Does it matter that your CISO is demoted? – FST’s ‘State of Security in 2022’ panel

Security Leaders Panel
L-R: Loizou (Medibank), Meyer-Gleaves (Hollard), Fouani (TAL), Mizota (Rapid7), Hannon (Moderator)

Moderated by Luke Hannon.


Hannon (MOD): Ken (Mizota), let’s start at a high level. The cyber landscape, how has it evolved up to now in 2022?

Mizota (Rapid7): One of the things that we do at Rapid7 is we publish a vulnerability intelligence report each year. We noticed over the past year within the [cyber] landscape that there’s been, of course, a lot more widespread zero-day attacks – and when we say ‘a lot’ I mean quantitatively.

The most shocking thing for us, though, was discovering that the average time to known exploitation, from when a [vulnerability] is disclosed to when it is actually taken advantage of, has shrunk to 12 days, which is well [outside] most organisations’ ability to change. To give you some context, that was down from 42 days in 2021. This is not normal. We’re really in a period of a lot of change, and we’re seeing that in the numbers.


Hannon (MOD): And, from the business side, what changes are we seeing?

Fouani (TAL): From a change perspective, it really is on repeat. I don’t think many organisations are seeing new and emerging threats, but they are seeing a repeat of what we constantly have to be vigilant around. For us, there is also a greater focus on truly understanding the pace of change within our businesses, because, fundamentally, that’s also going to drive a lot of our activities.

Meyer-Gleaves (Hollard): Probably the most interesting stat I’ve observed in the last six months for our own organisation is that now the number of phishing attacks that we block exceeds the amount of SPAM [detected]. That’s really changing the landscape.

Loizou (Medibank): And, interestingly, Grae’s [Meyer-Gleaves] comment aligns with mine. The thing that we’ve noticed is there are challenges in the global economy, which has made it a breeding ground for threat actors and more people who are motivated, particularly around financially motivated crime.

From that perspective, again, we’re also seeing a huge uplift in phishing attacks against our business.


One other thing we’re noting – talking primarily to health businesses more than financial services businesses at this point – is also an increase in ransomware attacks.


Hannon (MOD): We heard some themes earlier around the pivoting attack surface. Grae [Meyer-Gleaves], to you firstly, how does your team prioritise and, indeed, has the way you prioritise what you protect changed?

Meyer-Gleaves (Hollard): I don’t think so. Particularly when we look at an operational aspect, the team has really got to be on alert for so many different attack types, so many different threat types: be it phishing, ransomware, malware, there are so many different attack types that are coming through all the time with different threat vectors.

From an operational viewpoint, you’re always looking for what is the number one priority at that time based on what type of threat and the sort of impact it could have on your organisation. At the end of the day, that comes down to having really good risk maturity in your organisation and knowing what your valuable assets are and, therefore, having your team prioritise all of their efforts towards protecting those crown jewels.

Loizou (Medibank): We really let the data tell us where we need to be focusing and where we need to be prioritising. That involves getting the right kind of threat analytics feeds to understand threats that are targeting similar organisations. We also prioritise based on what we’re actually seeing trend-wise. As mentioned before, the prevalence and the uptick in phishing has meant that we’ve pushed towards more user education, more awareness, and really trying to protect people because they are the skin of the organisation – that first line of defence.

Hannon (MOD): We speak a lot about the changing attack surface. Bringing it closer to home, how is it impacting your organisation?

Fouani (TAL): Not only is it impacting how we think about security, but also the way in which we talk to our leaders. One of the biggest barriers we found was defining a narrative that helps the business align and actually understand what’s going on. One of the shifts that we’re having to make is to ask, ‘What is the type of narrative that we’re having with leadership? How does it align with what the business understands the risks and the threats to be? And then how does that actually translate into action?’ That’s front of mind for us. It’s not only security’s job, as they say: everyone will look to the security team first and foremost, absolutely, but there is a broader undercurrent within our organisation around how we build understanding from leadership, and all levels of leadership, in fact, not just right at the top, in terms of what accountability and responsibility look like.

