Don't let your kids grow up to be CISOs

Today: As security threats skyrocket and regulations pile up, an already difficult job is getting harder, an Australian Google Cloud customer suffers an outage blamed on an "unprecedented sequence of events," and the latest enterprise moves.


Life on the hot seat

Knostic founder and CEO Gadi Evron summed up the modern life of a chief information security officer earlier this week at RSA without having to say a word, taking the stage in a t-shirt that read "Chief Incident Scapegoat Officer," according to Infosecurity Magazine. As pressure builds on companies to deal with security threats that seem to grow by the week, someone has to take the fall.

Cybersecurity professionals are in a strange place these days, more confident than ever in the prospect of lifetime employment but under siege as governments, customers, and board members demand accountability for incidents that can be difficult to foresee. A panel discussion at RSA laid out the challenges facing modern CISOs, who are all on guard after the SEC charged SolarWinds CISO Timothy Brown with fraud last year.

At many companies, security executives lack the organizational power to make changes in pursuit of better security.

  • CISOs often report to a CIO, CTO, or even the CFO, which hampers their ability to set budget priorities or push product teams to adopt better security practices.
  • Only 5% of CISOs report directly to the CEO, according to a survey conducted last year, which also impacts the way security issues are presented to the board of directors.
  • "Very few members of the audience, which had a significant proportion of CISOs, raised their hands when asked by [Oracle's David Cross] who had clear documentation of their role and responsibility," Infosecurity Magazine reported.

But when something goes wrong, they're usually the ones in the spotlight.

  • "The heat is (coming) because the reality is that you’ve got these entities in government, who are responding to the huge rise in cybercrime," Evron said, according to Information Week.
  • Former Uber CISO Joe Sullivan spoke about his experience facing charges over Uber's actions during a data-breach incident in 2016, urging CISOs to over-communicate with their bosses when implementing security procedures and keep receipts.
  • "We need to get away from the world where all the decisions were made by the security team. They need to be made at the CEO and board level and they need to sign off on everything," he said.

The short-term legal pressure seems likely to increase as ransomware attacks become an everyday experience for ordinary people. On Thursday, for example, the Biden Administration said it would require hospitals to follow cybersecurity standards set by regulators, weeks after the ChangeHealth disaster and a day after another ransomware attack hobbled Ascension Healthcare Network.

  • Bloomberg also reported that the administration will impose "minimum cybersecurity requirements for entities that receive money from Medicare and Medicaid," which is a lot of entities.
  • No deadline was set for either measure, but it will be up to the CISOs at those healthcare organizations to implement those requirements.

Given that so many cybersecurity incidents can be prevented with basic steps like requiring employees to use multifactor authentication tools when logging into networks, there's a reasonable argument for the government to set some basic standards to protect consumer data.

  • However, CISOs are increasingly worried that good-faith attempts to secure their corporations could be turned against them when something goes wrong.
  • When those requirements are written, they need to make clear who is legally responsible for cybersecurity incidents and specify how companies can demonstrate their compliance.


Not so super

It's been a rough week for Google Cloud customer UniSuper, an Australian retirement-fund manager that suffered a days-long outage after Google somehow deleted its infrastructure. Customers were finally able to access their accounts on Thursday, but transactions still appear to be offline.

In a joint statement with UniSuper, Google Cloud CEO Thomas Kurian confirmed that "the disruption arose from an unprecedented sequence of events whereby an inadvertent misconfiguration during provisioning of UniSuper’s Private Cloud services ultimately resulted in the deletion of UniSuper’s Private Cloud subscription. This is an isolated, ‘one-of-a-kind occurrence’ that has never before occurred with any of Google Cloud’s clients globally. This should not have happened."

Given that no one seems to have heard of a Google Cloud product called Private Cloud subscription, which "includes hundreds of virtual machines, databases and applications" according to UniSuper, the statement raised a few new questions that Google Cloud PR has yet to answer. According to iTnews, UniSuper used Google VMware Engine to migrate to the cloud last year: "the key drawcard for us with moving to the model that we've moved to is it's on the VMware platform, which our team's already used to using," it said.

Enterprise moves

Jitesh Ghai will be the new CEO at Hyland as of May 20th, after serving as executive vice president and chief product officer at Informatica.

Margaret Dawson and Bill Hineline are the new chief marketing officer and field CTO, respectively, at Chronosphere.

Chris Koehler is the new chief marketing officer at Twilio, following almost five years at Box in the same role.

Dan Rosanova is the new chief product officer at Lightbend, joining the microservices development company from Confluent.

The Runtime roundup

Bloomberg uncovered a few more details about Apple's AI server chips, which will be based on its M2 Ultra Mac chip and process AI services coming to Apple devices in the future.

CISA will step in to help NIST process the backlog of software vulnerability data that started to pile up earlier this year.

Carbon offsets "are largely ineffective," according to an unpublished climate research study seen by Reuters that would further tarnish one of enterprise tech's favorite environmental fig leaves.

Oracle's $28 billion acquisition of Cerner hasn't really worked out yet, according to Bloomberg, which said "the software maker has lost at least a dozen of Cerner’s large clients."

Thanks for reading — see you Saturday!
