The Humble CISO

If 2021 has taught us a few lessons, then the one I would like to stress on this last day of the year is that we will do a much better job at keeping our organizations safe if we approach the task with full appreciation of its tremendous difficulty.

The past year taught us that you can have all your information security policies in order, have a tight control over your human resources and assets, you can be wide ahead of the game in applying cryptography, your business continuity management is first class, your compliance is something that comes out easily, almost as a side product of the overall high level of security in your organisation, and you even found a way to get a grip on the most challenging thing of all: user access management.

And then, highly evasive attackers come and leverage your supply chain. Or the supply chain of one of your suppliers. This year saw some of the most sophisticated and protracted intrusion attacks of the decade: SolarWinds got hacked, a sophisticated supply-chain attack on Kaseya distributed ransomware across its customers. A hacker group in China infiltrated governments and small businesses for months. The Israel NSO Group staged a mind-blowing, chilling, highly sophisticated attack on iMessage, turning a mundane exploit of an integer overflow within the 30+ years old JBIG2 image decoder into a logic gate emulator that serves as a mini yet full-featured “virtual machine”.

All of this shows the intrinsic limitations of the human mind and our current approaches to the task. So, for 2022, the main challenge might be to learn How to Become Very Humble CISOs.