Why CISOs Should Have an Offensive Mindset

SMRT Corp.'s Group CISO Says Security Data Can Be Used Beyond Threat Intel
Shaofei Huang, group CISO at SMRT Corp.

Traditionally, CISOs and security leaders have relied heavily on technology-based controls and maintained a purely defensive mindset. However, combating modern-day threats and attacks requires a new approach that involves taking an offensive stance, utilizing data science to analyze cybersecurity data and strategically investing in the right technology.

Adopt an Offensive Mindset

According to Shaofei Huang, group CISO at SMRT Corp., the adage "train as you fight, fight as you train" applies to cybersecurity as well. Deploying advanced technology alone to defend against cyberthreats is not enough; it is essential to understand the tactics and thought process of the hackers. Threat defenders only have one chance to secure their systems, and it only takes one successful attack for the attacker to succeed. Therefore, CISOs must adopt an offensive mindset and think like hackers, anticipating their next move, and identifying their target.

Over the past decade, much has been discussed about cybersecurity, risk management, governance and so on, but threats have constantly evolved and become more sophisticated. It's not just about managing risk but about being prepared for a breach. CISOs need an offensive mindset to sharpen their strategy and optimize resources.

Given the current economic slowdown, CISOs must make informed decisions about investing in the right controls and technologies to defend their systems. "A crucial aspect of an offensive mindset is automation. Although they may seem separate, investing in automation should be a priority for companies and organizations. The idea of purple teaming, which combines both offensive and defensive tactics, is more effective than just blue or red teaming," Huang says.

A purely defensive mindset focused on fortification is not enough, as attackers may already be inside the network. Similarly, a purely offensive mindset of finding vulnerabilities is insufficient. CISOs must strike a balance between offense and defense and implement a tight strategy around risk management. Automation is key to achieving this balance.

In the near future, there will likely be an increase in the development of innovative technologies in the field of security orchestration, automation and response.

Threats are becoming complex and unpredictable with the advent of AI. Hackers are not only monitoring defenses but also automating attacks. "We need to be on top of developments such as OpenAI's ChatGPT and prepare for potential challenges that may arise," Huang says. "The current technology investments are certainly not adequate to defend against AI-powered attacks. There is a shortage of skilled and experienced defenders. This is particularly challenging for mid-sized and small companies that cannot afford to hire top CISOs."

Look Beyond IT Security to Address New Threats

Technology investments for cybersecurity must be strategic and consider various factors, including business operations and regulatory requirements. For instance, companies in Singapore and similar countries are required to follow best practices for critical information infrastructure (CII), as outlined by legislation.

Historically, cybersecurity has been managed by the IT function and the CIO; hence, the focus has always been on IT security tools like SIEM, Active Directory security, Microsoft Defender and firewalls. However, the recent shift toward remote or hybrid work has made endpoint security a bigger challenge as companies struggle to keep track of their endpoint footprint.

"CISOs must prioritize robust data protection solutions to secure both outgoing and incoming data and prevent data exfiltration," Huang says.

Technology is expensive, and therefore boards of directors seek ROI on every buck spent. Only a fraction of CISOs and CIOs understand what they have in their environment. In the field of data science, progress in cybersecurity is slow, and many product vendors prefer to maintain proprietary solutions rather than embrace open-source innovation. The sharing of incident data from logs, SIEM tools, telemetry and other sources could improve threat hunting and overall cybersecurity posture.

"CISOs should consider investing in user and entity behavior analytics and other technologies that make use of cybersecurity data," Huang says.

The concept of zero trust has been widely misconstrued by tech executives. It's essential to have a foundation of trust, something to rely on, and to verify that foundation. Identity is the core of zero trust. In addition to visibility and automation, we must ask relevant questions, such as why someone is accessing the data and from where they are accessing it. Many technology vendors promote zero trust, but it's merely access control.

"As CISOs, it's crucial to fully comprehend zero trust before implementing it. Otherwise, it's like chasing an illusion," Huang says. "Zero trust can be an effective approach only if it has the necessary components, such as identity and access management. But if the foundation of trust is lacking, there's no point in implementing zero trust. Verifying everything against something trusted negates the purpose of zero trust."

To defend against unknown threats, organizations need an open, data-driven approach to security and must utilize technologies that include AI-based automation. Organizations need to focus on continuous monitoring, risk assessment and incident response to defend themselves against cyberattacks, and also inject cybersecurity data into data science tools to derive intelligence for the future.

Huang has spent more than 25 years in the cybersecurity domain. He served as CISO and director for data science at Land Transport Authority Singapore prior to joining SMRT Corporation, Singapore’s multi-modal public transport operator.

About the Author

Rahul Neel Mani

Founding Director of Grey Head Media and Vice President of Community Engagement and Editorial, ISMG

Neel Mani is responsible for building and nurturing communities in both technology and security domains for various ISMG brands. He has more than 25 years of experience in B2B technology and telecom journalism and has worked in various leadership editorial roles in the past, including incubating and successfully running Grey Head Media for 11 years. Prior to starting Grey Head Media, he worked with 9.9 Media, IDG India and Indian Express.