The other thing we’re also seeing on the ground is with our technology teams directly, because there is a lot of work being done around secure-by-design within our organisation.

We are Australia’s largest life insurer; data is king for us.


Our customers entrust us with their most sensitive of data. So, for us, it’s really ensuring that it is secure-by-design; this means shifting the way in which we operate and how we converse and how we are at the table very early in the conversation, rather than all the way down the pipe when we’re ready to try to bolt on a whole load of compensating controls when something is looking to go live.


Hannon (MOD): Ken [Mizota], what are you seeing from your side with the lens of Rapid7?

Mizota (Rapid7): As a security technology provider, we often get asked by our customers, ‘How should I go about prioritising based on risk and based on the threats in the world?’

Telling a narrative around that is so important because that helps you explain the priorities, as opposed to just ‘Take this number from 10,000 to 2,000’. This really has very limited power versus something that you are building towards as part of your narrative, aligning technical measures with your business objectives.


Hannon (MOD): Are we seeing more organisations take a more proactive approach to their positioning as opposed to reacting to the next big thing or what’s in the headlines?

Mizota (Rapid7): I really liked what Samer [Fouani] said about feeling like we’re “on repeat”.

We want to be proactive, but we have to be reactive; reactive is now, proactive is where we want to be.


And if we are on repeat, then how do we put pieces in place, because being proactive doesn’t happen overnight? You have to build up that muscle, you have to practice, and then you have to identify specific targets that you want to be proactive on. If it was so easy to do it all, you’d already be doing it.


Hannon (MOD): Other thoughts on proactivity versus reactivity? And it’s a bit like being a fire brigade. You try to get smoke alarms working in every house, but occasionally something catches fire and you need to react.

Meyer-Gleaves (Hollard): That point on proactivity is a great one. Particularly in our FS industry, our customers expect a level of trust from providers. It’s never been easier for a consumer to change banks, to change insurers, to change their life insurance policy – you can jump online, you can cancel something, move to another provider, and in most cases do it all in a matter of minutes.

Trust takes a long time to build with a consumer, and it can be destroyed in an instant.


Social media can go after a company, it becomes viral, and it can do enormous damage in a short period of time. Every organisation these days needs to get ahead of it and start building trust and have this as part of their strategy.

I also think how you handle an incident, should it occur for you, can actually be used as a tool to build trust. If your customers see that you react well and protect them – because incidents can and will occur – then that can also be used as a tool to build that further. And that only comes through being proactive; that doesn’t come from building cyber [protections] after the event or on-the-fly.

At Hollard, we’re currently working towards ISO 27001 certification. A big part of the reason for this is trust, because we are part of a supply chain, and we have some of the biggest brands in the country that rely on us as a provider.

We see [ISO certification] as an important toolset to help establish and build a level of trust.


Of course, that certification isn’t the end of it; it’s just reaching one part of the baseline. But it’s about getting proactive, building a strategy around that, and taking that forward.

Loizou (Medibank): We shouldn’t consider it as proactive versus reactive.

I actually think it’s proactive plus reactive.

Think about it from the perspective of a fire: you’re going to take proactive measures, you’ll try to ensure your house isn’t made out of flammable materials, you might do things like turn off the stove when you’re finished using it – that’s proactive stuff. But then you also need that reactive mechanism, that ability to put out the vulnerability, to call in the fireys.

That’s where we are in the cyber world: your proactive measures will often come from having a healthy risk management practice, the ability to understand where you could be exposed and to do something towards that. But you need that quick, reactive mechanism, that, when there is an incident, if something does go the wrong way, you can do something about it in a timely fashion.

Fouani (TAL): Building on that, it’s also fundamentally around understanding what controls you have in place end-to-end. And then, what are you actually going to trigger and at what point?

