CIOs and CISOs: Conflicting Mandates, Shared Goals

The root of the tension between CIOs and CISOs stems from their differing mandates. CIOs are tasked with driving digital innovation, ensuring the smooth operation of IT systems, and supporting the organization’s business goals. On the other hand, CISOs are primarily responsible for securing the enterprise, managing cyber risks, and safeguarding critical assets. This divergence creates friction, as security measures can often be seen as impediments to the CIO’s mandate for agility and speed.

David Gee, who spent decades navigating this dynamic, notes, “The tension is almost inevitable. CIOs are under immense pressure to innovate and deliver new capabilities at speed, and that’s often where the friction with CISOs arises. Security, by its nature, can slow things down.” He points out that while CIOs understand the need for security, they often see it as a secondary priority when compared to digital transformation initiatives. “It’s not that CIOs don’t care about security; it’s that they view it as something that can conflict with the business need for speed,” Gee adds.

CISOs, meanwhile, have a very different perspective. Their focus is on minimizing risk, ensuring compliance, and building a security-first culture. Gee explains, “As a CISO, your job is to protect the organization from evolving threats, and that often means introducing friction. CISOs are the ones who have to say ‘no’ when things move too fast or when shortcuts are taken. That can be difficult for a CIO to accept, especially when they’re measured on how quickly they can deliver new services.”

Despite these conflicting objectives, both CIOs and CISOs ultimately serve the same goal—ensuring the organization’s success. “The challenge,” Gee says, “is getting both roles to recognize that they are on the same team, working toward a shared outcome. Security and innovation don’t have to be at odds; they can actually complement each other.”

Overcoming the Tension: Fostering a Culture of Shared Responsibility

One of the key insights Gee offers for bridging the divide between CIOs and CISOs is the need for shared responsibility. Rather than viewing security as a barrier to innovation, CIOs need to embrace it as an enabler of long-term success. Gee highlights the importance of reframing the relationship between these two roles: “It’s not about one role winning over the other. It’s about integrating security into the fabric of digital transformation from the start. When both sides see security as a shared responsibility, the conversation changes.”

Gee points to his experience at HSBC, where he implemented a strategy to foster collaboration between IT and security teams. Early in his tenure as CISO, he organized a series of cyber briefings for key stakeholders, including the CIO and other senior IT leaders. “It wasn’t just about reporting on risks,” Gee recalls. “It was about creating an open dialogue where everyone could ask questions, voice concerns, and contribute to the solution. When people are engaged and feel like they have a stake in the outcome, they’re more likely to buy into the security agenda.”

Gee emphasizes that transparency and communication are crucial for building trust between CIOs and CISOs. “The biggest mistake organizations make is treating cybersecurity as a siloed function. The CISO can’t be the only person responsible for security, just as the CIO isn’t the only one responsible for innovation. Both need to work together to create a strategy that balances speed and safety,” he explains.

At Macquarie, Gee built on this approach by ensuring that both the CIO and CISO were aligned with the board and executive leadership. “It’s about creating a shared narrative,” he says. “If the board sees cybersecurity as a foundational part of digital transformation, it sets the tone for the entire organization. The CIO and CISO need to be united in delivering that message.” This alignment, Gee believes, is critical in creating a culture of shared responsibility where innovation and security go hand in hand.

Cybersecurity as a Competitive Advantage

One area where Gee sees alignment between CIOs and CISOs growing is in the recognition that cybersecurity can be a competitive differentiator. “In the past, security was often seen as a necessary evil—something that you had to invest in, but that didn’t add direct value,” he explains. “But that’s changed. Today, organizations that can demonstrate strong cybersecurity practices have a significant edge in the market, especially when it comes to earning customer trust.”

CIOs, in particular, are starting to recognize the value of security in building resilient, customer-centric services. “Digital transformation without security is a recipe for disaster,” says Gee. “If you’re rolling out new technologies or services without considering the security implications, you’re not just risking a breach—you’re risking your reputation. Customers want to know that their data is safe, and organizations that can offer that assurance will win in the marketplace.”

Gee points out that this shift in thinking is leading to more productive conversations between CIOs and CISOs. “CIOs are beginning to see that cybersecurity is not just a cost center—it’s an investment in the future. It’s about building trust with customers, protecting the organization’s intellectual property, and ensuring that digital initiatives are sustainable over the long term.”

Collaboration Beyond the Enterprise: The CISO Community

The complexities of today’s threat landscape require collaboration not just within organizations, but across the broader cybersecurity community. Gee is a strong advocate for greater information sharing among CISOs, particularly when it comes to third-party risks. “No organization operates in isolation anymore,” he explains. “We’re all part of a broader ecosystem, and the threats we face are often interconnected. Sharing intelligence and collaborating with other CISOs is essential if we’re going to stay ahead of the attackers.”

Gee recounts his experience attending industry forums, such as the FSI Congress in Singapore, where he and other CISOs discussed the challenges they were facing with third-party security. “We sat down and asked ourselves, ‘How can we protect ourselves collectively?’ It’s not just about protecting your own organization—it’s about working together to create shared defenses. That’s where the power of the CISO community really comes into play.”

