The great CISO resignation and the reasons for it

CISOs are quitting their jobs, and many other security people appear to be “Retired in Post” or “Quitting in Post” – this is the tip of the iceberg. For some security people that thought that being a CISO was a way into the Board Room have found the reality of that position comes with responsibility, accountability and an absolute performance measure “if you are successfully cyberattacked, you have failed.”

The role of the CISO’s is in crisis driven by never ending stress of futility. Futility with the current means of defence and operations but also the futility of their key nemesis, the fear and anxiety of the unknown. Despite spending millions of dollars on the next infosec technologies and security teams, CISOs are working to exhaustion and breakdown, with the same result. CISOs are losing the foot-race with their ‘Cyber Adversaries’ and are getting breached at an accelerated rate.

The rest of the enterprise’s board may extend a set of challenges to the CISO so they can redeem themselves, but more often than not it is easier to slash the offending (failed) budget that has been evidenced as wasted money. Understandably, in this way enterprise cyberattack risk is re-defined as a business economic decision that favours dealing with a cyberattack when it happens, with incident response, and damage control.

With the massive increase in the availability of novel cyberweapons-as-a-platform, i.e. services that are automated for the user with basic knowledge (with one such cyberweapon platform service hosting over 7,000 active users), the problem for an enterprise has escalated significantly.

There is also increasingly the use of legitimate enterprises and service providers being weaponized, unwittingly delivering malware thereby providing an opportunity to attack 1,000’s of organisations that use the same platform provider.

Under these conditions the ability of an enterprise to tackle the cyberattack threat risk is falling from an already weak position, resulting in more cyber-attacks and more cyber insurance claims.

Redefining Cyber Risk by Defining the Unknown

Confusion is caused when something occurs outside of awareness or a core assumption that the principles that are used to make decisions no longer hold true. Both the information security and cyber insurance industries have been brought to a culminating point of confusion by the pronounced jump in successful and shocking cyberattacks. These include the compromising of SaaS platforms affecting thousands of users. Attacks on, and through global supply and value chains, that are unseen and unknown and the use of new cyber weapons and capabilities such as autonomous dynamically adapting AI malware, ‘Polymorphic Malware’, ‘Steganography’ and ‘HTML Smuggling’. Along with the potent cocktail of new weapons and capabilities there is now new adversarial capacity to attack “bag of hooks infrastructures”, that combine and converge multiple threats on a target. These infrastructures use unrelated and legitimate trusted assets to smuggle malware into a target e.g., a distance learning school in Ukraine, or a University in Australia.

To make sense of the situation whilst in a state of confusion, there is a tendency to revert to oversimplification in order to manage a way through. A direct example of this is the ’Parametric Insurance’ approach that reduces policy products to a transaction, e.g., if ‘X’ happens we will pay out a maximum ‘Y’. The Insured gets a product they can easily understand, at a price calculated in a simple way. This might be good for some customers however, this approach does not fit all the needs of the market, particularly when the insurer has other sideways liabilities with the insured, which may be triggered by a cyber incident. It may also open the door to alternatives to cyber insurance coverage from the insurance market including ‘Captives’, ‘Sidecar Captives’, and ‘Self Insurance’ [do not understand this sentence].

The “Unknown Estate” and the World After Midnight.

The surprise and shock felt reflected in Headlines about cyberattacks and their victims, can be described as originating from an “Unknown Estate” that unseen produces new and more dangerous cyber threat risks and capacity to execute attacks to our world after midnight. Meaning, that every new day presents fresh threats to be dealt with. The information security industry and the enterprise tackle these fresh threats by hardening the enterprise’s IT/IS estate. The enterprise IT/IS estate also has both unknown and unmanageable risks including the increasing dependency on ‘Managed X-as-a-Service’ providers (MSP’s). Whilst the enterprise may try to defer some responsibility for cyber security to these MSPs, accountability cannot be transferred.

Defining the risk problem is at the heart of the culminating point for the critical co-dependency between the information security industry and the insurance industry, and this begs four questions:

• How can an insurer develop an appetite for cyber risk unless it can assess, measure, profile and enumerate the policy holders’ cyber risk from the “Unknown Estate”?
• How will the insurance industry players differentiate whilst not considering the “Unknown Estate”? Will it be through better risk selection or increased business competition?
• How will underwriting continuously monitor insured risk when the “Unknown Estate” produces a new cyberattack risk at Midnight?
• How will insurers bring better and more relevant cyber products to a market desperate for simple proportional answers, whilst continuing to develop their margins, and manage their loss ratios and preserve profitability?