At TAL, we look at a layered approach with regard to the control set. We’re very conscious of risks and the potential incidents that could come our way. And then we look at what the controls are that we have to then act upon and where are the weaknesses within those controls, and then how do we build on that? Without that view, in the heat of the moment, it becomes extremely challenging.

Hannon (MOD): Sometimes we forget in cyber that the reason organisations exist, apart from the obvious, is to serve customers. Samer [Fouani], staying with you, and on the point of friction: How do we balance the need for controls with the demands for a frictionless customer experience – be it internal or external customers?

Fouani (TAL): I struggle with the term ‘frictionless’. At the end of the day, we need to protect our customers, our data, and our organisation. For us, one of the key things that we do is double down on secure-by-design. Even from the point of the code.

Looking at code in development, how are we taking the measures that we’re required to take to ensure that we’re not committing something into production that is then going to cause an issue downstream?


We’re fundamentally focused on that, having that as part of our company ethos and not just a flag held by cyber teams saying ‘We’re secure-by-design!’. It’s about building it into our processes and throughout the entire lifecycle of the services that we offer, from the products that we build in-house to those third parties that assist us as well.


Hannon (MOD): Ken [Mizota], I love the comment around ‘frictionless’ because with multi-factor authentication there are inevitably going to be [security] steps for customers.

Mizota (Rapid7): When I think about ‘frictionless’, to me that defines an end state – that is, an absence of friction.

From a security perspective, I see it as a trade-off. And it’s not just a simple trade-off between one or the other – it’s security, it’s freedom and it’s convenience.


I didn’t make this up; this is from Dan Geer, who was the security luminary and CISO at In-Q-Tel. What he’s essentially saying is that you can pick two out of the three: you can pick security and convenience, but it won’t be free. You can pick convenience and freedom, but it won’t be secure.

When we talk about frictionless and secure-by-design, if you choose that to be secure and you choose it to be convenient, guess what? Your developers don’t get to choose – neither they nor your customers get freedom; they must use MFA.

I’d love to say that there’s a path to chart here and that I know the way, but it’s going to be different for every organisation. You have to trade off among those three.


Hannon (MOD): To audience questions now: Given the trust vested in QR codes, particularly during Covid, are you seeing malicious actors exploiting them?

Meyer-Gleaves (Hollard): Great question! In fact, I put out a cybersecurity awareness article in my own organisation about 12 months ago around this exact topic.

The answer to that is absolutely they can be used! And absolutely there are examples! A QR code can be used to redirect you to create emails, it can do web addresses, it can do quite a lot of different things. It’s definitely a potential threat vector.

Consumers have been led to trust a QR code, and the uptake due to Covid for QR codes has been massive. Some of us cool techies knew about it, used it at conferences and what have you, but now it’s just widespread. And the consumer does walk up and expect a QR code to be safe in its own right. And they are convenient! There’s no doubt that it’s a threat vector.

Loizou (Medibank): I’ll double down on that. It’s a mechanism to simply redirect a user somewhere. You put it in public and I guarantee the same result as those old thought experiments of ‘Drop USB drives and see who’ll plug them in’: you’ll probably have people scanning random QR codes if you simply plaster them around your office.

In fact, one of the things that we’re in the middle of rolling out right now is an education piece that goes beyond phishing, looking at scenarios such as bad USBs, bad Wi-Fi and bad QR, recognising that we need approaches to test users, to train them and to demonstrate that threat vectors don’t just come via email.


Meyer-Gleaves (Hollard): I think we’ll call it ‘Quishing’. If nobody has coined it, I’ll take credit for that!

Hannon (MOD): You heard it here first.

Can you share what is the most difficult challenge you’re facing right now, and how do you plan to overcome it? It might not be your biggest challenge, but perhaps what your customers are coming to you with.

Mizota (Rapid7): The biggest single challenge in this world comes within the context of understanding what we’re in now – what we might refer to as this ‘post-pandemic’ phase – and appreciating there’s already been a lot of change, and there’s already been an increase in threats and a decrease in capabilities. There are also a lot of aspirations about what we can do or how we could get back to ‘normal’ – if that’s possible.

