Chief Information Security Officer, or CISO for short. The mere mention of this title makes many managers sigh: “the person who holds everything up with awkward rules.” It’s a false image, as became clear in a panel of CISOs that Tanium recently organized at its Converge conference. The role of the CISO has only become more strategic in recent years, and it also brings some challenges of its own.
During Converge (November 13-16), the more than 1,000 attendees in Austin, Texas, and the thousands watching online were offered a series of keynotes and breakout sessions on the importance of endpoint management and its impact on the functioning of an organization. Alongside contributions from partners such as Microsoft and ServiceNow, a presentation from Gartner on Digital Workplace Maturity and partner spotlights for Cognizant, PwC, EY and Capgemini, the debate with customer CISOs led by Tanium’s own CISO Chris Hallenbeck was especially interesting.
Larger attack surface
In his introduction, Hallenbeck immediately pointed out the pressure on CISOs and what has changed for this role in recent years. The pandemic suddenly made it possible for anyone to connect to corporate networks from anywhere, and the full adoption of remote work that followed opened the door to many new risks. CISOs are still feeling the consequences of this today.
Liz Morton, senior director, cybersecurity at Intercontinental Exchange, pointed out that employees have also become significantly more demanding. “Every device they use in their private lives, they also want to use in their work environment. That’s nice for them, but it’s not necessarily good for the security of a company.” Opening production systems to remote access, for example, also creates additional headaches for the security department, said Kevin McLaughlin, VP of Stryker. “And that places new demands on the speed of response and requires new software that makes it possible to react so quickly.”
“It used to be that it could easily take a few months before we rolled out an upgrade,” says Liz Morton. “Now our customers and our customers’ customers are demanding that upgrades be made immediately.”
Personally liable?
Just before Converge took place, there was a lot of excitement surrounding the conviction of Uber’s former security chief and the lawsuit related to the SolarWinds hack. The personal liability of those involved in the security sector was therefore also an important topic in this panel discussion. How do CISOs feel about being held personally liable? And what can they do before, during and after an incident to avoid prosecution?
Renate Spinks, CEO of Cybersec International, has a long history as a CISO for the US federal government, where it was common for a CISO to personally purchase an insurance policy to protect themselves from prosecution. “I just hope this doesn’t become the new norm for CISOs in other industries. But as a CISO, you must evolve with your adversary, and it is only accelerating. CISOs must do more than ever to evade cybercriminals. You must also see this as a personal obligation. As CISOs, we simply have to do our best and we will be safe. This is a better approach than buying insurance out of convenience and letting the rest take its course.”
“Every disadvantage has its advantage”
The fact that the CISO is more visible also has its advantages. According to Peeyush Patel, CISO at “This helps ensure new initiatives are better supported by management, which increases the acceptance of these programs within the organization. You may have more responsibility, but at the same time it’s an opportunity to do things better and more thoroughly.”
The fact that there will be so many more regulations that companies have to adhere to doesn’t worry him too much. “It is good that everyone, including regulators, understands the impact a security incident can have on the value of a company. It shows once again the value of cybersecurity.”
And of course, a CISO must always be honest with audit organizations. “I learned not to lie as a child,” says Liz Morton. “A CISO must always keep this in mind when reporting on an incident and what impact that incident will have on your own organization and third parties.”
The final part of the CISO panel was about these third parties: supply chain risk is a growing concern for everyone. What software comes into a company, and how secure is it? How do you create a software bill of materials (SBOM) that gives you 100% certainty about the provenance and safety of all parts and modules in that software? “Unfortunately, it’s not the natural reflex of software developers to document everything properly,” says Peeyush Patel, “but these are important questions that we ask our software suppliers. Making matters worse is that we have too little regulation about who is responsible for software in the cloud. Is it the software supplier? Or the company that offers storage and computing power in the cloud?” On the one hand, regulations make the CISO’s job easier, but at the same time they also make the CISO’s life more difficult.
What was definitely clear in the panel discussion: there is a great need for collaboration between the CIO, the CISO, all the other C-level roles of an organization, contact persons at partners and, last but not least, the bodies that set the rules and are responsible for enforcing them. If you want to make a security forecast for 2024, you can’t go wrong with this statement: the CISO will have a lot of extra work next year.
This is a post from Wytze Rijkmans, Regional Vice President of Tanium. Further information about the company’s services can be found here. Recordings of sessions from Converge will remain available to view on demand on the Converge website.