
Field CISO Q&A: Joe Robertson

By Fortinet | January 07, 2020

We regularly conduct Q&As with Fortinet executives to share their key insights and leadership perspectives. Below is an interview with Joe Robertson, Field CISO at Fortinet, which covers OT and IT security, the future of cybersecurity, and advice for today’s CISOs.

You talk to a lot of C-level executives. What are a few common themes that come up as concerns—across industries, enterprise size, etc.?

I think the most difficult aspect of the job for a CISO is the breadth and depth of their responsibilities. If it can be attacked, they have to protect it. It can be a very technical job, but at the same time they sit at the executive table. I think of CISOs as being a lot like Janus, the Roman god of gates and doors who is portrayed with two faces looking in opposite directions. But in the case of CISOs they aren’t looking backwards and forwards, but rather up and down within the organization. They have to deal with almost anything having to do with security, from the technical details of security devices, to software development, to DevOps, to protecting workloads in the cloud, to physical access security, and in many cases even to staff safety. But at the same time they have to talk at a business level to other executives and to the Board of Directors. The translation from "geek speak" to "suit speech" is not easy.

What are common pain points for CISOs today?

The one that always comes up is the lack of resources. Of course, there isn’t a manager in any department who doesn’t want more resources. CISOs have a very special problem, however, in that there is a real skills gap in cybersecurity. There just aren’t enough people to do the work. Consulting group ISC² estimates that there is a shortage of almost 4 million skilled cybersecurity professionals around the world. This means that often CISOs cannot count on finding the talent they need on the open market. They have to grow their own. I always see their ears perk up when I talk about the cybersecurity training that Fortinet offers as part of our Network Security Expert Institute, especially the free basic training on good cybersecurity hygiene and awareness, which is appropriate for every employee, technical or not.

Are there any disconnects between CISOs and other business leaders within their organization that may be surprising to the security organization?

The metrics that security teams often think about are things like number of threats mitigated, numbers of devices protected, time to remediation, etc. In other words, activity. But what the executive suite talks about is risk. Risk is a whole different way of looking at the business. The basic equation is likelihood × impact = risk. The trick is putting a number to those variables. But that is the key for CISOs if they are to have a positive impact on the business. If you tell the CEO that a new security device will cost $100,000 and can block a DDoS attack at 10 gigabits per second, so what? You haven’t provided the information needed to make a decision. But if you say “the digital assets we are protecting are worth, say, $5 million, and the new device will reduce the likelihood of a crippling attack to under 1%,” the CEO can decide if the investment is justified, based on the company’s willingness to accept risk.

What does the future of security look like?   

It is quite clear that cybersecurity and networking are coming together. You can no longer have one without the other. Networks reach out and touch almost everything, as anything you can think of is becoming “internet connected.” But just as that makes many things very convenient for us in our personal and professional lives, it also makes it convenient for cyber adversaries. The network doubles as a delivery method for convenience (which is good) and malware (which is bad), so it needs to have security embedded in it (which is inevitable). Passing traffic off to a security box isn’t enough; the networking and security stacks need to coexist. One implication of this (one of many, I might add), is that not only must the networking and security teams interact, they are actually going to have to merge. And people who have extensive skills on both sides of the house are going to be in great demand, because the walls are coming down.

How does a security fabric approach protect customers in the future of security?

Threat intelligence is reaching everywhere in the network, and a fabric is the delivery method for this. Just as the warp and weft of a piece of cloth combine to create a pattern, so too the passing of threat intelligence amongst the various devices of a security fabric brings into focus the image of the threats lurking there. We can continue the clothing analogy by pointing out that the tighter the weave, the more waterproof the cloth. The same is true of a security fabric – the closer the integration of the various elements, the more threat-proof the fabric.

How does that intertwine with Operational Technology?

The worlds of Information Technology (IT) and Operational Technology (OT) were long separated, but are becoming intertwined. By OT I am not just referring to Industrial Control Systems, SCADA, etc. Even non-industrial segments like finance, healthcare, and hospitality have more and more sensors, automated systems, and controllers. Think of smart buildings, with access control systems, remotely controlled HVAC, smart sun shades, photovoltaic windows, etc. All of these devices, whether you call them IoT or IIoT (Industrial IoT), are potential vectors for attacks.

Is there specific advice that you find yourself sharing most often in your discussions with other CISOs and CSOs?

I find that most CISOs and CSOs have a strong technical background. They are very good at the "I" and "S" letters of their title. Where many of them are less comfortable is with the "C" and the "O" - being an officer of the company, interacting with executive peers, and reporting up to the Board of Directors. Sometimes this feels more daunting than reacting to a massive DDoS attack. I counsel CISOs to talk in business terms and clearly identify not only situations and consequences, but also likelihoods. One of the most important activities the CISO does is to create a cybersecurity strategy. This necessitates taking an inventory of the assets being protected, and assigning values to them. You cannot do this without working closely with the executives of the organizations that manage and use those assets. Take advantage of this opportunity to understand how they think, what factors are important (or not important) to them, and what terminology they use. I am also a firm believer that what you do at the top gets results at the bottom, so train your executive team in good cybersecurity hygiene. If they walk the walk (and don’t just talk the talk), and if they expect their departments to do so as well, their positive cybersecurity attitude will flow down through the entire organization.
