IT Strategy

The case for the ‘battle-hardened’ CISO

Why it might help to have a security pro on your team who has seen a breach or two.

Francis Scialabba


Whoa! Cool scar, CISO!

There’s a feeling among some security pros, including those who spoke to IT Brew, that a practitioner who’s been through the battle of breaches has the kind of crisis-management experience that’s valuable to a team, not one to run away from.

“The more battle-hardened individuals that we can bring to the table, the more likely we are to be successful in defending against those that would do us harm,” David Bradbury, chief security officer at the authentication provider Okta, said.

Move, move, move! Bradbury has seen a few cyber fights, with career experience in industries where malicious hackers lurk—previously at IBM and financial institutions, and now at Okta.

In the fall of 2023, Okta discovered unauthorized access to its customer-support system that exposed the names and email addresses of all customers using the system. In early 2022, Okta confirmed a security incident after the cybercriminal group Lapsus$ posted screenshots, claiming to illustrate applications in the vendor’s environment.

Both incidents gave Bradbury hard lessons in what he considers one of the toughest challenges of crisis management: Picking the right moment to communicate, when there’s enough information and confidence to bring details forward.

Bradbury said the company “took too long” in reporting the Lapsus$ incident. According to its timelines, on March 22, Okta Security determined that the screenshots were related to an incident discovered in January.

“We took too long to assemble our thoughts and have confidence in what we wanted to share,” Bradbury said.

A separate incident, discovered on Sept. 29, 2023, gave the company a chance to speed up its communications. A look at the company’s report of this fall’s customer-support compromise revealed a faster, more descriptive timeline in comparison to the event log the company provided after the January 2022 compromise.

“We didn’t hesitate. And so that event was an example of a crisis in the past that’s…given me the strength to counterbalance the idea that we wait until we have high confidence before we come forward,” Bradbury said.

Experience pays. CISOs have faced some liability pressures as companies deal with new SEC disclosure regulations regarding cyber incidents. But a 2023 study shows that the situation is not as simple as: CISO gets breached, CISO gets fired.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Bradbury, often the final interviewer when hiring new professionals on the Okta security team, seeks employees with backgrounds in highly targeted industries, like government, pharmaceuticals, and healthcare.

A study from the XDR company Trellix, released in November 2023, found that 13% of 500 surveyed CISOs (“with experience managing a major cybersecurity incident within the past 5 years”) experienced job loss or redundancies in the past year—a decrease from 23% one-to-three years before the conducted survey, and 31% more than 3 years before the publishing of the data.

“I think people think that it’s almost the norm: That if there’s an incident, the CISO’s going to get held accountable and they’re going to get fired, but I don’t see that as being the norm. Usually, they’re the ones that help protect the company. They help respond,” Dave Wong, director at Mandiant, told IT Brew.

Wong recalled a case in which a professional’s prior ransomware experience served as a helpful guidepost at a new company. The director has seen breached companies bring in teams that have been through such compromises to rebuild entire networks and policies.

“These CISOs with that level of experience, not only responding to an incident but helping companies recover, I think they’re highly sought after, when we see companies have major breaches,” Wong said.

Practice! Tim Chase, global field CISO at Lacework, said cyber incidents taught him how to interact with the CEO and members of the board—and their varying levels of technical expertise when communicating news of a breach. “Know your board and know your executives quickly, because they’re all so different,” Chase said.

Cybersecurity pros often recommend organizations conduct tabletop exercises, but there’s no experience quite like the real thing.

Chase considers those tabletop practices important for preparation: “When you get into the middle of an incident, you don’t always have time to stop and think.”

Don’t have time for that kind of exercise? Find someone who’s already spent plenty of time stopping and thinking, who knows how to contain an attack, communicate with legal counsel, and disclose the appropriate details, according to Chase.

“I know that it is important to me to have a CISO that has been there, that has done that before,” Chase said.