This collaborative mindset is something Gee believes should extend to the relationship between CIOs and CISOs. “When CISOs are transparent about the challenges they face, and when CIOs are open to understanding those challenges, it creates an environment where both roles can succeed,” he says. “It’s about building a coalition—both within the organization and across the industry.”

The Vendor Conundrum: Aligning Solutions with Strategy

Another challenge that complicates the CIO-CISO dynamic is the flood of security solutions offered by vendors. While technology is a critical enabler of both digital transformation and security, CIOs and CISOs often find themselves overwhelmed by the sheer volume of solutions being pitched to them. “Every vendor claims to have the ‘silver bullet’ for cybersecurity, but the reality is that no single solution can address all of an organization’s needs,” says Gee.

He advises both CIOs and CISOs to be strategic in their approach to vendor relationships. “It’s about understanding where your organization is in its security journey, and choosing solutions that align with your long-term goals,” Gee explains. He emphasizes the importance of selecting vendors who understand the unique needs of both the CIO and CISO. “Vendors need to recognize that the CIO and CISO have different priorities, but those priorities aren’t mutually exclusive. The best vendors are the ones who can demonstrate how their solution fits into the broader business strategy, not just the security strategy.”

For Gee, the key to managing vendor relationships is trust. “CISOs and CIOs are bombarded with vendor pitches every day, and it’s easy to get lost in the noise. The vendors who stand out are the ones who take the time to understand your challenges, listen to your concerns, and offer solutions that are tailored to your specific needs. It’s not just about selling a product—it’s about building a partnership.”

Embracing a Unified Approach

As cyber threats continue to evolve and the pace of digital transformation accelerates, the relationship between CIOs and CISOs will remain pivotal to enterprise success. David Gee’s insights offer a roadmap for overcoming the natural tension between these two roles, emphasizing the need for collaboration, shared responsibility, and a unified approach to security and innovation.

For enterprise-level CIOs and CISOs, the takeaway is clear: the divide between security and technology is no longer sustainable. By fostering open communication, aligning their strategies with business goals, and embracing a culture of shared responsibility, these executives can not only bridge the gap but turn it into a source of strength. As Gee puts it, “When CIOs and CISOs work together, they’re not just protecting the organization—they’re driving it forward.”

The Extent of the Outage

The outage has had a significant impact, causing major disruptions in various sectors. Financial institutions have reported system failures, preventing customers from accessing their accounts and conducting transactions. Airports worldwide, including those in the United States, Australia, and Europe, have experienced significant delays and cancellations due to the disruption of essential IT systems. Airlines have had to revert to manual check-in processes, causing long lines and frustration among travelers.

Media outlets have also been severely affected. The Australian Broadcasting Corporation (ABC) and several other media organizations have experienced major network outages, affecting their ability to broadcast and publish news. This incident has highlighted the widespread reliance on cybersecurity services like those provided by CrowdStrike.

CrowdStrike’s Response

In an interview with Jim Cramer on ‘Squawk on the Street,’ George Kurtz, CEO of CrowdStrike, addressed the incident. “First, I want to personally apologize to every organization, every group, and every person who’s been impacted by this,” Kurtz said. “We understand the gravity of the situation. This was not a code update; it was a content update that caused an issue only in the Microsoft environment.”

Kurtz explained that the problem was identified quickly and a fix was deployed. “We rolled back the problematic content file, and many organizations are beginning to recover. Systems that can be rebooted are coming back online and working,” he said. However, he acknowledged that some systems might take longer to recover fully, and CrowdStrike is working with each affected customer to ensure they return to operational status.

The Nature of the Problem

Kurtz elaborated on the nature of the issue, explaining that the content update involved a single file that drives additional logic on how CrowdStrike’s software detects bad actors. “This logic was pushed out and caused an issue specifically in the Microsoft environment,” he said. The update led to widespread crashes and the infamous “blue screen of death” on many Windows systems.

When asked why the update was not phased in gradually, Kurtz responded, “Traditionally, these updates go out in a phased approach and undergo extensive testing. We started seeing issues and pulled it back quickly. Not all of our customers were impacted—Mac and Linux systems were unaffected.”

Addressing the Liability and Future Prevention

Cramer pressed Kurtz on the potential liability facing CrowdStrike due to the widespread disruption. “You offered an apology, which to me suggests culpability and potential lawsuits from airlines, networks, and banks. What is the liability facing CrowdStrike?” Cramer asked.

“We have to sort out what that all looks like,” Kurtz replied. “Our focus right now is on our response and getting our customers back up and running. We will do a thorough review of how this happened and ensure it doesn’t happen again. Past that, we’ll deal with any legal repercussions.”

Recovery and Future Measures

The recovery process is ongoing, with CrowdStrike providing detailed guidance through its tech support and blogs. “Many systems are coming back online after a simple reboot, but some may require more manual intervention,” Kurtz explained. “We are working on ways to automate these fixes to minimize manual efforts.”

