The Role of the CISO in the Era of Continuous Exposure to Security Threats

In this report we analyse how the role of security managers in organisations is evolving to adapt to increasingly numerous and sophisticated cyber-attacks.

The role of the CISO in a period of increasingly prevalent and fast-evolving cyber threats is not easy to pin down. The attack surface of enterprises and organisations has grown exponentially as business and corporate networks have shifted from being mostly on-prem to being deployed in the cloud. At the same time, corporate networks are becoming increasingly decentralised, as employees connect from different devices and locations, using different tools and even different credentials.

Corporate resources have gone from being protected (with better or worse fortune) “behind” firewalls, gateways or security appliances to being exposed in public and/or private clouds that replace or complement traditional on-prem deployments. This change of topology has allowed companies to benefit from the virtues of cloud computing in areas such as scalability, equipment and application maintenance (licence management, updates, etc.) and cost savings.

Image: Marketplace for malware. Source: Outpost24

Yet these advantages come with the previously mentioned increase in the attack surface. When we talk about the “attack surface” we mean all the potential entry points through which cybercriminals can reach the corporate resources of a company or organisation, with the aim of obtaining data, information or economic benefit through practices such as ransomware.

Moreover, the tools used by cybercriminals to attack companies have come to adopt a model similar to that of app stores, but focused on offering kits for cyber-attacks, practically “as a Service”. Ransomware as a Service is, in fact, one of the cybersecurity trends for 2024.

In this scenario of a growing attack surface, we face different types of threats, both external and internal. The CISO has to understand the nature and scope of these threats in order to take preventive measures, or to act against an ongoing threat that may already be succeeding.

Attacks from the ‘outside’ of organisations

Attacks from outside are the closest to traditional threats, except for the greater diversity and frequency with which they can materialise.

These are attacks that take advantage of vulnerabilities in application software or the operating systems and platforms on which corporate networks are deployed.

We are talking about the aforementioned ransomware, as well as malware, malvertising, phishing and DDoS attacks. The problem these threats pose for CISOs lies not only in the threats themselves, but in the enormous volume of alerts and warnings they generate in traditional vulnerability management systems.

In the past, it was feasible to manage and address these alerts in a systematic and organised way, but the growth of organisations’ attack surface makes it necessary to adopt threat management strategies that are proactive rather than reactive, and that operate in a continuous and unified way.

Security solutions have to adapt to these needs. In the case of Outpost24, according to David García, Account Executive at Outpost24, the company is moving towards the adoption of the CTEM strategy through its platform: “The goal is to do away with the differentiation that exists right now in different product verticals and that everything is based on a unified view.”

In this way, organisations can find in companies like Outpost24 an ally when moving from open-source, low-cost or free vulnerability detection tools to more professionalised and automated ones that allow them to cope with both the increase in cyber-attacks and the growth of their attack surface.

The cost associated with cybercrime is expected to exceed $27 billion in 2027, compared to $8.4 billion in 2022, according to data cited by Anne Neuberger, U.S. Deputy National Security Advisor for cyber and emerging technologies.

Attacks from “inside” organisations

Attacks from within organisations are also increasing as a result of this topology shift in corporate networks from on-prem to, to a greater or lesser extent, the cloud, as corporate applications and resources migrate to “XaaS” access models and employees reach these resources from a wider variety of devices and locations.

This is not to say that employees have a vested interest in becoming cybercriminals. In some cases that may be so, but most insider attacks involve cybercriminals taking over valid credentials and eventually gaining access to corporate resources.

Attacks based on social engineering are set to increase with the arrival of AI in attackers’ methods. Impersonating a department head in front of employees is becoming easier through voice cloning, for example, with all that this entails in terms of potential security risks for companies.

The CISO has to face reality: exposure to security threats is continuous and changing

This landscape of increasingly prevalent and frequent cyber-attacks means that the role of the CISO has to change. The CISO has to adopt a proactive rather than reactive posture in the face of continuous exposure to alerts and threats.

This continuous exposure to threats is incompatible with a traditional, reaction-focused CISO role. Moreover, the human resources available to cybersecurity teams, far from growing, are subject to cost-containment policies imposed by management, which complicates the CISO’s relationship with the rest of the organisation’s executive team.

“The CISO is not threatened by a specific trend as such, but his or her role will depend on the strategy of each organisation. Whether the strategy of a business decides to outsource a service or not will depend on many interests. It is true that in cybersecurity it is often decided to outsource in order not to have to spend more of the budget on its own human resources to manage technologies,” says García. In this sense, having tools such as those proposed by Outpost24, which allow CISOs to know, evaluate and prioritise threats and the company’s attack surface within a CTEM strategy, is essential to optimising resources.

CTEM, the strategy that CISOs will have to adopt to reduce the prevalence of cyber-attacks in their organisations

The answer to this continuous and growing exposure to cyber-attacks is CTEM, or Continuous Threat Exposure Management. CTEM is the strategy that Gartner predicts will enable companies and organisations to reduce their vulnerability to security breaches by up to a third by 2026.

The framework proposed by Gartner for implementing CTEM strategies has deeply influenced organisations, as well as security solution providers, who are beginning to offer CISOs the tools needed to support them in adopting proper continuous management of their exposure to cyber security threats.

CISOs need to take a holistic view of their organisations and have clearly defined aspects such as the threat exposure surface. It is also necessary to integrate insights from traditional vulnerability management tools, as well as from external attack surface management (EASM) or threat intelligence tools, into a single threat management strategy.

With all these insights at their disposal, CISOs have to segment, classify and prioritise threats, allocating the resources available to the organisation’s cybersecurity teams to the highest-priority tasks.

This shifts cyber threat management from a ‘brute force’ model to one based on operational intelligence, aimed at providing cyber resilience to businesses and organisations through techniques such as process automation and the optimisation of available technical and human resources.

Exposure Management Platform: Outpost24’s answer to support CISOs in adopting a CTEM strategy

Outpost24 is a company specialised in offering companies and organisations the tools they need to improve their cyber resilience, at a time when the growth and diversification of threats and cyber-attacks have rendered traditional cybersecurity strategies operationally obsolete.

Outpost24 offers its Exposure Management Platform, which consolidates on a single dashboard a unified view of the company’s assets, its attack surface and the threat context. This dashboard thus becomes the CISO’s ally in their new role as manager of the organisation’s cyber resilience.

Outpost24 helps with critical tasks such as prioritising vulnerabilities through Key Risk Indicators (KRI), so that the resources allocated to managing them are proportional to that priority. The integration of EASM or threat intelligence tools supplies the data needed to produce the operational intelligence the CTEM strategy requires.

In addition, Outpost24 helps to scope threats, discover vulnerabilities, validate risks and mobilise cyber security teams to tackle threats. These four points complement prioritisation within the CTEM strategy.

This data covers the attack surface associated with network infrastructure, applications and user interactions. This paradigm shift in security management also allows CISOs to communicate cyber security needs to company and organisational executives more effectively and more understandably.

No less important is the ability of cyber security tools to adapt to the peculiarities and business processes of each organisation.

According to García, a cybersecurity tool has to operate according to “not only traditional practices based on cybersecurity standards or certain regulatory frameworks, but also according to the specific characteristics of each business.”

Among all the qualities that businesses need to develop, cyber resilience still has a long way to go before it becomes mainstream. CTEM, the strategy coined by Gartner just a year ago, paves the way for organisations to work on this quality beyond the traditional approach of cyber security departments, based on reacting to threats and attacks rather than on proactivity and intelligence.

In the following articles we will focus on different types of threats and how to deal with them from the perspective of a CTEM strategy, supported by a tool such as Outpost24.