ISMG Editors: How Will the Role of CISO Evolve in 2023?
Also: Community Impact of Hospital Ransomware Attacks; Cybersecurity Market Trends
Anna Delaney (annamadeline) • December 9, 2022
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including the evolution of the CISO role, ransomware attacks targeting hospitals and their regional impact, and trends in customers' buying behavior.
The panelists - Anna Delaney, director, productions; Tom Field, senior vice president, editorial; Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity; and Michael Novinson, managing editor, business - discuss:
- Highlights from an interview with former CISO David Pollino about how the role of the CISO will evolve in 2023 into a true executive-level role within more organizations;
- Recent ransomware attacks targeting a trio of Brooklyn safety-net hospitals and how shutdowns affecting electronic health records, patient portals and other systems have led to criticism for lack of transparency from the community;
- A roundup of recent earnings calls and what vendors including CrowdStrike, Okta, Zscaler and SentinelOne are seeing when it comes to customers' buying behavior, especially among the small- to medium-sized business segment.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Nov. 25 edition discussing the rise of info-stealing malware and the Dec. 2 edition discussing how the Twitter breach may be worse than advertised.
Anna Delaney: Hello, welcome to the ISMG Editors' Panel. I'm Anna Delaney, and this is our weekly conversation between members of the editorial team around some of the top themes and stories in the industry right now. This week I'm delighted to be joined by Tom Field, senior vice president of editorial; Marianne Kolbasuk McGee, executive editor of HealthcareInfoSecurity; and Michael Novinson, managing editor for business. Great to see you all. Tom, it's been an interesting year for the CISOs, has it not? Two contrasting yet important news stories dominated the headlines this year, which will no doubt, we think, continue to impact CISOs in 2023. I know you had a chat recently with our good friend David Pollino, former CISO of PNC Bank, of course. You discussed how the role of the CISO might evolve next year.
Tom Field: Yeah, and as part of our year-ahead conversations, talking with some of our global advisors, I spoke with David about the CISO role, about the stories that have had the most impact this year; you hinted at those. I'm sure you're talking about Joe Sullivan, and about Mudge, and what we've heard about security practices at Uber and Twitter and the repercussions. David makes the point that usually when stories such as these come up, the CISO community walks off to one side of the story. That wasn't the case with these. They weren't the only big influential stories in a year full of big influential stories. So we talked about that in this interview. I also asked him how he sees the role evolving further as we go into 2023, just some days from now. So I'd like to share an excerpt of David's response when I asked him about the evolution of the CISO role.
David Pollino: For many years, CISOs have continued to struggle to do the best they can with limited resources. I mean, let's face it, security professionals have to be right all the time, where the criminals only have to be right once to be able to have a significant incident or breach. The Joe Sullivan, the Uber as well as the Twitter cases have just highlighted the fact that, exactly what CISOs are doing. In some cases, not necessarily adequately funded in the organization, maybe not well-positioned in the organization, not having the right level of influence, as well as shining the light on some of the incentives that go around the business that do not always promote the best behavior for security executives. So I think what we'll continue to see is the security role - not being part of IT - which has been the trend for quite some time, but also maybe it being a real executive-level role. Most companies will have some sort of executive committee, some sort of senior leadership team with the top-ranking executives of the team or of the company; I think more you'll see that CISO being promoted to that particular organization. I think DocuSign is one of the companies that kind of was getting out there and elevating that role ahead of many others, as well as more regular communication with board members and higher expectations for board members to be conversate on security issues.
Field: There you go. Can I tell you, Anna, this is reminiscent and Marianne I bet you remember this as well? You go back a few years, and we'll say how many; but you go back a few years, and we're having these exact same conversations about the CIO, and how the CIO had to get out of the basement so to speak, and leave MIS behind and have a legitimate seat at the senior executives table. What goes around comes around, we're having those conversations about the CISO now.
Delaney: Do you know that the Joe Sullivan case has come up in virtually every roundtable that I've moderated in the U.K. since the verdict? It's generally such a heated discussion. Is that the same in the U.S., Tom?
Field: It is, and it reminds me of almost 10 years ago, after the Target breach, anywhere you went in the world, whether there was a Target store there or not, you would have the conversation about Target. That's because that was the first time a business executive was held accountable for a breach. Comparable here. The first time we've seen a CISO held accountable for actions taken or not taken during a breach and this has repercussions. This is something that people ask what you're thinking about and wondering if when things go bad, whether their company truly has their backs.
Delaney: Let's see what 2023 brings. Well, thank you, Tom.
Field: You will have many opportunities to have these conversations. Things you can't even imagine now.
Delaney: Yeah, for sure. Marianne, what is the latest when it comes to hospital ransomware attacks?
