The Second CISO Revolution

Numerous changes have taken place in recent years in the organizational function of the Chief Information Security Officer. CyberArk CEO Udi Mokady argues in an interview that the function is undergoing a revolution and that the CISO is now required to deal with risk management as well.

CyberArk CEO Udi Mokady at Cybertech Tel Aviv 2019 (Photo: Gilad Kavalerchik)

The organizational function of CISO (Chief Information Security Officer) started as a role in charge of managing information security technologies. A few years ago, with the introduction of automation into this activity and the migration of systems and applications to the cloud, the function underwent a first revolution, which compelled the CISO to be knowledgeable about the business activities of the organization. The CISO was required to think about how information security technology can contribute to the profitability of the organization and to the value of its shares.

Now, CyberArk CEO Udi Mokady argues that the CISO function is undergoing another revolution, as it is required to provide management with a risk assessment of the information security activity. In other words, the CISO is required to manage the technology, come up with ways to derive business value from it, and point out the expected risks facing the organization's business processes. By all accounts, this is a fairly complex undertaking for one person.

Mokady, who was responsible for the acquisition of Conjur in 2017, stresses the importance of the information security field moving into code, or in the professional jargon, Security by Design. This has been a much-discussed topic in the professional discourse recently. Essentially, it aims to build information security considerations into the development of the application or the physical product from the outset. One of the primary environments responsible for implementing this principle is the DevOps layer. "This compels the CISO to understand the development environment and the operating environment so as to provide the management with quality risk management," says Mokady in an interview with Cybertech.

CyberArk's decision to address the entire value chain of the application, including involvement in the DevOps world, with an enterprise product and, more recently, the quiet launch of a cloud computing service, has made its mark. CyberArk finished the last quarter with 4,450 clients. "The exploitation of the authorizations of human and non-human elements within the organization has remained at the center of almost every major attack," Mokady explained to analysts after the publication of CyberArk's reports for the last quarter. "In this new and more complex environment, manager accounts are created at a faster pace. The granting of access to those accounts has also expanded at an unprecedented pace."

Reinforcing the Connection with the Developer Community

Another point Mokady raises is how to reduce some of the CISO's workload. Building the information security aspect in as early as the DevOps stage can reduce the attack surface in subsequent stages of the application development process and save the CISO some work. "To be efficient, the CISO should be involved in all of the stages of the organizational digital transformation. In reality, it does not always work that way. Anyone who's interested should know about DevOps, as otherwise he will be out of touch with processes taking place within the organization," explains Mokady.

"He is the functionary within the organization who gets up every morning thinking information security. He is indispensable, but he must understand the entire technology. He is the link between the technology and the organization's business with regard to the information security aspect. No one else can point out the risks in this content world except the CISO."

At CyberArk they explain that the choice of open source reinforced the connection with the Company's developer community. The Company has even established a dedicated team that works with the developers. "This is a content world with its own rules and language," explains Mokady. "Our ability to interface with the DevOps process has positioned us at a different place as far as the developers are concerned. It is a complex process and you must be aware of the range of tools taking part in it in order to interface with them."

Another move the Company made last summer was the quiet launch of a Software-as-a-Service (SaaS) solution in the cloud, aimed primarily at small businesses. "This has been an opening shot for us," explains Mokady. "We have not yet specified any business objectives for our cloud product. At the same time, it is a part of our business roadmap in the long run. This has been a strategic decision for us. The major clients are still apprehensive about transferring the keys to the cloud, but that is the global trend: have everything transferred to the cloud. We want to be ready. Our working assumption is that demand will exist for an enterprise product and for a cloud service. Existing clients of the enterprise version who wish to install the product in public cloud infrastructures as their own private cloud can already do that. We support every one of the major public clouds."