Counteracting the “Unknown Estate”

We believe that the way forward is through primary source intelligence utilising machine learning artificial intelligence. Thus, providing holistic intelligence gathering, sensing, and processing, through to finished actionable intelligence into operations within hours. This technique removes many human decision points and the whole operational implementation sequence.

Whilst bringing “clandestine cyber operative” and “cyberwarfare analyst supervised machine learning (AI)” to holistically profile capabilities, state of readiness, and intentionality of our adversaries on the cyber battlefield as it relates to an enterprise and its networked IT/IS. Utilising this technique, allows for the non-intrusive assessment of the cyberattack risk and dynamically orchestrates counterintelligence directly to an enterprise’s cyber defences.

By addressing the advantage of cyber adversaries with foresightful anticipatory precision intelligence, an enterprise is removed from the “victim list” and is provided the basis for better data driven decision making with respect to cyber defence, with new options to measure and describe cyberattack resilience efficacy in real terms. This dramatically increases the value beyond that of standard threat intelligence, giving greater relevance, precision and real-time speed of action unencumbered by the human decision train.

Dynamic Precision Cyber Counterintelligence

Precision or “Finished High Confidence” intelligence on enemies is the basis of both military defensive and offensive operations. For a defensive battle being fought from an observed static defence position (i.e., an enterprise, on a network) it is the over-the-horizon predictive counterintelligence that allows the defender to out anticipate the attacker and decisively deal with threats from new or evolved cyber weapons, strategies and tactics, before they are weaponised against the enterprise, and the supply and value chain.

First Mission: Protect the Business. Protecting the Business Mission First

Many enterprises are undertaking ambitious digital transformations that take advantage of technological innovations. At the same time the risk from the “Unknown Estate” almost always remains un-factored into business mission planning.

Irrespective of whether there is technological transformation, and or technical debt to manage, an enterprise should look at the provision of both holistic cyber warfare intelligence for human team members, and pre-emptive prevention actions for “InfoSec Tech Stack Machines”. This approach allows an enterprise to move ahead with digital transformation programmes whilst being protected from cyberattacks from weapons that are far in advance of the traditional defence-in-depth cyber security defence.

The ability to “proxy patch” technology debt in real-time, using a pyramid-of-prevention approach provides security operations and risk managers with a prevent-first treatment of the risk of technical debt. Thereby removing the time under risk from technical debt and extending the time for consideration of replacement technologies or re-platforming.

Blackwired - Rethinking Cyber Operations

Rewiring Security Operations, Reducing the Cyberattack threat risk, and providing absolute and relative risk measurement.

By rewiring the security operations world with purposeful automation that has been encoded in our “Supervised Machine Learning” platforms, Blackwired produces actionable precision intelligence, operationalised on the day of detection. Supervised Machine Learning AI changes security operation effectiveness, levelling the playing field and providing the means to assess, measure and monitor holistic cyberattack risk profiles in the following ways:

• The ability to assess cyberattack threat risk, and the efficacy of cyber security vendor choices in preventing the attack. Allowing the factual, absolute, and comparative assessment of security architectural performance relative to the battlefield as it develops.
• Providing enterprise business leadership with a clear expression of their ‘Cyber Risk Profile’ and preventative treatment of cyber risks ahead of time is now a realisable expectation of a responsible board.
• Smaller intelligence-led security operations with much greater real-world cyberattack prevention effectiveness.
• The prevention of cyber-attacks on technology debt, and digital transformation futures.
• A demonstrably higher ‘Return on Investment’ on every vendor in security stacks.
• Better quality data-driven security operations and architectural decision-making.
• Cyber threat risk assessment, profiling, and monitoring that is both non-intrusive, fast and effective for identifying unknown cyber risks that have happened and anticipating the future occurrence of cyber risks.

Chris's goal is by that using information technology, identity, and cybersecurity he can restore, protect and accelerate trust in the global digital economy.

A 'Practical Futurist' and inventor with a track record of commercial success in identifying new concepts, value engineering to market ecosystems, and applying strategic scenario planning to bring new products to enterprise markets. Chris facilitates mission value-driven innovation, direction, and leadership of business development engine to deliver just-ahead-of-the-curve thinking into real-world competitive edge solutions.

With an international scope and Chris has achieved ground-breaking results in strategic information security confidentiality, privacy, integrity, and availability. Chris is a seen as a thought leader in Federated Identity Management, Financial Services, Payments, Concept to Market, Transformation programs, and troubleshooting.