CISOs must keep an eye on all fronts of IT security. The problem is that these are often quite confusing. […]
CISOs have many topics in mind, from building a secure infrastructure to defending against ransomware attacks to domestic crime. Given the abundance of responsibilities, it should not be surprising that even the most conscientious CISO overlooks some critical points. The following eight areas are often forgotten, but should be high on the agenda of chief information security officers.
Customers or service providers are difficult to monitor and are often targeted by cybercriminals who want to expand their attacks.
Myke Lyons, CISO at Collibra, advises CISOs to work closely with their partners to ensure that their level of security meets the requirements: “There is no clear or easy way, but evaluating vendors, libraries, third-party processes and connectivity to vendors is critical. Governance is crucial.”
After years in the job, many CISOs get stuck in the daily grind and then focus almost exclusively on meeting the basic requirements for corporate security and keeping their heads down as much as possible, an attitude that inevitably leads to problems. “If a CISO is not innovative, it can quickly happen that they have to fight to stay relevant in the midst of a growth phase,” warns Noah Beddome, CISO at online retailer Opendoor.
A CISO who fails to innovate will harm both the organization and their own reputation over time, the manager says: “We must motivate our teams and ourselves to turn our thoughts into proposals and not be afraid to fail. Requests for comments get discussions going, and even if the end result does not live up to expectations, it can lead to great progress.”
It is impossible to protect something you do not fully understand. Organizations that did not know exactly what data they stored, how much of it, and where have been among the victims of the most notorious cyber attacks and data breaches of the past. “It’s critical to know which data you inherited when you started and which ones continue to spread,” says Marlys Rodgers, CISO of CSAA Insurance Group.
According to Rodgers, CISOs should also fully understand the amount and scope of data beyond their direct control: “Knowing who has your data and what control measures are applied to it is just as important as the data over which you have direct control. Knowing your data footprint also means knowing how and where to plug the leaks,” says the manager.
CISOs should focus on building a culture of support to lead their teams to success. “Effective cybersecurity is largely the result of the right culture and a developed environment. This starts with the leaders at the top,” says Joe McMann, CSO of the management consultancy Capgemini.
McMann suggests CISOs analyze their security operations and consider a change of direction if their teams fail to address key risk areas or do not cooperate, even with management support. “Finally, CISOs need to ensure that their teams work with strategic partners who can help them achieve these goals and align with the overall culture and strategy,” he adds.
The threat landscape is constantly evolving. “Focusing on a point-by-point assessment is understandable from a tactical point of view, but it usually misses the strategic goals that CISOs should address,” says Doug Saylors, director of cybersecurity at the Information Services Group.
Many CISOs focus so much on the tactical aspects of security that strategic considerations fall by the wayside. “If you add security after the fact, there are likely to be significant gaps that make companies vulnerable to zero-day exploits,” he notes.
Saylors estimates that 80 percent of the CISOs he works with focus on tactical rather than strategic objectives. “The other 20 percent have held a CISO role for more than ten years and understand the importance of the strategy and the impact on the business,” he says.
The security expert recommends taking the role of the CISO to a strategic level and reviewing how the company has performed over the past 16 to 18 months. Based on the findings, the cybersecurity roadmap can be updated. “If necessary, you should leverage vendors in the market who can help manage commodity security capabilities to free up resources for the CISO and senior cybersecurity engineering positions and gain a strategic advantage,” says Saylors.
Investments in security tools, cyber experts and incident response processes must not lie idle. They need to be tested regularly to make sure they work. “CISOs are investing in tools and professionals to configure these tools and develop processes and procedures to detect and prevent attacks,” said Andrew Turner, executive vice president at consulting firm Booz Allen Hamilton. But all too often, the effectiveness of these tools and plans is only really tested when it is too late.
Turner advises implementing continuous testing programs at multiple levels, from tabletop exercises to technical tests such as purple teaming, a security methodology in which offensive and defensive teams collaborate to maximize cyber capabilities through continuous feedback and knowledge transfer.
Security, IT and business teams often work in separate silos, which prevents effective communication and quick troubleshooting. Fostering collaboration, combined with a system-wide monitoring strategy that aligns with business objectives, can help CISOs integrate enterprise security more effectively.
According to Gregg Ostrowski, CTO at AppDynamics, CISOs must drive teamwork and innovation, and take a leadership role that influences the culture of each team. “By aligning better with the CIO and other business leaders within a company, CISOs can foster an environment where security and IT teams work in tandem, leading the brand to success.”
Insufficient threat awareness is detrimental to the security planning of companies. Failure to adequately monitor threat trends may result in technologies, services, and practices that are not clearly related to actual risks and threats. “The organization is then rich in technologies, but poor in security,” warns Alicia Lynch, CISO at SAIC, an IT service provider for the government sector.
The manager recommends establishing a process that defines the collection and filtering of trustworthy information about important trends observed in the wild. The insights gained could be merged with in-house information to identify vulnerabilities that need to be addressed. “Without a mature methodology to filter the noise and focus on the points relevant to your business, CISOs will miss important security-related information,” Lynch warns.
This post is based on an article from our US sister publication CSO Online.
* John Edwards is a freelance writer.