Future-proof IT

Swerve or stay the course: Discussing the CIO’s balancing act

Apr 07, 2022
The CIO’s balancing act

For episode 11 of The CIO Evolution, I was delighted to welcome Kevin Dawson, the President and CEO of ISA Cybersecurity to the podcast. We were joined by Zscaler’s own Sean Cordero, host of the CISO’s Gambit podcast and CISO - Americas. The result was a fascinating dissection of some of the issues CIOs face when sourcing – or outsourcing – their security solutions. 

As a recently retired global CIO, I’m all too familiar with the challenges CIOs face patching together solutions to defend against evolving cyber threats. Inevitably, a tool or platform becomes utterly ineffective after it’s been compromised by a threat actor or neglected by a vendor. Emerging technologies offer attractive alternatives, or are at least backed by the marketing dollars to make us believe they are.

CIOs constantly scan the market, anticipate future trends, and adjust their cybersecurity solutions to maximize value, effectiveness, and risk mitigation. But without a coherent strategy, can we keep this from becoming a game of cybersecurity Whac-A-Mole? 

To tackle that question, the panel discussed the factors they rely on when assessing solution longevity and when to use strategic outsourcing to prevail in the cat-and-mouse game of cybersecurity.

Companies saddled with technical debt often don’t approach the acquisition phase of new security tools correctly, said my guests. Using a risk-lens approach to procuring solutions is far more effective than grasping blindly, according to Dawson.

Companies need to determine, "what the actual risk profile of the organization is," he said. Then, identify the gap in protection and, crucially, focus on the governance after they implement the tools.

Chasing solutions to new threats while giving little thought to governance, implementation, and sustainability often wastes capital and results in partial protection at best. Endpoint solutions were used as an example. Despite significant advancements in capabilities by market leaders, many companies are continuing to implement solutions from lagging vendors.

Cordero then raised the topic of cyber insurance, commonly thought of as a strategic tool for CIOs to mitigate risk. But cyber insurance has changed dramatically in recent years. The process of acquiring it is still antiquated and fraught with issues. Many providers still grant policies based on applicants’ dubious self-assessments of their own security capabilities, a process Cordero called "a joke."

"When I think about legacy, outdated things, it's absolutely the technology," he said, "but also processes."

With many insurers seeing a 1:4 loss ratio, cyber insurance is becoming harder to acquire. Initial, flawed policies are giving way to stricter renewal and qualification processes. Insurers now often require third-party audits, assessing capabilities and effectiveness upfront as a prerequisite for coverage. 

Accelerated by Merck’s recent lawsuit win against its provider, the cost of cyber insurance is rising and the coverage is getting narrower – many providers have excluded ransomware already. The days of self-attestation are coming to an end. 

Next, the panel tackled the merits of outsourcing security responsibilities to third-party organizations for independent digital forensics and assessments. Each new vendor, the panelists noted, increases exposure to supply chain attacks, prompting concerns about security evaluation criteria and frameworks for mitigating added risk. 

Thankfully – perhaps due to a spate of high-profile supply chain attacks in recent years – "third-party risk assessments are actually a little bit ahead of insurance carriers in evaluating companies," Dawson said.

The panel concluded by observing that outsourcing and cloud migrations are concentrating risk. These trends will require automated risk assessment tools and more diligent processes for CIOs to effectively manage third-party risk.

“It’s a time for introspection and action,” Cordero said. CIOs must decide how best to deploy their talent. Some have turned to outsourcing key functions.

“Companies are looking for outcomes,” added Dawson, when they outsource technology, people, and processes at sustainable prices.

Managing cybersecurity portfolios in a sustainable, cost-effective way is one of the top challenges facing CIOs today. Investing in new security tools using a risk-adjusted approach is emerging as a best practice. It will also require increased outsourcing of skills and services, and the extent to which cyber insurance will play a role remains to be seen. CIOs will need to walk a fine line to balance it all.

Listen to the complete discussion to hear how the modern CIO can win in the high-stakes game.