Rubrik Zero Labs’ recent study accentuated several hard truths we think are important and warrant a response from Rubrik’s CISO Advisory Board.
First, let’s confirm what many of us have already discussed: It’s not fun to be a CISO right now. There’s an overwhelming amount of expectation—from the board to business unit owners—to figure out how to grow and use data, but also keep it secure, and figure out what happens when it’s not. CISOs are responsible for the security of data, but often lack the controls around how it's created, stored, and managed at scale.
The truth is that cyberattacks are as big a threat as ever, if not bigger. Meanwhile, data is growing and diversifying at such a rapid clip that it’s a monumental task just to get your arms around how much there is and where it is—not to mention figuring out how vital it is (or isn't) to the business.
Then there are the recent artificial intelligence breakthroughs. AI will likely help solve some of today’s issues, but AI also places enormous pressure on CISOs. First, AI is completely dependent on data. This puts an even greater emphasis on being able to protect data. Second, AI is a key factor in an already growing problem: AI generates data, lots of it, and automatically. How much data, where it sits, and how to protect it—these are all issues that CISOs will need to grapple with. One critique we have of Rubrik Zero Labs’ recent research is that not enough attention was paid to this rapidly growing challenge. Put simply, it’s hard to understand the next five years if we are not deeply studying AI.
The report does focus on optimism and its role in decision-making. CISOs aren’t always known for being an optimistic bunch. Despite the recent focus on cybersecurity at the top organizational levels, these same organizations—if not in their words, then in their actions—tend to be overly optimistic about their future. Organizations might have board-level discussions about cybersecurity, but cybersecurity teams remain challenged by resources and talent while tackling larger and larger challenges. For instance, the benefits of AI are at the forefront of everyone’s mind, but who has their finger on the pulse of the downsides of limitless data creation and what that means for cybersecurity? If it’s not the CISO now, it will be shortly.
Additionally, as CISOs grow in visibility, they’re often asked to evaluate and make decisions well outside their core expertise, decisions they are often ill-equipped to handle on their own. This trend is likely increasing with recent SEC changes and DORA expansion.
Given all of this, how is today’s CISO going to manage all these factors and protect their organization a year or five years down the road? A hard truth: if CISOs stick to what we’ve been doing, we won’t. There will simply be too much data in too many places, without enough capability and visibility to secure it properly. However, if we make a few small changes now, we can be in a fundamentally different position. As Rubrik’s CISO Advisory Board, we believe this research points to actionable areas demanding a CISO’s attention to shape a better future.
These are our recommendations.
How you see your data shapes the decisions you make about it. To make quality decisions about protecting your data, you should know (1) how much data you have, (2) where it is, and (3) how important it is to the organization. The scale and diversity of data make this a tall order, especially across hybrid environments.
If you answer these three questions now—How much data do we have? Where is it? How important is it?—you create options and speed for when you will need them most. If a breach occurs and you’re unsure what data was affected, let alone how important it is, you will spend significant time answering these questions in moments when time is a luxury and resources are scarce. Understanding the lay of the land for your data before a crisis will speed up response times and demonstrably improve the quality of crisis decision-making.
It’s becoming increasingly clear that complete prevention, the goal behind standard infrastructure and perimeter security, is one we’ll never fully achieve. Even the most secure organizations have been compromised, and that means any of us can be compromised.
Accepting this fact actually puts CISOs at an advantage. If organizations adopt an “assume breach” mentality, then we lower the goal from pie-in-the-sky to something more achievable. The question goes from “How can we prevent anything bad happening ever?” to “How can we limit the impact of a negative outcome and work as quickly as possible to rectify it?” This is a much more achievable standard to maintain.
As the report’s recommendations suggest, you can reduce the amount of data you need to protect. With less data to protect, you have a better-defined scope of protection and also save money and time should you need to recover that data. This also allows for higher levels of protection for more critical datasets and application workflows. This sounds simple (and it is), but it creates room to maneuver when bottlenecks are tight.
Democratize Security Decisions
CISOs are strapped for resources (let’s tell you something you already know!). We’ve all seen the statistics on the talent shortage at virtually every conference or forum. What gets less attention is the growing scope of the CISO role and the respective teams. Executive leadership and boards want to know how secure the business is, but they also want to know the business impact of a breach. Evaluating and managing risk shouldn’t land solely in the lap of the CISO. Today’s CISO needs to be proactive in partnering with colleagues to assess different scenarios, assign decision owners, and work on resolving the associated risks.
Convincing colleagues to contribute to an effort outside their traditional role can be a tough sell. But that’s why reports like this from Rubrik Zero Labs are important. It’s one thing to paint a picture of astronomical data growth. It’s another to put a number behind it and ask a colleague, “How is this going to affect our cloud cost in the next five years?” Making the issue and the risks real will elicit the right reactions and allow for meaningful, shared paths forward. It also creates situations where multiple leaders own different data security decisions and the subsequent risk management.
Once the CISO has a combined team plan, everyone is in a better position to make the right decisions for their respective teams and to understand who owns each decision and why, and the overall organization is in the best position to protect its data.
Prepare for AI
We can debate if AI is overhyped at the moment, but it’s an unavoidable technology. It has profound benefits for attackers and defenders alike.
The CISO at any organization must plan for the right use cases for AI within their organization, specifically in cybersecurity and data security capabilities. Generative AI, in particular, is well suited to a number of automation and efficiency tasks defenders struggle with today. CISOs should find, and share, the best use cases as well as failed efforts. Along with defense, the CISO’s task includes anticipating the most likely ways attackers can use the same technology to overcome infrastructure security measures that previously limited their actions. We must also think through how AI can be used to understand and leverage stolen data if an attacker is successful.
As you’re aware, the CISO role is evolving, sometimes faster than we’re prepared for. But by following these recommendations you can head off some of the risks headed your way while enabling your business to be not only more security-minded, but simply smarter about its data overall. We look forward to taking this journey together and sharing more lessons learned.