Kurtz also addressed concerns about the interaction with Microsoft’s systems. “We need to do a detailed analysis to understand the negative interaction with the Microsoft operating system. This includes identifying specific operating system versions or patch levels that were affected,” he said.

Industry Reactions and Expert Insights

Cyber expert Katherine Manstead emphasized the significance of the outage. “This incident highlights the interconnected nature of our digital infrastructure. A single point of failure in a widely used security solution can have ripple effects across multiple industries and geographies,” she said.

Manstead explained that CrowdStrike’s software is integral to many critical infrastructure organizations and major corporations. “CrowdStrike provides security monitoring and detection, which are essential for protecting against cyber threats. In this instance, a bug in their update caused widespread disruption,” she added.

Moving Forward

As organizations work to restore normal operations, this incident serves as a stark reminder of the vulnerabilities in the digital world. It underscores the importance of robust contingency plans and redundancy measures to ensure resilience against such disruptions.

CrowdStrike’s swift response and ongoing efforts to resolve the issue highlight the importance of effective incident management and communication strategies. As the global recovery unfolds, this event will likely prompt a reevaluation of cybersecurity practices across industries to better prepare for future challenges.

“This is a wake-up call for the entire cybersecurity community,” Manstead concluded. “We need to learn from this event and work collaboratively to enhance the resilience of our digital infrastructure. The lessons we take away from this incident will be crucial in preventing similar disruptions in the future.”

Aeon is openSUSE’s “just works” Linux distro based on openSUSE Tumbleweed. Aeon is designed to simplify the process of running and administering Linux.

Aeon uses transactional updates “to provide atomic updates utilising the power of btrfs snapshots. Your system is updated inside a new snapshot leaving your current system unaffected.” As a result of this approach, updates are downloaded and applied in the background without impacting the current system until reboot, at which point the updated system is active. If an update fails for any reason, the updated “snapshot” is discarded and the system continues running.

Continuing its approach of providing a “just works” experience, Aeon’s developers are introducing FDE by default to provide comprehensive security.

Full Disk Encryption is planned to be introduced in the forthcoming release candidate of the Aeon Desktop to enhance data security for its users. The feature is expected to be included in the upcoming Release Candidate 3 (RC3).

Full Disk Encryption is designed to protect data in cases of device loss, theft or unauthorized booting into an alternative operating system. Depending on the hardware configuration of a system, Aeon’s encryption will be set up in one of two modes: Default or Fallback.

The developers outline the Default Mode for FDE’s implementation:

The Default Mode is the preferred method of encryption provided the system has the required hardware. This mode utilizes the Trusted Platform Module(TPM) 2.0 chipset with PolicyAuthorizeNV support (TPM 2.0 version 1.38 or newer). In this mode, Aeon Desktop measures several aspects of the system’s integrity. These including:

• UEFI Firmware
• Secure Boot state (enabled or disabled)
• Partition Table
• Boot loader and drivers
• Kernel and initrd (including kernel command line parameters)

These measurements are stored in the system’s TPM. During startup, the current state is compared with the stored measurements. If these match, the system boots normally. If discrepancies are found, users are prompted to enter a Recovery Key provided during installation. This safeguard ensures that unauthorized changes or tampering attempts are flagged.

Fallback Mode exists for computers that don’t support TPM, requiring the user to enter a password on boot (not the password to log in, but the password that is required immediately on boot to unlock the disk). The developers address concerns that the Default Mode’s TPM implementation is less secure than manually entering a password:

Contrary to initial concerns, Default Mode is not less secure than Fallback Mode despite not requiring a passphrase at startup. The strong integrity checks in Default Mode protect against attacks that could bypass normal authentication methods. For example, it can detect changes to the kernel command line that could otherwise allow unauthorized access. Furthermore, it safeguards against modifications to initrd thereby preventing potential passphrase capture in Fallback Mode.

FDE is available on most Linux distros, and all of the major ones. Unfortunately, there are very few that make FDE the default option, with Pop!_OS being a notable exception. Making comprehensive FDE the default for openSUSE Aeon is a good move, hopefully one more distros will embrace.

Kaspersky is a popular maker of antivirus and security software, but the company is based in Russia. According to Reuters, officials are concerned by how widely used Kaspersky’s products are, including by organizations classified as critical infrastructure providers. The company’s software is also used by state and local governments.

Accusations of close ties between Kaspersky and the Russian government have been growing in recent months. According to CNET, there have been some reports that indicate the company is actively working with the FSB, while others claim that Russian intelligence has hacked the company’s products for its own benefit. Either way, officials are increasingly concerned that Kaspersky’s products represent a growing threat to national security.

“The case against Kaspersky Lab is overwhelming,” said Senator Jeanne Shaheen. “The strong ties between Kaspersky Lab and the Kremlin are alarming and well-documented.”

