Renee Tarun - Fight Fire with Fire: Proactive Cybersecurity Strategies for Todays Leaders

1. Chapter 3
2. Chapter 6
3. Chapter 10

RENEE TARUN

Deputy CISO, Fortinet

Copyright 2022 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey

Published simultaneously in Canada.

ISBN: 978-1-119-85426-5 (hardcover), 978-1-119-85427-2 (ebook), 978-1-119-85433-3 (ebook)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2021943299

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Illustrations: Chloe Mosbacher

Cover Image: Adobe Stock/knssr

Cover Design: Wiley

To my family, Brett, Ryan, and Rebecca, for their continuous support and inspiration.

Renee Tarun, Deputy CISO, Fortinet

Renee Tarun is the deputy CISO at Fortinet. She has over twenty-five years of experience in information technology and cyber within the US Intelligence Community, Department of Defense, and law enforcement as well as private-sector entities around the world.

Renee has focused on enterprise security, compliance and governance, and product security at Fortinet. Prior to joining Fortinet, she served as Special Assistant to the Director of the National Security Agency (NSA) for Cyber and as Director of NSAs Cyber Task Force, where she shaped agency strategy as well as national cyber policy for the White House.

In addition, Renee served in many other roles concentrating on development and engineering, cyber strategy, operations, resourcing, and relationship management for the NSA, the Department of Defense, and the US Secret Service.

Renee is a board member for the George Mason University Volgenau School of Engineering and is co-author of Cyber Safe, a book aimed at keeping children safe online.

This book has been a collaborative team effort involving many diverse cyber leaders and experts from across government and the private sector. It would not have been possible without their insightful contributions and thought leadership. Their dedication and energy continue to push boundaries and make our cyber world safer and more secure.

I would like to thank the entire Fortinet team for supporting me in the creation of this book, and for providing me with the opportunity to share insight and knowledge that will help guide technology leaders around the world.

Sonia E. Arista

Marianne Bailey

Fatima Boolani

Beth-Anne Bygum

Laura Deaner

Lisa Donnan

Suzanne Hartin

Susan Koski

Jenny Menna

Mel T. Migrio

Sanju Misra

Terry Roberts

Maria S. Thompson

Anne Marie Zettlemoyer

RENEE TARUN

Digital transformation and the ever-changing threat landscape have significantly altered the role of chief information security officers (CISOs) and security decision-makers.

Traditional CISO responsibilities such as patch management and incident response are as critical as ever, but today's CISOs must also concern themselves with supply chain risks, myriad privacy regulations, and 5G. In addition to fighting traditional and emerging threats, CISOs also face the stress of the skills gap: not having enough people to do the job.

These challenges interwoven with network security are forcing CISOs to take a more holistic approach to balancing risk, security, and strategic business enablement.

Technology is not the only approach to solving the quagmire of security challenges we face. Security leaders must address people, processes, and technology, synthesizing them to create security solutions that manage risk while advancing business objectives at the speed of today's economy.

As CISOs, we must become fluent in the language of the business. We must influence others to change their mindsets, habits, and approaches to technology and behave in ways that maintain security. We need a cultural shift that enables everyone to adopt effective, ongoing processes to keep our organizations safe. Security must be embedded into vendor selection, employee onboarding, and product development. Security awareness training must be continuous to match the cadence of the threats we face.

We need security leaders who understand the value of the latest technology, but even more importantly who have the skills to develop relationships that bring people together and the discipline to create repeatable processes.

Today's security leaders face considerable stress. The CISO role has a high turnover rate, with an average tenure of just twenty-six months. Fundamental changes are needed to empower us to lead effectively, attain a better work-life balance, and manage the inevitable stress of our roles. The answer is not working longer hours; 95% of CISOs are working an average of ten hours more a week than their contracts stipulate.