Skip to main content

Endpoint police: The lead investigator

Over the past decade or so, the role of the CISO has only grown in importance. From humble beginnings working perimeter security, the CISO’s focus used to be almost entirely fixed on making the company firewall as impenetrable as possible.

However, as company data has increasingly migrated away from ring-fenced corporate data centres and onto endpoint devices such as workstations and laptops, this has become an increasingly futile task.

Rising through the ranks

As the lead investigator in the endpoint police department, the CISO has been forced to adapt not only to changes in the ways in which data is stored, but also to the changing nature of cybercrime. The most lucrative type of crime is now electronic, as evidenced by the high-profile breaches of American retail store, Target, and more recently of internet service provider, TalkTalk in the UK. Any organisation suffering a similar high-profile breach can end up paying huge sums of money in damages if mission-critical data is lost, not to mention suffering damage to the company’s brand and customer relationships.

In our globally connected economy, data security is arguably more important than physical security, and this places the spotlight directly on the CISO. It is a significant responsibility, but a good CISO knows how to protect and serve. In fact, according to research from the Ponemon Institute, companies with a CISO in place experienced reduced costs from a data breach.

This is because having a CISO leading the security force provides a company-wide focal point for data security. Making sure that the data security message is spread beyond the key task force and throughout the company as a whole, to keep all employees up to speed with data security practices, is a key element of the CISO’s role.

Assessing the threat

There is more to being a Lead Investigator than just raising awareness. Whilst a CISO might not play a direct role in the practical implementation of a data security and threat response plan, he or she must oversee the entire IT department, ensuring that the Police Officer and the Forensic Investigator have the requisite tools at their disposal to handle a breach incident as quickly and efficiently as possible.

Like a forensic intelligence officer briefing the department, the CISO informs other members of the force about possible or probable threats, their severity and the resources and actions required to protect against and mitigate each. However, the CISO knows that this is a ultimately a losing battle, and at some stage a data breach is going to occur.

The thin digital line

At some stage, the worst happens. A cyber attack breaches company defences, and this is where the CISO really comes into their own. Acting as the linchpin of the investigation, in the aftermath of a breach, the CISO must liaise with stakeholders from above and below their pay grade in order to ensure that damage is minimised across every front.

Working in partnership with the Marketing and PR teams to keep the media (public) up to date with the latest developments in the case, whilst mitigating reputational damage as far as possible is one element of this. If the missing data is subject to governmental oversight or legislation, consultation with the legal team is imperative, not least in order to establish the extent to which a company must disclose details in the aftermath of a breach. Furthermore, the CFO must be kept abreast of how much a breach is likely to cost, and when the aftermath is likely to end.

Over the years, the experience of the Lead Investigator stands them in good stead to perform the role they know best - drawing conclusions from the aftermath of the incident and implementing plans to prevent a similar breach from happening in the future. However, none of this is possible without the ability to cast a forensic microscope across the entirety of a network, endpoint devices included, in order to identify the source of a breach.

Without endpoint intelligence and threat protection software, a CISO is like an investigator without a torch - fighting an invisible battle in the dark.

Other articles in the series:

Endpoint police: The police officer

Endpoint police: The forensic investigator

Jon Brooks, UK Director for Code42

Image credit: Shutterstock/wk1003mike