Given the popularity of Kaspersky’s products, a ban on its software will likely have significant repercussions for organizations and government entities alike.

UHG suffered a devastating ransomware attack in early 2024. Hackers, claiming to be part of BlackCat, claimed to have absconded with six terabytes of data. UHG CEO Andrew Witty ultimately made the decision to pay a $22 million ransom to regain access to company systems.

In the wake of the attack, damning details have emerged regarding the company’s cybersecurity—or lack thereof. For example, as Senator Wyden writes in a letter to FTC Chairwoman Lina Khan, despite multi-factor authentication (MFA) being company policy for all “externally facing systems,” the company had failed to enforce it, leading to a remote server being compromised. To make matters worse, Witty revealed testimony before Congress, that MFA was not in place company wide at the time of his testimony, nor was the policy enforced in all instances.

“In certain situations where you might have, for example, older technologies which have been upgraded, you might — you may have security controls around those systems as a — as a compensatory factor,” Witty told Congress.

Senator Wyden emphasizes the utter lack of good judgment the above statement demonstrates.

The consequences of UHG’s apparent decision to waive its MFA policy for servers running older software are now painfully clear. But UHG’s leadership should have known, long before the incident, that this was a bad idea.

Senator Wyden then takes aim at UHG’s hiring of Steven Martin for the role of CISO, saying he appeared to be unqualified for the role.

One likely reason for UHG’s negligence, and the company’s failure to adopt industry-standard cyber defenses, is that the company’s top cybersecurity official appears to be unqualified for the job. Steven Martin, UHG’s chief information security officer (CISO), had not worked in a full- time cybersecurity role before he was elevated to the top cybersecurity position at UHG in June, 2023, after working in other roles at UHG and Change Healthcare. Although Mr. Martin has decades of experience in technology jobs, cybersecurity is a specialized field, requiring specific expertise. Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the largest health care company in the world should not be someone’s first cybersecurity job.

Senator Wyden makes a point of saying that Martin should not be scapegoated for UHG’s failure. Instead, the CEO and board bear responsibility.

Due to his apparent lack of prior experience in cybersecurity, it would be unfair to scapegoat Mr. Martin for UHG’s cybersecurity lapses. Instead, UHG’s CEO and the company’s board of directors should be held responsible for elevating someone without the necessary experience to such an important role in the company, as well as for the company’s failure to adopt basic cyber defenses. The Audit and Finance committee of UHG’s board, which is responsible for overseeing cybersecurity risk to the company, clearly failed to do its job. One likely explanation for this board-level oversight failure is that none of the board members have any meaningful cybersecurity expertise.

The senator calls on Lina Khan and the FTC to investigate UHG’s cybersecurity failures—making the point that there are likely many more given how serious this one is—and hold senior leadership accountable.

A Journey Through Cybersecurity

CISA is on the forefront in the war against malware and cybersecurity threats, tracking threats and working with organizations to counter them. The agency’s Malware Next-Gen is a malware analysis platform that uses a combination of methods to identify malware.

CISA’s Malware Next-Generation “Next-Gen” Analysis platform provides automated malware analysis support for all U.S. federal, state, local, tribal, and territorial government agencies. Analysis is performed by a combination of static and dynamic analysis tools in a secure environment and results are available in PDF and STIX 2.1 data formats.

CISA has made the tool available to the public, with the ability to use it as a registered or anonymous user, although only registered users will receive analysis reports.

Please note, the Malware Next-Gen Analysis platform is a U.S. government computer and information system. To receive analysis of any malware samples you submit to this system, you will need to create a user account and consent to monitoring of your activities. Access to this system is restricted to authorized users only and subject to rules of behavior.

Users who wish to submit malware samples without registering may use Anonymous submission. Unregistered users are not required to provide any contact information; however, users who use this submission method will not have access to analysis results.

Users can submit files anonymously here. Users who wish to register can do so at login.gov.

AlmaLinux began its life as a 1:1 RHEL-compatible Linux distro, giving organizations a less expensive alternative to RHEL. When Red Hat announced its controversial decision to restrict access to RHEL’s source code, AlmaLinux pivoted to become Application Binary Interface (ABI) compatible.

A major benefit of this approach is that AlmaLinux no longer needs to wait for RHEL to patch a vulnerability, a point the distro has just proven. AlmaLinux OS Foundation Chair benny Vasquez announced the fix for CVE-2024-1086 on the organization’s website.

In January of this year, a kernel flaw was disclosed and named CVE-2024-1086. This flaw is trivially exploitable on most RHEL-equivalent systems. There are many proof-of-concept posts available now, including one from our Infrastructure team lead, Jonathan Wright (Dealing with CVE-2024-1086). In multi-user scenarios, this flaw is especially problematic.

Though this was flagged as something to be fixed in Red Hat Enterprise Linux, Red Hat has only rated this as a moderate impact. Our users have asked us to patch this more quickly, and as such, we have opted to include patches ourselves. We released this kernel patch to the testing repo last weekend and plan to push it to production on Wednesday, April 3rd.