Marianne Kolbasuk McGee: I was at the HIMSS Cyber Forum in Boston this week. There's a variety of different themes that kind of popped up as I was speaking with a variety of various healthcare security leaders from across the country, but then also listening in on some of these sessions. When it comes to the hospitals and ransomware attacks, some of the conversations sort of focus on not only the lack of preparedness that many organizations still have to deal with ransomware attacks, they do prepare for some outages that might occur, whether it's like an update of software, or maybe some kind of glitch, but then the systems are up again, in a few hours, or maybe a day or so, and people can kind of transition back and forth. But the problem still, for many entities when they experience a ransomware issue, where systems could be down for weeks, or maybe even months, when it comes to electronic health records and e-prescriptions and patient portals, so on and so forth, is that they're not prepared for these long outages. Their patients certainly aren't prepared to be disrupted in terms of maybe having appointments scheduled, rescheduled or postponed or cancelled, but the area hospitals are not prepared, and that the hospitals should be taking a sort of a broader approach to incident response to not only become more comprehensive and well-rehearsed, if something happens to their organization, ransomware attack directly hitting them, but what happens if a hospital in the region has an incident and we've seen lots of that. The area hospitals often wind up unexpectedly accepting diverted patients from ambulances, they might get transferred out of a facility if they're needing to receive some sort of care to all of a sudden this other hospital because they're hit, and they don't have access to EHRs can provide. But just transferring these patients over creates a new bowl of problems for these regional hospitals. 
I was speaking with Christian Dameff, who is an emergency physician at a clinical informatics at the University of California, San Diego. He's studied the impact of the ransomware attack last year on Scripps Health in San Diego. He was saying that hospitals if they do have an incident response plan, great, make sure they're updated, but you have to expand into this whole idea of regional thinking. He says that it's not uncommon. All hospitals have to have some sort of plan for like mass casualties, an unexpected surge in patients because if there was some sort of physical crisis or catastrophe or accident, or God forbid something else, but when a neighboring hospital has a ransomware attack, and you're seeing the surge of patients, suddenly, you might not be able to access any of that patient's recent or prior history in terms of their medical records, because that other hospital has been cut off, they're not able to share, and then in the bigger picture, there could be a situation where cloud-based service providers in the area are unable to provide imaging data, they might be unable to calculate these complex calculations for cancer treatments, radiation treatment, chemo, other things like that. So, you're not only getting a surge in patients, but you're going to be cut off from getting their information. It's pertinent looking ahead for these hospitals to be thinking more broadly, in their incident response plans. Again, Dr. Dameff's thinking is that it's a mistake to just think of ransomware response, like a mass casualty sort of incident, because it's beyond that. There's many more nuances that need to be recognized. So I thought that was interesting, because, again, we're seeing so many of these incidents, and then you do hear about the impact that it has on a region.
Delaney: While tough times, but as you say, regional thinking sounds positive. So hopefully, there'll be some improvements there. Moving on, I think you're going to be sharing a roundup of recent earnings calls and what vendors are seeing when it comes to customer buying behavior. Tell us more.
Michael Novinson: We've heard over the past week and a half, we've heard from the largest vendors outside of the network firewall space we've had, we've heard from the CEOs of CrowdStrike, Okta, Zscaler. Then most recently, SentinelOne about what they've seen over the past quarter. One topic was on the mind of the entire investment community, and that is the impact of the economic slowdown on these large, important security companies. Certainly some similar themes across all four of those, some nuances and some areas of difference as well. So one thing that we are hearing consistently was in the small and mid-sized business space, that there seemed to be a pause on spending, that they're more cost-conscious, that security would make up a larger percentage of their budget. Companies were either delaying purchases or in some cases, particularly as SentinelOne highlighted, some scaling back of purchases. It's not, of course, that they're not going to have a firewall or they've not had the antivirus software, but maybe some of the additional modules. I know Tomer Weingarten of SentinelOne had brought up things like remote script execution or endpoint firewall controls or endpoint management, and some of the modules for that where buying activity slowed down a little bit. People are still getting their endpoint protection to EDR, maybe they don't do these add-on modules. The impact seems to be less at the large enterprise area. That's largely in part, or that's in part, because security is going to make up a smaller percentage of the overall budget for larger companies, as well as the fact that more of the spending is driven by regulatory or compliance requirements. So there's less flexibility there. So what we've seen at the large enterprise is, some companies are choosing to focus more there.
