By Haley Williams, from the perspective of Black Kite CSO, Bob Maley

Throughout the month of June, I hit the road to attend a variety of CISO Exec Net conferences around the country. At each of these events, CISOs from different companies met up and discussed the most pressing and top-of-mind topics together. The focus of the roundtables for this quarter was attack surface and vulnerability management. As attack surfaces continue to grow, how are CISOs managing them successfully with vulnerability management practices to lower organizational risk? While attack surface management has not often been discussed in the past, Gartner has claimed it as the next big thing. So, to discuss the next big thing – I headed to Fort Lauderdale.

June 14th Ft. Lauderdale, FL CISO Exec Net

My first thought was – How do I get to Fort Lauderdale from Phoenix? Of course I have loyalties to a particular airline (boarding early is hard to beat!) But to my dismay, there was nothing direct! Flying itself is a risk assessment process: having two flight segments doubles the chance of something happening, such as a cancellation. So I flew direct to Miami, with a short Uber ride up the coast. When I left Phoenix, it was hot. When I got to Miami, it was humid. Although I had prepared my attack surface with the appropriate Florida clothing, I was not prepared for what the humidity did to me!

The format of each event is a round table discussion, where CISOs representing different companies speak about their organization’s experience. Before the pandemic, the events were always in-person. Then they temporarily moved to remote only, and are now hybrid events.  As stated above, the main topic of conversation was attack surface management.

They ask CISOs to talk about what is top-of-mind with their risk management process. What I realized is that everything that a CISO does is complex, and most people do not realize quite how complex the job is. A long time ago, the job felt more one-dimensional, almost as if you had a physical castle to protect. Now that so much has progressed, and data has been moved over to the cloud, the job is now feeling three dimensional. There is no longer a defined exterior, and the attack surface has now vastly expanded.

While most CISOs view this expanded attack surface as challenging, most seem to have a good grip on their own attack surface. They know where their cloud assets live and which servers are exposed to the internet. However, when they realize their attack surface includes the immediate attack surface of their entire supply chain? That is when things get intimidating (and frankly scary) to manage.

What else did CISOs talk about?

  1. Mergers and acquisitions: Bringing in a new company brings along all of their risk and past cybersecurity habits. 
  2. CISOs often have a target on their back, when being the main representative of security for an entire organization.

June 15th Tampa, FL CISO Exec Net

Could’ve taken a flight from Fort Lauderdale, but decided to Uber to Miami and take a nonstop to Tampa with a rare upgrade to First Class (for a 45 min flight). Great city, less humidity!

This was the first time where we heard about global events being a challenge for CISOs, particularly due to the Russia/Ukraine war. Other common CISO challenges include patch management and staying on top of updating older systems that may break applications (but this isn’t news to them!) However, with patch management, it isn’t necessarily the CISO that can enforce that action. Many application owners within the company come back with “we can’t update that, it will break our application!”

As a CISO, what do you do in this situation? If you force the upgrade, and the application breaks, you’re now a CISO that caused a system malfunction. But if you leave the application unpatched, the company is now at a higher risk. Our RSI™ calculation shows that poor patch management is often one of the most common avenues for bad actors to gain access to a company’s systems. Bad actors know that operating systems aren’t updated when they should be, so they capitalize on that delay.

The best way to prioritize overarching patch management implementation is education and awareness by the whole company, typically led by a dedicated CISO.

Bad actors sometimes attack people first using phishing techniques or “urgent messages” from the CEO. This CISO group seemed to have more of a focus on those things, plus attack surface management. No one was implementing techniques poorly but a large group wanted to vastly improve. CISOs that are actually attending these kinds of events and learning from their peers are less often the ones forgoing proper security implementations.

I was able to grab dinner with a friend from Space Command in Tampa, as well as some customers! Oh and there was a nonstop back from Tampa to Phoenix. (No, not first class.)

June 22nd Minneapolis, MN CISO Exec Net

Not my first time in Minneapolis. But I still did a risk assessment of where I was going to eat – looking for open-air, sports bar, local frequented restaurants – but my assessment was far off! It was loud with less than amazing food, but sometimes risk assessments don’t quite get the job done. (Continuous monitoring, my friends! Things change.)

Sadly, no time to get to a Twins game.

The meeting was very good – a good representation of CISOs, some with lots of experience, some newer to the field. The whole concept of third parties came up again here as well – it’s all about the cloud and outsourcing of services. At this event, the CISOs all believed they were doing well, but still needed to do better – these are the strongest CISOs when it comes to keeping their organizations safe.

A lot of the newer CISOs had a lot to learn, but a LOT of potential, and while some didn’t have the title of CISO, they had roles that matched. The newer CISOs said that unknowns (not knowing what you don’t know) and lack of knowledge was one of the biggest threats. This is all part of having to learn your new environment as a new CISO. One reason Black Kite is so helpful for CISOs is that our platform reveals the unknowns in their third party ecosystems, highlighting changes that need to be made.

Privacy laws and the FTC were also mentioned, just adding more challenges to the CISO role. In fact, Black Kite, alongside Linnea Solem from Shared Assessments, conducted a webinar detailing the changes in security regulations led by the GLBA, and how the update to a 20-year-old regulation impacts banking and other related organizations.

Everyone seemed to think that having a federal privacy law was a good thing.

Finally back home.

June 28th Nashville, TN CISO Exec Net

But not for long! I was off to Nashville. As we decided where to go to dinner on Broadway Street, (pre-early morning flight), somehow electric scooters came into play, and my risk assessment told me to head back to the hotel. The only non-stop to Phoenix was pre-dawn, so the cross-city scooter rides went on without me.

At this event, once again, attack surface came up, particularly with concerns about people phishing and scams. SaaS tools were discussed as well, exponentially increasing attack surface but being crucial to getting things done efficiently. What are the unknowns in acquisitions? How does security work with vendor procurement?

There were many more virtual CISOs this time, as more regulations like FTC and GLBA came into play this year , and more companies needed solutions to kick off their security practices. Remote CISOs obviously have to travel and be flexible, but remote-first jobs are becoming very popular amongst CISOs, especially after the pandemic adaptation. This allows for a bigger pool of higher caliber people to hire. (A very good thing!)

Overall, it is incredibly valuable for these CISO groups to all gather in one room and discuss the ideas, struggles, and successes they’ve faced over the past year. Each meeting allows for veteran CISOs and newer CISOs to share perspectives with each other, and grow stronger together as a cybersecurity community. I’m already looking forward to the next series!

Check out other events we are participating in for the rest of 2022.