Vasquez also took the opportunity to assure users that AlmaLinux was not impacted by the recent XZ backdoor.

The entire open source world exploded last Friday as a reporter shared that they had identified a backdoor in the open source data compression utility XZ. Thanks to both the diligence of the reporter, Andres Freund, and the nature of beta and rolling releases being used for testing, this back door was identified much earlier than it might have otherwise been. Because enterprise Linux takes a bit longer to adopt those updates (sometimes to the chagrin of our users), the version of XZ that had the back door inserted hadn’t made it further than Fedora in our ecosystem.

Vasquez concluded by emphasizing the newfound freedom that comes with being a “Red Had equivalent operating system,” rather than a 1:1 compatible one.

Security is a priority at AlmaLinux, and once again we’re patching something we feel is super important. This is part of the freedom that comes with being a community-powered Red Hat equivalent operating system. We appreciate the members of our community that reported, worked to fix, and have tested our security updates.

Betz’s transition from Capital One to AWS was not merely a career move but a testament to the growing significance of cloud-based security solutions. “One of the things, as I spent several years there, that I kept on realizing was how much our work relied on the security of AWS. As you know, Capital One is all in the cloud and has closed its data centers. And so that journey at Capital One, the security work at Capital One with AWS led me to appreciate how incredibly important the technology we bring is to that trust and the security of so many businesses.”

Reflecting on his tenure at AWS, Betz highlighted the subtle yet profound shifts in perspective that come with assuming the role of CISO. “It’s one thing to hear about those conversations about security being Job Zero, the top priority at AWS. It’s another thing to live it, have those conversations, and be challenged by my business and technology partners about whether we are moving fast enough. Are we raising the bar enough? Are we staying ahead of the threats?”

Central to Betz’s approach is the recognition that effective cybersecurity transcends mere technical proficiency—it requires a fundamental shift in mindset and culture. “It does. There’s not a… Well, I mean, I’m in security, so every conversation I have will have that to some degree. But it’s amazing to be in meetings that are not even on security topics. As a senior leader, one of the things I do appreciate about AWS is that they involve security in non-security specific meetings. And I get to be part of those conversations and have other people bring up, ask about security, and think about how we do that better. Just like you said, that culture that is everywhere really, really matters.”

When measuring a security program’s effectiveness, Betz eschews conventional metrics in favor of a more nuanced approach. “It’s an excellent question. And often, when I’m asked that question, people expect me to jump to metrics or measurements. And there’s certainly a slew of metrics and measurements we can use to help describe what’s going on in security. But one of the things that I think is truly a leading indicator is the degree to which the business and the technology organizations see security as an enabler of them achieving their programs.”

In the realm of boardroom discussions, Betz emphasizes the need for security leaders to tailor their communication to the unique dynamics of each board. “That is a great question. And honestly, I have never seen two companies who do it the same way. Part of that is because it’s important to discuss risk within the business context.”

As Betz continues to navigate the ever-evolving landscape of cybersecurity, one thing remains clear: the CISO’s role is more critical than ever. With cyber threats growing in frequency and sophistication, organizations must invest not only in technology but also in the people and processes that form the foundation of effective cybersecurity. At AWS, under Betz’s leadership, the pursuit of security excellence remains steadfast, ensuring that businesses can trust in the integrity and resilience of the cloud.

Repsol’s commitment to the energy transition underscores its proactive stance towards embracing alternative energy sources and reducing carbon emissions. As Quintela explains, this shift necessitates a robust cybersecurity posture to mitigate risks associated with digital transformation initiatives. Quintela emphasizes the need for organizations to balance cybersecurity with operational efficiency, particularly in environments where information technology (IT) and operational technology (OT) converge.

Against the backdrop of an evolving threat landscape characterized by increasingly sophisticated cyber attacks, Quintela outlines three key strategies for critical infrastructure companies:

Understanding Cybersecurity as a Business Risk: Boards of directors must recognize cybersecurity as a business risk and assess its potential impact on organizational operations. This entails quantifying cyber threats and developing specific plans to achieve desired risk tolerance levels.

Staying Aware of Regulatory Requirements: Compliance with cybersecurity regulations, such as the NIS Directive in the EU and the SE Rule in the US, is essential. Boards must remain informed about evolving regulatory frameworks and ensure their organizations adhere to relevant laws and directives.

Investing in Resources and Specific Plans: Boards should support allocating resources and the development of comprehensive cybersecurity plans. This includes ongoing investments in cybersecurity controls and balancing security measures and operational needs.

Integral to effective cybersecurity is the integration of cybersecurity into company culture. Quintela underscores the importance of fostering a culture of cybersecurity awareness among employees at all levels. From business leaders making strategic decisions to frontline staff serving as the first line of defense against cyber threats, a culture where cybersecurity is ingrained in decision-making processes and everyday operations is paramount.

Quintela also discusses the criteria critical infrastructure companies consider when selecting trusted partners to assist in executing their OT cybersecurity roadmap. Compatibility, effectiveness, and innovation are key factors, ensuring that technology solutions are secure, adaptable, and capable of evolving alongside emerging threats.

