
Akamai Technologies’ Head of Security Technology and Strategy, Asia Pacific, Fernando Serto, shares the new strategic role of the CISO and their responsibility to quantify risk in order to gain budget. To Serto, it’s about having tried and tested processes in place and encouraging users to realise the full benefits of the tools they already own to reduce risk.

He chatted with our Senior Research Strategist Aparna Sundararajan at CISO Edge.

Aparna Sundararajan:

Have your conversations in the last few years changed with the CISOs in terms of what they’re asking you – the questions or the challenges they’re facing within the organisation?

Fernando Serto:

Yes. I think it comes from where Akamai came from. Being born as a content-delivery network, the people that we talked to were really only the digital offices of every organisation. So, whoever owned an application that is being published to millions of users, for example, these were usually the people that we always spoke to. Security in those cases was always an afterthought. Now, because every organisation is building its own security capabilities, everyone has woken up to the risk. Everyone is getting bombarded in the news with breaches and problems and fines and compliance and GDPR and everything that came about. So suddenly everyone’s very aware of the risk.

Because of the risk, now every application that is published to the outside world has to have a tick of approval from a CISO.

So now, we went from five, six years ago, when we never even met with CISOs, to now having really strong and great relationships with a lot of the CISOs in every country that we operate in.

Aparna Sundararajan:

Wow, so that means that their role is actually evolving and becoming more strategic to the business.

Fernando Serto:

Yeah.

Aparna Sundararajan:

And, do you think it’s only going to grow in that way?

Fernando Serto:

I think businesses understand that there is a risk. I’m not saying that they know exactly what the risk is or how to quantify it. But with everyone who is exposing an application or delivering a service, risk now comes into the conversation every time. So, the only way to really mitigate risk is to bring in people who understand and can quantify that risk.

If you can’t quantify risk, it’s really hard for you to put a dollar amount on what your security budget is.

How much money do you need to spend? This is where the role of a CISO is growing significantly, because of the need for them to understand what all these initiatives in the business are, because they can’t be the nay-sayers anymore. They can’t be the guys that people come to with a, “Hey, guess what? We’re publishing this tomorrow, this new initiative, this new application, and we need you to say yes.” 100% of the time CISOs or security people are used to saying, “No, no, I haven’t done the analysis on this and I’m not going to approve it.” So the business, a lot of times, would launch initiatives with a, “Yeah, there’s a risk, but we’re gonna wear the risk and hope that nothing bad happens.” But the knowledge that something can happen is very visible now in the public news and all, talking about airlines being fined hundreds of millions of pounds for breach of compliance, for a particular type of attack vector that could have been prevented in some way. And it was just an oversight. CISOs are more and more getting involved in these conversations a lot earlier on. For them, that means resource planning and getting the right skills into the business. They have a little more of a runway to get to the yes or the no, and they’re comfortable saying yes.

Aparna Sundararajan:

So they’ve always been behind the curtains, and then suddenly everyone is looking at them with hopes that maybe they’ll save us from attacks.

Fernando Serto:

And I was having lunch with one of our customers here today and talking about his view as a CISO, where he finally got to a point where he mentioned that he has enough visibility of everything that he’s responsible for. So, he can very confidently go on holidays, for example, knowing that all the processes are in place: if this happens, you do this; if that happens, you do that. His playbooks are all done and they’ve been tested multiple times. So, there’s a level of comfort that in the event of a security incident, the team that’s there is capable of making decisions based on tested models.

Aparna Sundararajan:

So are they facing any talent gap? Or are they facing any gap in resource planning, so to say? For example, budgets, I’m sure they still work with an approval process and making a business case.

Fernando Serto:

I don’t think budgets are growing on trees. I think that challenge will always be there. I think the problem that we have now is the fact that if they do get the budget and that budget includes new headcount, finding the right talent can take time. And I think for some businesses, you end up hiring not the best talent you could, because public-listed companies [are competition]. If you wait until the next financial year and you haven’t filled the headcount, you may lose the budget.

Aparna Sundararajan:

Yes.

Fernando Serto:

So, there’s that fear of, “Okay, I got the approval now, I got a budget now. I need to spend that now, otherwise someone will come and take it away from me.”

Aparna Sundararajan:

Right, okay. Okay, that’s a good perspective.

Fernando Serto:

When you look into resourcing versus tools, one thing that I always tell our customers is don’t buy, even our services, if you don’t know what you’re gonna be using it for.

Because the last thing that we want as a provider of security services is people buying our solutions and, two years later, there was no value. They never used it. So, now there’s a big programme that we’re working on to get people to turn on all the features that they already paid for. All the things that come as part of a product, as part of a capability, and actually turning them on and getting them implemented. And sometimes they don’t get implemented because of the lack of resources on the customer’s side. Sometimes they don’t really realise how much of a risk reduction it would be if they turned it on.

Aparna Sundararajan:

Is this related to the training of the tools?

Fernando Serto:

So, we do a lot of managed services for a lot of our customers. And this is more to bridge the gap on having to train people. Some of our customers are more than capable of driving our tools. But our managed service capabilities are growing more and more, and this is typically due to the complexity of new applications or new solutions. On the other end of the spectrum, we’re actually building a lot of tools that are a lot simpler to use. So the round table that we had today about zero trust is really around that. How can you start implementing a zero-trust framework without having to hire 10 people? Without having to really understand the tools down deep and write command-line code and that kind of stuff. More of a click-click-click and you can start onboarding applications onto this type of platform. So, when you look into IT security operations, for example, whenever they’re troubleshooting something, you’re reducing that attack surface and the risk of someone – a human – making a mistake in misconfiguring something. Whenever you’re doing threat hunting, whenever you’re looking for a possible problem, an incident, it becomes a lot quicker for you to get there rather than having to go into every single component that is part of the delivery of that application and troubleshooting those