SentinelOne was talking about that when they look at their pipeline of prospects, they're trying to put focus on the Fortune 500 and the Global 2000, which is a little different than them historically. They have made a name for themselves in that mid-market, and even into that SMB space, with CrowdStrike further up market, they want to focus on. The large enterprise, they feel the spending there is going to be more predictable right now. Then also there is a push from all of these companies, what all these companies do is they're constantly rolling out new modules and new capabilities, that they're trying to get larger deals with more modules on there. I know Zscaler talked about this. That's something that's very important to investors. It's a metric called net retention rate, which essentially, they want to see the number, investors want to see north of 120%. So essentially it means that if an existing customer spent $100 with you in 2022, then they're going to spend 120 in 2023, which is either adding on more users or, in an environment like the current one where people aren't hiring as much, it's about upselling to existing customers; that's easier than landing that new customer. So our companies are focusing more on that large enterprise space and trying to find ways to minimize the impact, but big picture, I mean, everybody made it clear, except maybe for Twitter under Elon Musk, people aren't walking away from security. There's a need for security technology. It's a question on the margins. Do we buy this ancillary capability now? Or do we wait six months or 12 months? Do we buy additional seats now? Or do we wait until we hire people to fill those seats? That's where we're seeing most of the activity.
Delaney: Really interesting trends, Michael, and I'm just curious to very briefly pick up on something you mentioned yesterday. When you were asked to define 2022, you said it is the year of profitability. Just tell us your reasoning or talk to us about your reasoning there.
Novinson: Of course. So these companies - all four of them - have historically lost money hand over fist and investors are okay with that, because they were growing 50-70, in the case of SentinelOne over 100% year-over-year, and the feeling was eventually they'll grow the way to profitability the same way that Amazon did. But this year, the investor community is different. I've heard more discussions over these past 12 months than I've heard it over the past few years combined, in my experience covering technology about path to profitability, controlling costs, managing headcount growth, operating margins, and non-GAAP profitability, GAAP profitability, and trying to find a way if none of these companies are making money on a GAAP basis right now, making it clear to investors even SentinelOne who's lost the most money, they're saying that they expect to reach GAAP profitability in 2024, which is a pretty steep shift for them. So I think all these companies realize that investors will not sustain losses indefinitely, and they've had to make some pretty drastic shifts to their plans to accommodate the investor community.
Delaney: Appreciate these insights, as ever, Michael, thank you. Finally, as the festive season is upon us, I'm going to use Charles Dickens' A Christmas Carol, as an inspiration of this next question. If you recall from the story, Scrooge is visited by the ghosts of Christmas past, present and future. So this week, I want to know who would be your ghost of cybersecurity past. What historical figure has influenced or shaped the industry, in your opinion?
Field: I'm going to go with Steve Katz, who was the world's first CISO. He was appointed CISO at Citi back in 1995, I think, and there are still generations of security leaders in power now that learned from him, learned with him. I think the impact he had on security, and still has on the industry, is tremendous. If I'm going to be visited by one ghost at the start of the evening, I think Steve Katz would be a good race to have in the room.
Delaney: Good choice. Michael?
Novinson: I'm going to take my inspiration from the business community. To be clear, these people are very much alive, but they are former CEOs - two notable ones - John Thompson, former CEO of Symantec in the 2000s. Then David DeWalt from McAfee and FireEye for a number of years, from the mid-2000s to the mid-2010s. They saw the need for consolidation in this industry; they tried to make moves to do that financially, combined with Veritas under Thompson. When with DeWalt, he sold McAfee to Intel to try to put security on the chip, tried to combine FireEye and Mandiant in order to bring the product side together with the services and the IRM consulting. None of these worked, all of these acquisitions gotten done. I think it speaks to the challenge in trying to consolidate, that innovation tends to happen in smaller, more focused companies. Even though customers have been saying forever they want to buy from fewer vendors, it's hard to have a broad platform that's also cutting edge on innovation, a challenge the current crop of CEOs are trying to tackle today.
Delaney: Like it. Thank you, Michael, and Marianne?
McGee: I am going to say Barnaby Jack, the late Barnaby Jack, who is or was an ethical hacker, and people kind of along those lines that are still alive and well and hacking things. I think it's important. He did some innovative work early on in terms of hacking ATM machines, and some medical devices. I know, ethical hackers are kind of controversial, but I think they kind of keep companies honest. Hopefully they'll find problems before the bad guy does. I think there's a lot to be said for that.
Field: If your Christmas tree lights go out this year, it's Barnaby.
Delaney: I'm going to go back in time to Ada Lovelace, the daughter of Lord Byron, who wrote the first computer program in the world. So essentially, before, even the first computer was designed, maybe the industry wouldn't have even existed without her. Let's say that. Stay tuned for the ghost of cybersecurity present next week. Tom, Marianne, Michael, this has been such a pleasure. Thank you so much.
Field: Thank you. Have a good week.
Novinson: Thank you.
Delaney: Thanks so much for watching. Until next time.