Quintela’s insights underscore the critical role of cybersecurity in safeguarding critical infrastructure against cyber threats. By adopting proactive strategies, staying abreast of regulatory requirements, and fostering a culture of cybersecurity awareness, organizations can enhance their resilience and confidently navigate the cybersecurity landscape in an increasingly digitized world.

The conversation began with a reflection on the past as panelists reminisced about the early days of the CISO role. “When I started, the CSO role was kind of a unicorn,” remarked one participant. “You rarely encountered someone with that title, and security was often viewed as a utility rather than a strategic asset.”

Indeed, the role of the CISO has undergone a remarkable transformation over the years, transitioning from a technical position to a critical business function. As cybersecurity threats continue to evolve and multiply, organizations increasingly recognize the importance of proactive risk management and compliance.

“In the past, technical skills were a must for aspiring CISOs,” noted another panelist. “But today, while technical acumen is still valuable, the soft skills set successful CISOs apart. Communication, collaboration, and the ability to translate complex security concepts into business terms are now essential.”

The discussion also touched on the growing accountability placed on CISOs, particularly in light of new regulations and mandates. “CSOs today are facing new challenges and increasing workloads,” explained one participant. “They’re being held more accountable for security actions or inactions taken by the business, and the struggle is only going to get harder.”

Despite the challenges, the panelists were optimistic, emphasizing the importance of agility, adaptability, and continuous learning in the ever-changing cybersecurity landscape. “The key to success as a CISO is the ability to evolve and innovate,” remarked one industry expert. “It’s about anticipating future threats, navigating complex regulatory environments, and effectively communicating with stakeholders at all levels of the organization.”

As the discussion drew to a close, there was consensus that the role of the CISO will continue to evolve in response to emerging threats and technological advancements. “The future of cybersecurity is uncertain,” concluded one panelist. “But with the right leadership, collaboration, and commitment to excellence, we can rise to meet any challenge that comes our way.”

In a world where cybersecurity is no longer an afterthought but a strategic imperative, the role of the CISO has never been more important. As organizations navigate the complex cybersecurity landscape, they can take comfort in knowing that they have dedicated professionals at the helm, guiding them safely through the digital wilderness.

Palo Alto Networks surprised the market with a $600 million billings shortfall forecast, signaling cracks in its consolidation strategy. This development had a ripple effect, dragging down other consolidation players like CrowdStrike and Zscaler. However, a closer look at the dynamics reveals different stories for each company.

CrowdStrike’s Impressive Momentum

CrowdStrike’s recent earnings report showcased impressive momentum, with $3.44 billion in Annual Recurring Revenue (ARR), representing 34% growth. The company’s success can be attributed to its platform approach, which leverages AI and encompasses more than just endpoint security. CrowdStrike aims to expand beyond its core endpoint business, with cloud, identity, and next-gen security modules driving growth.

One of CrowdStrike’s key strengths lies in its ability to adapt and innovate, evident in its focus on AI-driven solutions like Charlotte Gen AI. This platform expansion strategy positions CrowdStrike as a formidable player in the cybersecurity space, with a clear path to becoming a next-generation software company.

Challenges for Palo Alto and Zscaler

On the other hand, Palo Alto Networks faced challenges with spending fatigue among customers and difficulties in converting them to its platform. This resulted in the company offering free trials to bridge the gap and retain customers. Meanwhile, Zscaler’s recent earnings report, despite beating expectations, faced scrutiny from analysts, leading to concerns about billing and guidance.

The Power of Platforms

The success of CrowdStrike underscores the importance of platforms in cybersecurity. Unlike traditional product-focused approaches, platforms offer unified solutions that simplify deployment and management for customers. CrowdStrike’s founder-led, mission-driven approach, coupled with its cloud-native architecture and AI capabilities, positions it as a leader in the space.

As cyber threats continue to escalate, organizations recognize the value of investing in robust cybersecurity solutions. While budget constraints may pose challenges, the ROI of cybersecurity lies in reducing the impact of breaches and mitigating associated risks. Ultimately, companies that prioritize innovation and adaptability, like CrowdStrike, are poised to thrive in an increasingly complex threat landscape.

Recent developments in the cybersecurity sector highlight the importance of platform-based approaches and innovation in addressing evolving threats. While challenges persist for some players, those that prioritize customer needs, leverage emerging technologies, and demonstrate resilience are well-positioned for long-term success.

Companies and organizations of all sizes are facing unprecedented cybersecurity threats, with AI increasingly being used to carry out attacks. Google is trying to turn the tables, using AI to help bolster cybersecurity. The company wants to help organizations tackle “Defender’s Dilemma” with its new AI Cyber Defense Initiative.

