their customers. The vendor CISO cannot simply be a businessperson, but must also be a technical guru.

Whitt-Winyard goes further and believes all CISOs require technical skills. “Part of my CISO role,” she said, “is to mentor and coach my own team, to help elevate them into leadership or more appealing positions.” She gave the example of a team member who might currently be involved in governance but wants to become a pentester.

“If I don't understand the technical details of what that person needs to learn,” she continued, “I'm not going to be able to coach them correctly into getting into something they're passionate about. If my team is working on things that they're passionate about, I will get exceptional results – but if they're working on things they're not passionate about, I'm only going to get exactly what I asked for and no more.”

Morales also has deep technical knowledge. “I'm fully versed in technology across the board,” he said, “and that’s important for most security people. I know networking, IT, databases, development – I understand all of it.”

Both companies – in the modern parlance – ‘drink our own champagne’. They are consumers as well as purveyors of their own products, and the CISOs are deeply embedded in the product development process. While relationships are important for all CISOs, this has led to something extra for Morales: a unique relationship with the CTO.
