A Day in the Life of a CISO – Part 2 – Reality Check

The Chief Information Security Officer (CISO) of an organization has a vital role. The CISO is responsible for the security of all information and data. Hence, the role includes a variety of responsibilities that covers almost every department within the enterprise. With attackers continuously seeking malevolent ways to harm their targets, and the world’s growing reliance on technology, the CISO’s job is becoming increasingly important.

In Part 1 of the “Day in the Life of a CISO”, our RDM series’ CISO gave an account of a busy, yet “good” day at work. Here, he provides insight into what a more chaotic day might look like. We hope everything turns out okay for him, and his organization.

6:00 am

My alarm goes off, but it is unnecessary (and irritating) as I have been awake the entire night. We had a security incident the other day that I am responsible for investigating. Although it was not directly my fault, I am the CISO of the company, which means that any security incidents fall under my responsibility. Because of the organization’s large size, any security incident is taken very seriously due to the potential damage it can cause. And we need to be sure that, once detected, the issue is comprehensively addressed to avoid the possibility of an attacker remaining “within” our organization.

8:00 am

I arrive at the office, met with complete chaos within the IT department. One of our security solutions failed to update, leaving us vulnerable. A bad actor (be that a group or individual) exploited this vulnerability and infiltrated the organization, stealing a substantial amount of data. Not only do we have to make up for this lost data, but it is mine and my team’s responsibility to patch the vulnerability. Although this simply means ensuring that the security software is updated, we need to be extra vigilant to avoid a repeat occurrence.

We take this time to continue our investigation; why the security software failed to update and what the attack method was. Importantly, we need to determine if the attack came as a result of the failed software update. It is possible that there are other vulnerabilities within the organization that were exploited, and the investigation will provide an answer to this.

11:00 am

The time I have been dreading; my meeting with the CEO and CFO. As expected, they are less than impressed. Of course, I make every effort to ensure that the organization’s information and data are protected to the greatest extent, but attackers are always one step ahead. However, this is not the time to argue; we need to discuss a plan going forward. Most likely, this means increasing the cybersecurity budget which, inevitably, they are not thrilled about – and that is putting it lightly.

My superiors are too indignant to acknowledge that this is the worst time to impose financial restraints on my department. They do not understand that the changing attack landscape means that we need to continuously update our security approach. What we bought yesterday is not what we need for tomorrow’s challenges. I am not oblivious; I know that constant updates to security are an expensive cost. However, a successful cyberattack can cost the organization even more due to the myriad of direct and indirect expenses. One would not think that one of the most challenging parts of my job is to convince other C-level executives that the extensive cybersecurity measures are necessary.

12:00 pm

Still here, arguing with the CEO and CFO. This is extremely unproductive as we are not getting anywhere. In the end, either they will not agree to increase my department’s budget, which will put us at substantial risk, or they will agree to it, which will mean that the two hours we have spent arguing was a waste of valuable time. My team needs my assistance, and I need to be fully aware of every aspect of the investigation to ensure the mitigation plan is effective.

1:00 pm

Finally, after what seemed like hours, the meeting finished. I will not have time to take a break and go out for lunch today. This means a quick sandwich at my desk as I continue my efforts to investigate the breach. Not ideal, but I would not be able to focus if I had gone out for lunch, anyway.

2:00 pm

Great. One of my top team members has told me that another bank has offered her a job. She is an extremely talented individual, so that doesn’t surprise me, but now I need to convince her to stay. And, in today’s competitive environment, this typically means increasing her salary. I cannot wait to bring that up with the CEO and CFO after today’s earlier meeting…

3:00 pm

Another hit. I have just been alerted of the presence of a Rogue Device within the organization. Thankfully, Sepio Systems’ HAC-1 solution was able to detect the device, block it, and identify its location. The device was a Raspberry Pi embedded within one of our Logitech mice, impersonating a keyboard. If it were not for HAC-1, there could have been some serious consequences. Impersonating a keyboard means that the Raspberry Pi is identified as a legitimate HID and is therefore not detected as suspicious. The attacker can remotely execute a payload that causes substantial damage to the organization, such as malware injection, data theft, and espionage, among others. Wow, that was a close one.

4:30 pm

As if this day could not get any worse, it seems as though someone on the marketing team accidentally clicked on a malicious link in a phishing email that subsequently installed malware on the endpoint. Apparently, the training program I put together had not been as effective as I had hoped. This incident emphasizes the risk that employees pose to an organization. That is not to disregard the staff’s efforts in remaining cautious, but to highlight the extent that bad actors will go to manipulate employees.

The email was extremely well-curated, and this is the precise reason we need multiple layers of security. The harsh reality is that we cannot rely on humans to keep the organization secure. Our anti-malware software detected the presence of the malware and was able to remove it. However, if the software had failed to update, it might have been ineffective, should the malware have been a new form that the software did not recognize. In this case, the malware was generally harmless and just flashed advertisements whenever the user clicked anything. Irritating, but harmless. However, phishing emails can have detrimental consequences if the perpetrator attaches nefarious malware.

5:30 pm

After a tiresome morning and afternoon, I have a moment of quiet to work on the organization’s cybersecurity strategy. Recent events have convoluted this process, especially the disagreements over the budget. The ambiguity surrounding the financial details means that I cannot create a conclusive strategy. And, if the budget is too restrained, then the final strategy will not provide comprehensive protection. However, I curate a tentative plan in the meantime, which most definitely needs to address the gaps in our security software solutions. I also need to reassess the approach to employee training and education after the successful phishing attempt today.

Importantly, I need to ensure that the entire strategy complies with the relevant regulations. Our organization has a substantial global presence, meaning more regulations and frameworks with which we must comply. And, in some cases, regulations can contradict each other. Know Your Customer (KYC) regulations are in place to ensure organizations know enough about their clients. And banks are especially concerned with this regulation to ensure that they follow the rules on anti-money laundering (AML) and combatting the financing of terrorism (CFT).

However, data protection regulations, such as the EU’s General Data Protection Regulation (GDPR), significantly restrict how organizations collect customer data. The strategy I compose must comply with both, which is a somewhat challenging task. Another regulation we must comply with is Section 889 of the National Defense Authorization Act (NDAA). As an organization that obtains government contracts, we need to ensure that we do not use any equipment, system or service that uses covered telecommunications equipment produced by the specific companies, and their subsidiaries or affiliates, outlined in the regulation.

HAC-1 Solution

Typically, this would be a highly laborious task, and may not even be accurate due to the covert nature of Rogue Devices. However, the HAC-1 solution provides complete visibility into all of our hardware assets, in addition to information regarding each device’s vendor name, product name and more. The greatest challenge of compliance comes in the supply chain – how do we ensure that our suppliers comply with Section 889? I might have to include a requirement in the strategy that all third parties deploy the HAC-1 solution to guarantee their compliance with Section 889 to ensure that we maintain our government contract.

Time to Relax?

It is finally time for me to go home following a very stressful day. It has been a while since I have had a day as taxing as this one. However, part of being a CISO means that I need to quickly adapt to the unpredictable environment of cybersecurity. Today demonstrates just how erratic my job can be. One of the greatest downsides to such a busy day is that I have not had time to myself. The lack of a break, coupled with a multitude of stressful challenges, means that I am tense and irritable. A negative headspace will have adverse effects on my performance tomorrow, or until I do get that needed “me time”.

  • Previous Post

    A Day in the Life of a CISO – Part #1 – Wishful Thinking

  • Next Post

    New York Cyber Insurance Risk Framework

Leave a Reply