Phil Venables, Google Cloud VP, CISO, and Royal Hansen, VP of Engineering for Privacy, Safety, and Security outlined the initiative in a blog post:

Today, and for decades, the main challenge in cybersecurity has been that attackers need just one successful, novel threat to break through the best defenses. Defenders, meanwhile, need to deploy the best defenses at all times, across increasingly complex digital terrain — and there’s no margin for error. This is the “Defender’s Dilemma,” and there’s never been a reliable way to tip that balance.

Our experience deploying AI at scale informs our belief that AI can actually reverse this dynamic. AI allows security professionals and defenders to scale their work in threat detection, malware analysis, vulnerability detection, vulnerability fixing and incident response.

The executives outline Google’s three-part plan, including its efforts to foster a “secure by design and by default” AI ecosystem; empower organizations with expansions to its Google.org Cybersecurity Seminars Program and open-sourcing its AI-powered Magika that is used to help detect malware; and advancing AI-powered security researched with $2 million in research grants.

The company has a detailed report available for those looking to learn more.

IronNet surprised the industry when it announced it would file for bankruptcy and shut down. The firm originally launched to much fanfare, boasting former NSA director Keith Alexander as one of its founders.

Unfortunately, experts warn IronNet is just the beginning. The industry’s issues stem from what many see as unrealistic expectations regarding potential growth, setting firms up for disaster.

“We will see more of these bankruptcies with highly leveraged cybersecurity companies, even those with ‘unicorn status’,” Approov CEO Ted Miracco told SC Media, highlighting an IANS Research report showing a 6% expansion in security budgets.

“This is fundamentally incompatible with the large cadre of VC backed companies that expect triple-digit growth figures, especially in this current economic environment,” he added.

Mirraco says the firms that are best-positioned to survive are those that already have a track record of thriving in challenging environments and have a solid focus on innovation and profitability.

“With a fragile economy and a very crowded NDR market, it’s even more critical for those of us in this space to get back to these basic principles,” said Stamus Networks CEO Ken Gramley.

“Looney Tunables” is a GNU C Library (glibc) privilege escalation exploit that grants local users full root access. The flaw was discovered by security researchers at Qualys. Because of glibc’s widespread use, the vast majority of distributions are affected by this particular flaw, according to Saeed Abbasi, Product Manager – Threat Research Unit:

We have successfully identified and exploited this vulnerability (a local privilege escalation that grants full root privileges) on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13. It’s likely that other distributions are similarly susceptible, although we’ve noted that Alpine Linux remains an exception due to its use of musl libc instead of glibc. This vulnerability was introduced in April 2021.

Abbasi says the vulnerability poses “significant risks” to Linux distributions and their users:

Our successful exploitation, leading to full root privileges on major distributions like Fedora, Ubuntu, and Debian, highlights this vulnerability’s severity and widespread nature. Although we are withholding our exploit code for now, the ease with which the buffer overflow can be transformed into a data-only attack implies that other research teams could soon produce and release exploits. This could put countless systems at risk, especially given the extensive use of glibc across Linux distributions. While certain distributions like Alpine Linux are exempt due to their use of musl libc instead of glibc, many popular distributions are potentially vulnerable and could be exploited in the near future.

Fortunately, Debian, Gentoo, Ubuntu, and Red Hat have already patched the issue. Needless to say, users should update immediately.

Red Hat made the announcement in an email to the list:

This is a notification to inform all subscribers that on October 10, 2023, the rhsa-announce mailing list will be disabled by Red Hat Product Security, and no additional Security Advisory notifications will be sent to this list.

Moving forward, users will need to use their Red Hat account to receive security notifications, or subscribe to the company’s RSS feed:

To continue receiving information about released security advisories, logged-in users that have active Red Hat Subscriptions can set up notifications at:

https://www.redhat.com/wapps/ugc/protected/notif.html

Alternatively, all users can make use of the Red Hat Security Errata RSS feed published at:

https://access.redhat.com/security/data/metrics/rhsa.rss

Or consume security advisories in a machine-readable format at:

https://access.redhat.com/security/data/csaf/v2/advisories/

The company announced the news in a regulatory filing:

On September 29, 2023, given the unavailability of additional sources of liquidity and after considering strategic alternatives, IronNet, Inc. (the “Company”) ceased all activities of the Company and its subsidiaries and terminated the remaining employees of the Company and its subsidiaries. As a result, all of the material business activities and operations of the Company ceased, the Company does not have the ability to satisfy its debts and related obligations, the Company will no longer have the capability to prepare financial statements and other disclosures required for periodic reports for filing with the Securities and Exchange Commission, and the related actual and potential effects on the Company and its subsidiaries will be material and adverse. The board of directors of the Company further authorized the Company to take such actions necessary to prepare for and, subject to final approval by the board of directors to be given at a subsequent meeting, file a voluntary petition for relief under the applicable provisions of the United States Bankruptcy Code (the “Bankruptcy Code”) in the United States Bankruptcy Court (the “Bankruptcy Filing”) as expeditiously as possible.

The revelation is an ignominious end to a company that once held quite a bit of promise in the cybersecurity industry.