But the biggest challenge then is marshalling the energy to focus on the actual operations, to focus on the actual embedding of how we operate security within our businesses.


With all the changes that have been going on, this is far from normal; whatever you had working previously probably needs some additional attention and practice.

The question I have for my own company, Rapid7, but also from a customer’s perspective, is where’s that rally going to come from? It needs to initiate from somewhere because it’s not going to come from the top down. Operational excellence and achieving the outcomes you want has always been hard. But there’s been so much that’s changed, that probably needs some attention vis-à-vis some lofty new technology or initiative that’s out there.


Hannon (MOD): Another audience question: What’s the key thing you need to add to a current enterprise security strategy?

Loizou (Medibank): Transparency. A lot of our strategies, particularly those written years ago, are very technically focused and focused on capabilities.

The problem is that, unless we’re fully transparent with the business, with our peers (those within the business and side-by-side with security), our executives, the board of course, and unless we can completely open the door, then we run the risk of continuing to be something of a shadow function, something that’s a little bit opaque.


And that’s damaging to the purpose of security, and it’s damaging to the business.

Fouani (TAL): There are so many. One thing I often reflect on is the leadership around you and the leadership within your security teams, as well as leadership more broadly. What will the leaders of tomorrow look like? How do they function? What are they thinking about? And how are they influencing those around them?

If I could give any guidance to anybody, look to the left and to the right of you, above and below you. What does leadership look like and how is that manifesting in the way in which you are delivering your security strategy and the way in which people are interacting with each other?

Often what we find, in my experience, is that some of the greatest friction is around a built understanding of everyone around the table.

Often people can be put off by security; it can be something that’s quite daunting. And it can sometimes be used to bamboozle your business peers.


How do we manifest and build a common language, where people walk away understanding and not feeling like they’ve walked away not knowing what’s going on?

Hannon (MOD): This might be controversial, but what advice do you have for security practitioners whose organisation has decided to “go backwards” and demote a CISO role to a ‘Head of’ role reporting under the CIO?

Meyer-Gleaves (Hollard): That is a tough one. Regardless of where you report in an organisation, as a security professional you can be a leader. Not every organisation is going to have a CISO that gets to be in front of the board. Of course, there are regulatory requirements in our industry, and things have changed in that space, but it’s not always going to be the case.

It’s our job as security professionals to get out there and lead. And I think you can lead whether you’re on the front line, whether you’re on a service desk right through to being a CISO or if you’re in middle management.


What I would say is, get out there and promote security, be seen as a partner in your business or your organisation, because it’s people that make the difference. If you’re dead focused on that and keep pushing it and doing the right things, you will get more and more buy-in from your organisation.

Loizou (Medibank): It doesn’t stop you from doing what you do well, it doesn’t stop you from meeting with your executives, and it doesn’t stop you from communicating with the board.

In my own firsthand experience, having held Head of roles and still meeting with the board, still presenting, still articulating and challenging the executive team to look at security differently, the Head of role doesn’t stop you from doing any of that!

Fouani (TAL): Also, look at how you leverage that CISO role to further drive the conversation and the outcomes. A reporting line is a reporting line. There are different reasons and rationales that organisations take. But how does that partnership work in harmony to help ensure that you’re getting the right outcomes? You can have CISOs reporting right into the CEO and they’re still not able to get the impact or facilitate change. It’s thinking about how you leverage those relationships and how you work in harmony to get the outcome and focus on what’s right.

And I’ll close with this: manage that message to your teams. Any organisational change of that nature would probably need a transparent and open conversation with your teams so that they understand that this is not a demotion, this is a structural change with a purpose and a reason; having a clear understanding of what that reason is will also help ensure they do not feel disempowered and that they are working within levels.


*This is an edited extract from the Security Leaders’ Panel featured at the Future of Security Melbourne 2022 conference.