Today we’re introducing a new series, highlighting the role of Chief Security Officer (CSO), both in its importance to a company’s success and evolution over time. To help us do so, we’re sitting down with ZeroFOX’s very own CSO, Dr. Sam Small. Dr. Small is one of the country’s foremost experts on security operations and intellectual property (IP), and at ZeroFOX, he defines, executes and manages the security strategies for ZeroFOX and our customers. Over the course of this series, we’ll be featuring a mix of posts sharing Sam’s ideas, direct interviews, and blogs written by the man himself. So without further ado, let’s dive in.
When we first sat down with Dr. Small to chat all things CSO, the thing that was most striking was just how far the role has evolved in the last 5 years. There’s no denying that the industry is dynamically changing. In 2013, Cisco reported that there were 1 million unfilled cybersecurity positions globally. This number is expected to rise to 3.5 million unfilled roles by 2021. The roles of CSO and CISO were also pretty cut and dried: to serve as the company’s leader in information and corporate security. However, in recent years, as the cyber threat landscape and the digital channels that encompass it have expanded, so have the responsibility and the role of the CSO. CSOs have had to adapt to this changing landscape, shifting from a focus on structuring internal security initiatives and programs to one that addresses these new threats not only on the web, in the cloud and on mobile devices, but across social media as well.
Here’s Sam’s take on some of the most significant ways the CSO role has changed, and what you can do at your organization to keep up:
Shifting from IT priority to business priority
For many years, security was considered an operational issue, not a business issue. IT managers sitting in dark corners of the office held sole responsibility for the ins and outs of a company’s security policies, and C-level executives rarely concerned themselves with security protocol. Often, executive leaders lacked the basic IT understanding needed to make decisions on security investments and incident management. Threat actors have taken advantage of this lack of awareness and action at the executive level, putting a target on the backs of large private companies. The results of this are almost immeasurable: billions in lost revenue, resources and company trust. Consider significant hacks such as the Target breach, which took months and millions of dollars to mitigate. If Target had had a security professional at the leadership table, could this situation have been handled better? Potentially even prevented?
In the last five years, as more attacks like the one that happened to Target have hit other major corporations, we’ve seen a rise in leadership for security professionals with big companies adding CSOs and CISOs to their leadership teams. This is a good thing. It means organizations are getting serious about security, and it presents new career possibilities for mid-level IT managers. However, it also means that CSOs and CISOs are required to command a greater sense of business and leadership acumen than they traditionally have held. Most C-level executives and board members are in unfamiliar terrain when it comes to cyber threats. The most successful CSOs/CISOs are both intuitive and articulate, able to not only identify and remediate security risks but also able to determine and explain the solution to these risks in a way the rest of the leadership team can understand. This provides a wealth of opportunity to set strategy, define policy and implement new processes, but with it also comes new challenges.
Moving outside the perimeter
Though we’ve been talking about its deterioration and imminent disappearance for a long time, I think most would agree that—in our modern landscape—the enterprise perimeter is now almost entirely porous. The idea that a CSO can effectively shop around and identify strictly on-premises solutions in hopes that everything can sit safely in a server room under lock and key is both a pipe dream and a disastrous recipe for blocking organizational agility and innovation. It’s not just applications and infrastructure: the same holds true for data and data sharing.
Dr. Small notes that about 5 years ago we began to hear from a small but vocal group of forward-thinking security leaders in our industry who evangelized adopting a more modern, DevOps-inspired mindset as a practical and principled approach to framing infrastructure and greater enterprise security issues. Perhaps this was an inevitable outcome given the parallel transformation we’ve seen in the evolution of SaaS infrastructure and delivery best practices, but since then, this line of thinking has rapidly become a conventional, de facto standard for many successful enterprise CSOs.
As the landscape changes almost daily, CSOs must be more adaptive and innovative to comprehensively address new security concerns. This demands a certain level of insatiable curiosity and a culture of continuous learning. CSOs can no longer solely rely on standard IT management practices. In fact, many of today’s threats come in a new form: 140 characters or less.
An increasing focus on social media
In 2018, the effective CSO cannot ignore social media. Why? Multiple sources confirm that social media platforms have surpassed other channels such as email to become the #1 source of malware delivery. Social media platforms have also brought about a renaissance in social engineering attacks, enabling attackers to realize advances in reach and efficacy through automation like never before.
What does this mean for a CSO? As Sam sees it, your attack surface is more extensive—and your weakest link is more accessible—than ever. Despite all of the technical jargon about botnets, trojans and ransomware, human behavior sits at the core of security strategy. The most successful corporate strategy requires an equal focus on people, processes and technology. And it’s increasingly difficult to take stock and effectively manage the community of employees and customers that your company interacts with on a daily basis.
“Employee” social media accounts are a prime example. Whether real or impersonators, employee accounts serve as your unofficial and often unregulated “brand ambassadors,” potentially spreading confidential or negative information about your company, or worse, spreading malware and security risks to your clients, customers and followers. On the other end of this spectrum are real or impersonated “angry customer” social media accounts. These accounts, if unmonitored, can potentially lead to uncontrollable and uncontainable PR crises and customer narratives. And while the immediate impact may fall directly on the shoulders of the Chief Marketing Officer, successful CSOs know they must do their part to monitor and mitigate these disasters wherever possible by addressing the risk head-on.
New threats require new methods for identification and mitigation. ZeroFOX provides digital risk protection for the channels your traditional security appliances can’t reach. Want to learn how the ZeroFOX platform can partner with your security team to handle the social media security landscape? Let’s chat.