NordVPN is one of the most well-respected VPN providers in the world. The company is working to deliver even more cybersecurity tools and will use NordLabs to develop and test them, according to a company tweet:

NordLabs by NordVPN is here! NordLabs is a place where cutting-edge cybersecurity tools are born. It will let you try and experience new online security tools, evaluate them, and contribute to overall safety online. Sign up today: https://content.nordvpn.com/47Rq7QP

NordVPN (@NordVPN) — August 28, 2023

Among the areas of focus is using artificial intelligence to provide improved cybersecurity and combat threats posed by bad actors using AI.

One such effort is Project Sonar:

Turning the tables: Employ AI to identify phishing attacks*

Phishing attacks are evolving together with AI technology, and we’re here to beat cybercriminals in their own game. Meet Sonar, a browser extension that detects phishing emails. Install it, open an email, scan it, and Sonar will let you know how likely it is to be a phishing scam. It will also point out which aspects of the email affected that decision and tell you what signs to look out for. **

Phishing attacks are evolving together with AI technology, and we’re here to beat cybercriminals in their own game. Meet Sonar, a browser extension that detects phishing emails. Install it, open an email, scan it, and Sonar will let you know how likely it is to be a phishing scam. It will also point out which aspects of the email affected that decision and tell you what signs to look out for.

Another project is Project Pixray:

Fighting fire with fire: Using AI to detect AI generated images

A talented artist with a vivid imagination or a layperson with unlimited Midjourney credits? No need to count the fingers and teeth — upload images to Pixray and check them for AI-generated content.

The company is looking for feedback to help it identify which projects can become viable options to help keep users safe and secure:

And we are inviting you to join us — by using these experimental tools and giving feedback, you will help us understand which of them have a fighting chance to keep us safe from digital threats. Some tools will work flawlessly, others may have a bug or two, so expect the unexpected.

In a LinkedIn post, Yoran detailed how researchers at his company discovered a flaw in Azure that could “enable an unauthenticated attacker to access cross-tenant applications and sensitive data, such as authentication secrets. To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank.”

Tenable’s researchers notified Microsoft of the issue in March 2023 when it was discovered. Unfortunately, Yoran says Microsoft didn’t fix the issue:

Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers’ networks and services? Of course not. They took more than 90 days to implement a partial fix – and only for new applications loaded in the service.

Yoran then details the implications of Microsoft’s failure to address the problem:

That means that as of today, the bank I referenced above is still vulnerable, more than 120 days since we reported the issue, as are all of the other organizations that had launched the service prior to the fix. And, to the best of our knowledge, they still have no idea they are at risk and therefore can’t make an informed decision about compensating controls and other risk mitigating actions. Microsoft claims that they will fix the issue by the end of September, four months after we notified them. That’s grossly irresponsible, if not blatantly negligent. We know about the issue, Microsoft knows about the issue, and hopefully threat actors don’t.

In one of his most damning statements, Yoran cites Google Project Zero’s research showing that “Microsoft products have accounted for an aggregate 42.5% of all zero days discovered since 2014.”

Microsoft has faced growing scrutiny over its security practices, with Senator Ron Wyden writing a letter last week to the DOJ, CISA, and the FTC asking the agencies to “hold Microsoft responsible for its negligent cybersecurity practices, which enabled a successful Chinese espionage campaign against the United States government.”

Microsoft may be the second-largest cloud provider, nipping at the heels of AWS. If the company can’t get its act together when it comes to security, it may soon find itself losing ground in the cloud wars.

According to Wiz researchers Sagi Tzadik and Shir Tamari, the issues stem from Ubuntu’s OverlayFS module. Several years ago, Ubuntu made custom modifications to OverlayFS. When combined with the changes made to the mainline Linux kernel, however, vulnerabilities in Ubuntu were overlooked, as the researchers describe:

The two vulnerabilities are exclusive to Ubuntu because Ubuntu introduced several changes to the OverlayFS module in 2018. These modifications did not pose any risks at the time. In 2020, a security vulnerability was discovered and patched in the Linux kernel, however due to Ubuntu’s modifications, an additional vulnerable flow was never fixed in Ubuntu. This shows the complex relationship between Linux kernel and distro versions, when both are updating the kernel for different use cases. This complexity poses hard-to-predict risks.

The researchers say that Ubuntu’s modifications pose serious risks to users:

Our team has discovered significant flaws in Ubuntu’s modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine. Linux has a feature called “file capabilities” that grants elevated privileges to executables while they’re executed. This feature is reserved for the root user, while lower-privileged users cannot create such files. However, we discovered that it’s possible to craft an executable file with “scoped” file capabilities and trick the Ubuntu kernel into copying it to a different location with “unscoped” capabilities, granting anyone who executes it root-like privileges.

Fortunately, the researchers say that remote exploitation of these vulnerabilities — labeled CVE-2023-2640 and CVE-2023-32629 — is “improbable,” and local access to a machine is likely required.

However, all users should update their kernel as soon as possible to mitigate these two security issues.