Welcome to the first edition of Voices of the Market!
Voices of the Market is a new Wing blog series that helps founders understand what C-level officers at large enterprises are thinking about, prioritizing, and working on. Wing has an extensive network of senior executive relationships built through our primary research, exclusive summits, and startup financings, and our intent for this series is to provide unique insights and unfiltered visibility into the mindsets and views of B2B decision makers.
In this first edition, we focus on cybersecurity. Last week Wing held the fourth annual Wing Security Summit, with Chris Inglis, National Cyber Director for the United States, as keynote speaker and 180 CISOs attending on an invite-only basis. In addition, Wing held 36 research meetings at RSA Conference 2022 with CISOs from Fortune 500 corporations and new tech unicorns.
What are CISOs focused on? What are top priorities, and what are the biggest uncertainties? We divide this post into eight sections, each of which includes selected, anonymized quotes from CISOs. The sections are: cyber incident reporting, public/private partnership, software supply chain, small- and mid-sized businesses, cloud, minimum security standards, cyber insurance, and Ukraine War.
1. Cyber Incident Reporting
A prominent topic on the minds of CISOs was the upcoming regulation of cyber incident reporting. CISOs generally agreed that the regulations come from “good intent,” since the government could benefit from visibility into nation-state and cyber-criminal activity. At RSAC, Michael Philips pointed to a “data gap.”
However, we also found significant concerns about the specifics: what is a reportable incident, to whom is it reported, and when does the shot-clock start? In addition, we found skepticism about whether the government can, or will, actually turn the reports into benefit for itself or for the CISO community.
- “What constitutes an incident, how many places do I have to disclose to, and how do I decide when to start the clock?”
- “Reporting something that you do not understand is a recipe for disaster.”
- “I submit information but never hear anything back.”
- “How will incident reporting scale and will the government be able to handle the large volume?”
- “I spent the weekend reading the SEC rules and realized that it was written by someone who has never been in the thick of an incident.”
2. Public/Private Partnership
On a broader basis, CISOs expressed positive yet uncertain views on the partnership between the public and private sectors. CISOs overwhelmingly commended the federal government’s security leadership under Chris Inglis, Jen Easterly, and Anne Neuberger, as well as the associated new initiatives in partnership with companies and CISOs.
Questions arose, though, on the government’s use of “carrots vs. sticks” - collaboration vs. enforcement - and on the lack of harmonization across government agencies. A few CISOs also voiced concern that CISOs could be hit with unexpected personal liability. As stated by Steve Zalewski, “every CISO needs to make sure the CISO title is covered in their company’s D&O policy.”
- “There is an inherent tension. How do you have a partnership with your regulator?”
- “Where is the government our partner, and where is the government our overseer? The answer is both, but I’d like to know the circumstances under which I am in each.”
- “I feel like a hockey goalie with no defensemen on the ice. I don’t feel like I have a lot of government help but I’ve got a lot of oversight.”
- “Every 3- or 4-letter agency has different cybersecurity questions, audits, and assessments. How can we make these more consistent and ease the reporting burden?”
- “There has been a flurry of regulatory activity, often with bespoke methods by individual agencies. Why aren’t we using a standard process or framework?”
- “When will oversight lead to punitive action, and will CISOs be increasingly held personally liable?”
3. Software Supply Chain
With SolarWinds, Kaseya, and now Log4j, the software supply chain was a key focus area for CISOs. Many CISOs agreed that the SBOM (software bill of materials) is a starting point, although several questioned whether SBOMs would be effective and feasible in practice. On a broader point, one CISO questioned whether the software supply chain should be viewed as a problem that can be solved at all.
- “Are SBOMs in a dynamic cloud the solution to combat supply chain security challenges and threats?”
- “SBOM will not be able to capture the edge cases in which vulnerabilities actually occur in practice the most frequently.”
- “Supply chain is a predicament where you mitigate risks, not a problem where you reach a solution.”
- “What is the integrity of code along the supply chain, and what is the ability to quickly determine vulnerabilities as the supply chain becomes more complicated?”
- “Is the government open to creating a government-sponsored testing of supply chain companies’ application controls and building a UL Lab type certification process?”
4. Small- and Mid-sized Businesses
Numerous CISOs drilled into the structural security risk in small- and mid-sized businesses. Collectively, SMBs present a larger attack surface than large enterprises, yet each has far more limited security resources and budgets. Wendy Nather and Jeetu Patel re-emphasized at RSAC the need to lift everyone above the “cybersecurity poverty line.”
- “What more should we be doing to help small and medium organizations that are part of critical infrastructure in light of the rise in supply chain cyber-attacks?”
- “What is the equivalent of Social Security or the Small Business Administration for small businesses in cybersecurity?”
5. Cloud
Continued cloud growth and migration was another key topic for CISOs. Multi-cloud and hybrid-cloud security was a “top three” issue for numerous CISOs in our conversations. There was also the now age-old debate on whether the cloud is more, equally, or less secure than on-premises infrastructure.
- “Cloud providers’ CISOs are building great security solutions but cloud services are still in stovepipes. What are cloud providers’ responsibilities in multi-cloud security?”
- “Cloud risk is amplified because you have the ability to design cloud security that is more assurant and automated but conversely you have the ability to flip one feature flag and remove all the security.”
6. Minimum Security Standards
A few CISOs debated the government’s role in setting minimum security standards, primarily through federal contractor requirements for commercial hardware and software systems. MFA was a specific topic of debate.
- “Saying to the world that you have to implement MFA is insufficient. MFA is not a destination, it is a demarcation.”
- “What is the ideal role of the federal government in ensuring minimum quality and security by software and hardware design standards?”
7. Cyber Insurance
Cyber insurance was an ‘animated’ conversation among CISOs. Insurance companies have materially adjusted their approach to cyber after a series of ransomware payments and claims over the past few years. CISOs in our conversations were at times exasperated by the process and the challenge of obtaining cyber insurance coverage.
- “Are we going to an automotive OBD II model for cyber insurance?”
- “What went wrong with cyber insurance and can it be a force for positive change?”
- “CISOs are complaining about the process. The fear is that claims reimbursement will be curtailed through the rise in survey questionnaires.”
8. Ukraine War
US corporations have yet to see a substantial increase in Russian-backed cyber attacks in response to US support for Ukraine. Topics with CISOs included whether and when the attacks would increase, and why they have been muted thus far. A few CISOs questioned where the boundaries lie for US government intervention in US corporations’ infrastructure - on behalf of those corporations but without their express consent or knowledge.
- “How do you manage technology teams in a war? My team did not sign up to be in essence in the military but we are in effect now.”
- “CISA has socialized their Shields Up campaign to emphasize a higher level of vigilance and preparation should cyber activity increase. Do you anticipate a time when the shields will metaphorically come down?”
- “What are the boundaries of acceptability for the FBI’s use of Rule 41?”
Security is a unique industry in its joint mission and purpose. Direct competitors work collaboratively with each other, and fellow CISOs know, respect, and partner with one another. The need for innovation and the opportunity to create new legacy companies - the next Palo Alto, the next CrowdStrike, the next Snyk - are only amplified by the themes, debates, and uncertainties at this year’s RSA Conference. One CISO commented to us, “even if the market is taking a hit, security budgets aren’t going down; they are going up.”