Wade Lance is the Field CISO for Synack.
Picture this: You’re seated at a dinner table surrounded by a dozen security leaders. Appetizers are on the way, and the conversation starts to pick up. Your neighbor says something about the Russia-Ukraine conflict, while across the table, a few CISOs engage in a lively discussion about something they read in the Wall Street Journal.
As field CISO for Synack, I’ve attended many such dinners with executives from a range of industries. The events offer a venue to speak frankly about security wins and challenges. Each CISO I’ve met on the road has brought unique perspectives on their most pressing cybersecurity concerns. Without naming any names, here are four themes I picked up on:
Disaster readiness is urgently needed. To say Log4j was a wakeup call would be an understatement. Many CISOs were left scrambling to find on-demand expertise needed to respond to the open source vulnerability that seemed to be everywhere when it first appeared in the news last December. They lacked surge capacity to meet their cybersecurity needs at a critical time, as nation-state threats started exploiting Log4j before their own overworked teams could find and fix it. One idea is to have a relationship with a Pentesting as a Service (PTaaS) partner so that surge capacity is immediately available in the same model that most organizations have with Incident Response partners.
Continuous penetration testing is great (on paper). Wouldn’t it be nice to have someone watching your back, ready to spring into action and find vulnerabilities at the drop of a hat? Sure, but is continuous pentesting really possible, let alone affordable? Getting to a place where top security researchers are constantly assessing their networks can seem like a mirage for organizations struggling to find cyber talent to fill 9-to-5 roles. But continuous development requires a new approach to security testing, so security leaders are looking at their options.
Auditors can be as motivating as malicious hackers. In 2022, it’s a truism that compliance does not equal security. CISOs understand that divide, but that doesn’t make it any easier to navigate. They need to keep auditors happy and keep hackers at bay if they want to stay off the front page of the Wall Street Journal as the next victim of a major hack. That means scaling security teams to juggle both shifting regulatory requirements and constantly evolving cyberthreats. Easier said than done.
Ditch the swag. OK, I’ll admit this one hurt a bit to hear. I love a YETI tumbler as much as the next security pro. But I also understand why CISOs–who know what’s at stake in our cyberthreat landscape–aren’t itching to wear branded socks or apply a Synack patch to their suits. This is a serious business!
…
By the time I steer the conversation back to Synack, I’ve heard fascinating and sometimes provocative viewpoints from the people on the front lines of security leadership. (At one dinner, I was flabbergasted when I heard an executive claim, “We’ve never had any breaches and don’t really consider ourselves a target.”) Here’s what Synack brings to the table:- Surge capacity. For the Log4js of the world, our global Synack Red Team of 1,500+ elite security researchers stands ready to bridge the cyber talent gap, augmenting your own organization’s infosec capabilities when major vulnerabilities drop. But this relationship needs to be in place before the next new vulnerability is discovered to engage researchers immediately, instead of waiting to get through the onboarding process with a new vendor.
- Diverse perspectives. Synack Red Team members hail from over 80 countries and bring a depth of knowledge that can’t be replicated by in-house pentesters. Your diverse security needs call for diverse answers that just aren’t available from smaller, local teams.
- Continuous and on-demand pentesting. Our Synack Platform is a one-stop shop where you can harness the talent of our Synack Red Team to find and remediate vulnerabilities that matter, generate clear, actionable reports, check off security tasks to assist with compliance and scale up tests as needed to keep up with your software development process.
Related reading: CISOs and Boards Come Closer to Seeing Eye-to-Eye • Cybersecurity Needs To Be on Every Board of Directors’ Agenda • Banking on Synack: Success in Financial Services Security
