How to become a Chief Information Security Officer – CyberTalk

EXECUTIVE SUMMARY:

The Chief Information Security Officer (CISO) is one of cyber security’s most powerful and influential roles. As CISO, responsibility for every aspect of an organization’s information security rests with you. Beyond securing data, CISOs also contribute heavily to shaping business strategy and helping the business become cyber resilient.

The CISO role is commonly considered the highest rung on the cyber security career path ladder. Nonetheless, it’s actually never too early to start planning a path that enables you, as a CISO, to join the board. An increasing number of boards are looking for members with cyber security expertise.

Why CISOs are in demand

In the past, IT security largely fell under the purview of other senior IT leaders, such as the Chief Technology Officer (CTO) or the Chief Information Officer (CIO). These leaders would collaborate with security experts to secure the digital perimeter. Today, an initiative limited to defending the perimeter is no longer adequate.

At present, businesses face constant threats from motivated and persistent cyber criminals. In the last five years, cyber fraud has increased by almost 500% and the cost of a hack can easily soar to as much as $4.45 million.

That’s why opening a position for and appointing a CISO makes sense. A CISO can offer comprehensive cyber security strategy advice and can oversee plan implementation. In turn, this reduces the probability of cyber threat-related financial losses, productivity gaps and litigation.

CISO compensation

In general, the CISO position is well-paid. Due to high demand and a limited talent pool, top-tier CISOs have commanded salaries in excess of $2.3 million. Nonetheless, executive remuneration may vary based on industry, company size and specifics of a role.

Chief Information Security Officer: The role

The CISO typically manages a team of cyber security experts (sometimes multiple teams) and collaborates with high-level business stakeholders to facilitate the strategic development and completion of cyber security initiatives.

The primary responsibilities of a Chief Information Security Officer include:

  • Elevating the cyber security infrastructure. A CISO typically works with a security team to optimize and implement new cyber security tools.
  • Incident preparedness. A CISO is also in charge of developing incident response and disaster recovery plans – which should be drill-tested and accessible to a wide variety of stakeholders.
  • Developing secure business strategies. The CISO engages in dialogues with other C-level leaders to determine how to plan for the future. To that effect, CISOs need to know their environments well, think strategically, and work together with others.
  • Managing regulatory compliance initiatives. The vast majority of enterprises today maintain sensitive data belonging to customers, whether that’s credit card data, healthcare data, or location-related data. A CISO must ensure that the business adheres to relevant laws around data protection at all times.

How to become a CISO

Businesses want to hire someone who they can trust to reliably protect data and keep the business running smoothly. If you want to become a CISO, become someone trustworthy. There are a variety of ways in which to gain credibility as a trusted cyber security professional in the field.

1. Get the education. While experience in cyber security does count for a lot, and while smart and talented people do ascend to the CISO role without extensive formal schooling, it can pay to get the right education.

Most enterprises will expect that a potential CISO have a bachelor’s degree in computer science (or a similar discipline). There are exceptions, but an undergraduate degree is often used as a credibility benchmark. These days, many businesses will also expect that a CISO have a postgraduate qualification, such as a Master of Science in Cybersecurity (MSCS).

2. Develop real-world experience. When it comes to real-world experience, most CISO roles require a minimum of five years’ time spent in the industry. A potential CISO should maintain broad knowledge of a variety of platforms and solutions, along with a strong understanding of both cyber security history and modern day cyber security threats.

3. Obtain leadership experience. In essence, the CISO role is a leadership role. The bulk of your energy will go into building a world-class cyber security team and enabling that staff to deliver on your cyber security strategy. Accordingly, CISOs need excellent people skills: the ability to manage, support and communicate with a team. CISO roles often require a minimum of seven years’ management experience.

4. Become qualified as a Chief Information Security Officer. One of the biggest obstacles for many along this career path is the jump from management to executive leadership. But there are ways to make bridging this divide easier. For example, obtain a qualification that will help. These days, there are a multitude of executive-level education courses that you might consider. Alternatively, the Certified Chief Information Security Officer (C|CISO) certification could be a great choice.

5. Develop your strategic vision. When a company wants to appoint a new executive, they’re looking for a visionary leader who can steer the company towards future success. Carefully consider the strategic vision that you can bring to the table, ahead of applying for a role. Highlight your abilities to drive growth and innovation.

Related resources

  • What is a BISO? – Learn more
  • Cyber security training for C-level executives – Here
  • Engage with CISOs and security leaders to tackle the toughest security challenges – Here

Emerging trends: How to protect your Software Defined Vehicle – CyberTalk

Micki Boland is a global cyber security warrior and evangelist with Check Point’s Office of the CTO. Micki has over 20 years in ICT, cyber security, emerging technology, and innovation. Micki’s focus is helping customers, system integrators, and service providers reduce risk through the adoption of emerging cyber security technologies. Micki is an ISC2 CISSP and holds a Master of Science in Technology Commercialization from the University of Texas at Austin, and an MBA with a global security concentration from East Carolina University.

In this highly informative Cyber Talk interview, Check Point expert Micki Boland provides an analysis of Software Defined Vehicles, describing their advantages and flaws, along with actionable security best practices that can keep software safe.

Help our readers understand what benefits the Internet Connected Software Defined Vehicle provides to drivers, automakers and public transportation systems:

For a variety of stakeholders, the continued development of connected vehicles offers several key benefits. I’ll briefly outline them below:

1. Driver’s perspective:

  •    Improved driving experience by optimizing routes.
  •    Enhanced personal safety through real-time information about road hazards, construction zones, and weather-related dangers.
  •    Access to rapid emergency services and roadside assistance on demand.

2. Vehicle manufacturer’s perspective:

  •    Ability to offer road hazard services and monitor vehicle telemetry data.
  •    Delivery of software updates for infotainment and onboard systems.
  •    Monitoring of vehicle health and providing consumers with access to vehicle statistics.
  •    Enhanced vehicle safety with features like crash avoidance systems.

3. Public transportation systems and public safety:

  •    Communication with intelligent transportation systems to improve infrastructure.
  •    Integration with smart city infrastructure to enhance public safety and reduce traffic-related fatalities.

Connected vehicles are not just a concept; they are a reality. Many vehicles already transmit telemetry data to auto makers and third parties, allowing for software updates and remote monitoring. Additionally, across the globe, efforts are underway to establish communication between vehicles and traffic management systems, contributing to the development of smart cities.

Is my Software Defined Vehicle vulnerable to hijacking, vehicle theft and the hacking of systems and software? Is it also capable of invading my privacy?

Threat actors are actively seeking to hijack core system functions in order to steal cars. You may have seen recent media reports about two auto manufacturers whose vehicles are susceptible to hijacking via the vehicle USB port. This is a TikTok challenge and has resulted in vehicle thefts and crash deaths. One manufacturer is offering financial compensation to owners suffering from vehicle theft.

It does not stop there. Sam Curry, a web application security researcher, published fascinating results in a January 2023 report (here). Sam and team found many automotive vulnerabilities related to everything from the telematic (telemetry) platforms, automotive APIs and infrastructure, including cloud infrastructure and DevOps platforms, customer accounts, and the vehicles themselves. Hackers have breached Tesla infotainment systems and even injected code into vehicle headlights!

Attacking the vehicle has long been the subject of hacker conferences. In real life, hacks range from manipulating the vehicle (unlocking it, engine start/stop, flashing headlights, finding a vehicle’s location by VIN in order to track it), to hijacking the vehicle owner’s online account, to hacking telemetry APIs, to stealing data. Additionally, commercial fleet management platforms have been the subject of hacks that exploit vulnerabilities in the web applications and in the APIs hosting these applications.

Hackers inject code into vehicle headlights: https://www.thedrive.com/news/shadetree-hackers-are-stealing-cars-by-injecting-code-into-headlight-wiring

Hackers breached Tesla Infotainment system: https://www.securityweek.com/tesla-hacked-twice-at-pwn2own-exploit-contest/

At present, why aren’t Internet Connected Software Defined Vehicles sufficiently secure?

Securing connected vehicles is a critical concern for the cyber security industry, auto makers and suppliers, third party fleet management providers, 5G network providers, and 5G device makers — all of which are involved in various aspects of the Internet Connected Software Defined Vehicle ecosystem. To tackle this multifaceted challenge, the automotive industry is taking a comprehensive approach, with a focus on cyber security, standards, architecture, communication protocols, and the perspectives of auto manufacturers.

Where are we really when it comes to Software Defined Vehicle cyber security?

1. Cyber security focus:

  •    The U.S. places significant emphasis on Software Defined Vehicle cyber security, with the automotive sector and its partners actively engaged.
  •    Events like the Annual Automotive Cybersecurity Detroit Conference bring together key industry stakeholders, including manufacturers, government bodies, standards organizations, and Tier 1 suppliers.

2. Automotive standards for cyber security for the lifecycle of Software Defined Vehicles:

  •    ISO/SAE provides essential standards for cyber security engineering in road vehicles.
  •    ISO/SAE 21434:2021 offers a comprehensive framework for managing cyber security risks throughout the vehicle lifecycle, from concept to decommissioning.

3. Auto maker perspectives:

  •    Auto manufacturers face complex challenges in ensuring Internet Connected Software Defined Vehicle safety, cyber security, and privacy throughout a vehicle’s lifecycle.
  •    Key considerations include evolving threats, increased connectivity, complex software ecosystems, Over The Air (OTA) updates, telematics, and data privacy.

What are the remaining challenges in these dynamic and complex systems?

1. Evolving threat landscape: To protect people from evolving vehicle threats, we must continually evolve threat prevention initiatives, which can be tough.

2. Increasing connectivity: Extensive vehicle connectivity expands the attack surface, requiring robust security measures at all entry points.

3. Complex software ecosystem: Managing and securing diverse software components in modern vehicles is essential to prevent vulnerabilities and compatibility issues.

4. OTA updates and patch management: Secure delivery and installation of OTA updates necessitate establishing secure channels and ensuring update authenticity and integrity.

5. Software defined vehicles: The concept of Software Defined Vehicles introduces further security considerations in regards to safeguarding software integrity; not only for auto makers, but also for third party providers of infotainment, telemetry, mapping software, etc.

6. Telematics and data privacy: Telematics systems raise privacy concerns, demanding secure data handling and transmission.

7. Collaboration and standards: Industry-wide collaboration and standards are crucial to effectively address Internet Connected Software Defined Vehicle cyber security complexities and challenges.

Addressing these complexities requires continuous investment in cyber security research, rigorous testing, partnerships with experts, and adherence to industry best practices to ensure the safety, security, and privacy of Internet Connected Software Defined Vehicles.

Can you explain Over The Air (OTA) updates for Software Defined Vehicles?

The hallmark feature of a Software Defined Vehicle is the capacity for Over The Air (OTA) updates. OTA updates are essential for keeping the vehicle’s software up-to-date (similar to patch management for computer systems). These updates are facilitated through the vehicle’s Vehicle Identification Number (VIN) and are applicable to both traditional and electric vehicles.

They are delivered in various ways, including through embedded 5G or tethering with the owner’s mobile device. OTA updates encompass infotainment system enhancements, security updates, feature improvements, and system fixes. Communication during OTA transactions involves data exchange between the vehicle, the auto manufacturer, and third parties, and integration with the vehicle owner’s mobile application and customer web portal.

Can you provide some recommendations to help protect my Internet Connected Software Defined Vehicle?

You can take steps to dramatically reduce the risk to your Software Defined Vehicle as it relates to safety, security, and privacy.

1. Protect the mobile devices connecting to your Software Defined Vehicle with a mobile threat prevention tool, like Check Point Harmony Mobile. If you are connecting your mobile device to your Software Defined Vehicle, you need good mobile threat prevention to block malicious applications, smishing, malicious links, and to defend against man-in-the-middle attacks. And be sure to extend mobile threat prevention to any devices connecting to your 5G mobile WiFi hotspot and/or your vehicle’s embedded 5G mobile WiFi hotspot.

2. Conduct a thorough review of your security and privacy settings for your Software Defined Vehicle. Typically, this is done from your vehicle’s command center, mobile application, and online vehicle portal. Understand security and privacy settings, as well as the cadence for security and privacy-related software updates. Limit the amount of information that you share with your auto manufacturer and third parties. Again, your VIN is privileged information and so is your vehicle location.

3. Securely manage your vehicle mobile application. Software Defined Vehicles come with a mobile application associated with the car’s VIN, enabling the owner to view vehicle location and system status, to request roadside service, and to inform maintenance programs of issues.

Review your mobile application settings and privacy warnings. Know that in many instances, the Software Defined Vehicle owner has limited control of the settings regarding what information is to be shared with the auto maker and its designated third parties. From a physical security perspective, never remote start your vehicle with your mobile application unless you have control of your vehicle’s physical security.

4. Manage the internet connectivity to your Software Defined Vehicle. Only you should determine when your vehicle accepts Over the Air updates. Whether you synchronize your 5G mobile device to your Software Defined Vehicle or have onboard embedded 5G, your vehicle will seek to connect when there is an internet connection available. Many vehicles support software updates over all available communications methods: embedded 5G, Bluetooth and WiFi.

Make sure you allow automatic software and feature updates only when your vehicle is idle.

Note: Not only does your vehicle want to auto-initiate system and security updates, but it also runs third party software that wants to auto-install feature and security updates. These third party software sources all have potential vulnerabilities. In the case of my 2023 Ford F350, there are 30 pieces of open source software on board this vehicle.

5. Use Multifactor authentication on your Software Defined Vehicle online portal. Enough said!

6. Mind the physical security of your Software Defined Vehicle. Park your vehicle in well-lit and secure environments if possible. If you have a vehicle on the “most wanted” list, apply the security fixes, park in a garage or in another secure environment. Always use situational awareness. If your vehicle is one that has vulnerabilities, get the fixes or get a wheel lock put in place. Some of the auto makers are providing these for vehicle owners.
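The OTA points raised in the interview (a secure channel, update authenticity and integrity, and the owner deciding when a package is accepted) come down to a small set of checks an on-board updater should make before installing anything. The Go program below is an added example for this page; it is not code from Check Point, from the interviewee, or from any auto maker. The manifest format, the SignManifest and VerifyUpdate functions, the VINs and the firmware bytes are all hypothetical and constructed for the example. It shows the order of checks that matters in practice: an Ed25519 signature by a key pinned in the vehicle, then VIN targeting and anti-rollback decided only on authenticated data, then a SHA-256 check on the payload itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata an OEM ships with an OTA package (a hypothetical
// format for this example, not any manufacturer's real one). The Ed25519
// signature covers the JSON encoding of every field except Signature itself.
type Manifest struct {
	Version   uint64 `json:"version"`    // monotonically increasing per component
	TargetVIN string `json:"target_vin"` // the one vehicle this package is for
	Component string `json:"component"`  // e.g. "infotainment", "telematics"
	SHA256    string `json:"sha256"`     // hex digest of the payload
	Signature string `json:"signature,omitempty"`
}

// VehicleState is what the updater pins at manufacturing time: the OEM's
// public key, its own VIN, and the newest version already installed.
type VehicleState struct {
	OEMPublicKey     ed25519.PublicKey
	VIN              string
	InstalledVersion uint64
}

var (
	ErrBadSignature = errors.New("manifest signature invalid or not by the pinned OEM key")
	ErrWrongVIN     = errors.New("manifest targets a different vehicle")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrHashMismatch = errors.New("payload digest does not match the signed manifest")
)

// signingBytes returns the exact bytes the signature is computed over.
func signingBytes(m Manifest) ([]byte, error) {
	m.Signature = ""
	return json.Marshal(m)
}

// SignManifest is the back-end side: bind the payload digest into the
// manifest, then sign the manifest with the OEM's private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest, payload []byte) (Manifest, error) {
	sum := sha256.Sum256(payload)
	m.SHA256 = hex.EncodeToString(sum[:])
	msg, err := signingBytes(m)
	if err != nil {
		return m, err
	}
	m.Signature = hex.EncodeToString(ed25519.Sign(priv, msg))
	return m, nil
}

// VerifyUpdate is the vehicle side. Nothing in the manifest is trusted until
// the signature checks out, so targeting and rollback are decided on
// authenticated fields, and the (possibly large) payload is hashed last.
func VerifyUpdate(v VehicleState, m Manifest, payload []byte) error {
	sig, err := hex.DecodeString(m.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	msg, err := signingBytes(m)
	if err != nil {
		return err
	}
	if !ed25519.Verify(v.OEMPublicKey, msg, sig) {
		return ErrBadSignature // forged, or an authenticated field was edited
	}
	if m.TargetVIN != v.VIN {
		return ErrWrongVIN // a package captured from another car cannot be replayed here
	}
	if m.Version <= v.InstalledVersion {
		return ErrRollback // a validly signed but older (vulnerable) build is refused
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch // payload swapped between signing and installation
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the OEM's offline signing key
	const vin = "1HGCM82633A004352"                   // sample VIN, constructed for this example
	payload := []byte("constructed infotainment image, build 8")

	m, _ := SignManifest(priv, Manifest{Version: 8, TargetVIN: vin, Component: "infotainment"}, payload)
	car := VehicleState{OEMPublicKey: pub, VIN: vin, InstalledVersion: 7}

	fmt.Println("genuine update:     ", VerifyUpdate(car, m, payload))
	fmt.Println("swapped payload:    ", VerifyUpdate(car, m, []byte("malicious image")))
	forged := m
	forged.TargetVIN = "WVWZZZ3CZWE000000" // attacker edits a signed field for their own car
	other := VehicleState{OEMPublicKey: pub, VIN: "WVWZZZ3CZWE000000", InstalledVersion: 7}
	fmt.Println("edited manifest:    ", VerifyUpdate(other, forged, payload))
	car.InstalledVersion = 8
	fmt.Println("replayed old build: ", VerifyUpdate(car, m, payload))
}
```

TLS on the download channel is still needed, but it is not what protects the vehicle when the package arrives through a tethered phone, a third-party CDN or a compromised back end; the pinned-key signature and the payload digest are. The version check is why an owner deciding to defer updates is safe but an attacker replaying a signed older build is not.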