Five secrets of successful CISOs: Communication, regulation, and more
Today’s CISO is bombarded by jargon. Vendors want them to believe that everything from artificial intelligence and machine learning to blockchain is the silver bullet that will solve all their problems. Away from the marketing and hype, the reality is very different: at the end of the day, what CISOs really care about is getting the basics of security right.
More often than not they are caught between a rock and a hard place. Attacks and threats grow ever more sophisticated, yet senior management remains blissfully unaware of the tightrope CISOs have to walk every day.
Here are five things CISOs can do to get the most out of those cyber security basics.
Discover your IT assets
Discovering IT assets is crucial to getting the security basics right. Knowing what data you have and where it is located is an essential first step, and it is often easier said than done. Research from Kenna Security shows that most companies spend up to 15 hours per week on data discovery, most use more than 15 different tools, and even then they discover only 60%-70% of their assets.
Such poor visibility stops organizations from setting the right goals; they are doomed to fail before they start. CISOs need a way to discover the maximum number of assets in the least amount of time. As yet there is no one-size-fits-all solution. The answer lies in combining automated discovery software, the reconnaissance techniques attackers themselves use to find subdomains, exposed resources and properties, and a person who owns the process full-time. Because each tool sees a different slice of the estate and names the same asset differently, the outputs have to be normalized and merged into a single inventory rather than compared by eye.
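The following is an added example, not code from the original article, showing the merge step in practice: it takes the exports of several discovery sources (here three hypothetical tools with constructed sample data), normalizes hostnames and IP literals so the same host is counted once, and reports each tool's coverage, the assets only one tool saw, and the assets the system of record does not know about.

```python
"""Reconcile asset lists from several discovery tools into one inventory.

Added example; not code from the original article. Tool names, hostnames
and addresses below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Constructed output from three hypothetical discovery sources, one
# "<tool>,<asset>" per line. Each tool names the same host differently
# (case, trailing root dot, IPv6 formatting), which is exactly what makes
# eyeballing a dozen tool exports impractical.
SAMPLE_FEEDS = """\
cmdb,WWW.Example.COM
cmdb,10.0.1.20
cmdb,mail.example.com.
cmdb,2001:DB8::1
scanner,www.example.com
scanner,10.0.1.20
scanner,10.0.1.21
scanner,2001:db8::1
dns-recon,dev.example.com
dns-recon,staging.example.com
dns-recon,www.example.com
dns-recon,mail.example.com
"""


def normalize(asset: str) -> str:
    """Canonicalize one asset so the same host from two tools compares equal."""
    asset = asset.strip()
    try:
        # IP literals: ipaddress gives the canonical text form (compressed,
        # lower-case IPv6), so 2001:DB8::1 and 2001:db8::1 collapse to one.
        return str(ipaddress.ip_address(asset))
    except ValueError:
        # DNS names are case-insensitive; drop the trailing root dot too.
        return asset.lower().rstrip(".")


def parse_feeds(text: str) -> dict[str, set[str]]:
    """Map each tool to the set of normalized assets it reported."""
    seen: dict[str, set[str]] = defaultdict(set)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        tool, asset = line.split(",", 1)
        seen[tool.strip()].add(normalize(asset))
    return dict(seen)


def reconcile(seen: dict[str, set[str]], authoritative: str) -> dict:
    """Merge tool views and surface the gaps a CISO should care about."""
    inventory = set().union(*seen.values())
    # Share of the merged inventory each tool saw on its own.
    coverage = {tool: len(assets) / len(inventory) for tool, assets in seen.items()}
    # Assets only one tool found: drop that tool and they vanish from view.
    single_source = {
        asset: tool
        for tool, assets in seen.items()
        for asset in assets
        if sum(asset in other for other in seen.values()) == 1
    }
    # Assets the system of record does not know about (shadow IT candidates).
    unknown = inventory - seen.get(authoritative, set())
    return {
        "inventory": inventory,
        "coverage": coverage,
        "single_source": single_source,
        "unknown_to_authoritative": unknown,
    }


if __name__ == "__main__":
    report = reconcile(parse_feeds(SAMPLE_FEEDS), authoritative="cmdb")
    print(f"{len(report['inventory'])} unique assets")
    for tool, share in sorted(report["coverage"].items()):
        print(f"  {tool:10s} saw {share:.0%} of them")
    print("only one tool saw:", report["single_source"])
    print("not in CMDB:", sorted(report["unknown_to_authoritative"]))
```

On the sample data each tool individually sees four of the seven unique assets, which is the 60%-70% picture the research describes; the assets that appear in only one feed are the ones most at risk of disappearing from view when a tool or licence lapses, and the assets absent from the CMDB are the first candidates for an ownership conversation.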
Take internal cloud security measures
More and more organizations are embracing cloud services, and as they do, internal data security measures for the cloud become a pressing issue. Preparing for internal cloud security is about having the right management team and access to the right tools.
A successful cloud security strategy is not straightforward, and it begins with a collaborative approach. Assemble a team of key decision-makers and stakeholders, starting with the CISO and including infosec and application professionals. Working as a group improves both the quality of the strategy and the cooperation needed to carry it out.
Internal cloud security also requires a mix of new and old technologies: network penetration testing, dynamic application security testing, automated patch management and vulnerability assessment, user and entity behaviour analytics (UEBA) and security information and event management (SIEM) covering cloud services, and cloud access security brokers (CASB). All this is in addition to the security services available from the cloud providers themselves.
Finally, raise security awareness among employees. It is important that everyone understands their personal responsibility for data security in the company.
Secure people, not the perimeter
Cloud environments render the traditional network perimeter largely meaningless. What matters instead is being able to authenticate the identity of remote users, since employees today frequently work from home or while away on business trips. Security measures need to adapt: protection for user identities is central to a cloud security strategy.
Multi-factor authentication (MFA) can sharply reduce the risk of account hijacking from stolen or phished passwords, although not all factors are equal: one-time codes sent by SMS or generated by an app can still be relayed by a real-time phishing proxy, whereas phishing-resistant methods such as FIDO2/WebAuthn security keys bind the login to the legitimate site. In addition, a CASB sits between your users and the cloud platforms they use, monitoring traffic and enforcing policy on the data that moves in and out of cloud services.
Clear lines of communication
IT departments are used to working within tight budgets, but CISOs have come to appreciate that they have a better chance of success if they have clear lines of communication to the board of directors and can express themselves in terms the board readily understands (usually financial). The CISO who frames the conversation in terms of business benefits and financial risks is more likely to get their attention than the one who simply talks about new threats.
The most persuasive arguments focus on metrics, for example:
- Baseline: How much money can the company afford to lose, and what probability of a breach is acceptable?
- Situation 1: No investment in IT security. How much money would the company lose in the event of a breach, and how likely is a breach?
- Situation 2: Some IT security investment. How much money would the company lose in the event of a breach, and how likely is a breach?
Furthermore, calculate the cost of the additional security measures and explain in detail how the security team would spend any extra budget. A risk assessment will help build a concrete case.
Potential negative outcomes, along with how the investment in new technology will benefit the business, should both be explained. Examples might include making internal business processes more efficient, saving time, or freeing up resources for innovation. Other benefits worth mentioning are enhanced customer satisfaction, increased stakeholder returns, and the way improvements in process transparency help pass compliance audits. In short, the additional outlay needs to help the company reduce costs, increase revenues and boost profits.
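Here is an added example, not code from the original article, that puts the baseline and the two situations above into a comparable model. It frames the comparison as annualized loss expectancy (expected loss per breach times expected breaches per year) and return on security investment (ROSI), terms the article does not use, and every figure in it is a constructed illustration rather than real data.

```python
"""Put the three budget scenarios above into numbers.

Added example; not code from the original article. It frames the
comparison as annualized loss expectancy (expected loss per breach times
expected breaches per year) and return on security investment (ROSI),
terms the article does not use, and every figure below is a constructed
illustration rather than real data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    breaches_per_year: float            # likelihood of a breach, as an annual rate
    loss_per_breach: float              # expected cost of one breach (currency units)
    control_cost_per_year: float = 0.0  # what the proposed measures cost annually

    @property
    def expected_loss(self) -> float:
        """Annualized loss expectancy: likelihood times impact."""
        return self.breaches_per_year * self.loss_per_breach

    @property
    def total_cost(self) -> float:
        """What the company actually pays per year: expected losses plus controls."""
        return self.expected_loss + self.control_cost_per_year


def rosi(before: Scenario, after: Scenario) -> float:
    """Return on security investment: (risk reduction - spend) / spend."""
    if after.control_cost_per_year <= 0:
        raise ValueError("ROSI is undefined when nothing is spent on controls")
    reduction = before.expected_loss - after.expected_loss
    return (reduction - after.control_cost_per_year) / after.control_cost_per_year


def break_even_spend(before: Scenario, after: Scenario) -> float:
    """Largest annual control spend at which the investment still pays for itself."""
    return before.expected_loss - after.expected_loss


def within_appetite(s: Scenario, max_expected_loss: float, max_probability: float) -> bool:
    """The baseline question: is this scenario inside what the company can accept?"""
    return s.expected_loss <= max_expected_loss and s.breaches_per_year <= max_probability


# Constructed figures for a hypothetical company (the baseline and two situations).
APPETITE = {"max_expected_loss": 500_000.0, "max_probability": 0.25}
NO_INVESTMENT = Scenario("no new investment", breaches_per_year=0.5, loss_per_breach=2_000_000.0)
WITH_INVESTMENT = Scenario("proposed program", breaches_per_year=0.2,
                           loss_per_breach=1_500_000.0, control_cost_per_year=300_000.0)

if __name__ == "__main__":
    for s in (NO_INVESTMENT, WITH_INVESTMENT):
        print(f"{s.name}: expected loss {s.expected_loss:,.0f}/yr, "
              f"total cost {s.total_cost:,.0f}/yr, "
              f"within appetite: {within_appetite(s, **APPETITE)}")
    print(f"ROSI: {rosi(NO_INVESTMENT, WITH_INVESTMENT):.0%}")
    print(f"break-even spend: {break_even_spend(NO_INVESTMENT, WITH_INVESTMENT):,.0f}/yr")
```

The break-even figure is the one worth bringing to the board: it is the most the company can spend per year on the proposed measures before the investment stops paying for itself, so it bounds the budget request from above, while the appetite check shows whether the unfunded scenario is even acceptable in the first place.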
Know regulations inside out
If you have a compliance department, work closely with it. Compliance requires teamwork, and IT security teams achieve far more when they work closely with other parts of the business.
In summary, the secrets of CISO success in 2018 are security awareness, knowing which data is most at risk, and a plan that sets out which security efforts come first. If necessary, be prepared to state your case for extra budget. Be aware that no single technology will address every threat or solve every issue at once. As long as the company is online it can never be 100% secure, but it can be a tough enough nut to crack that attackers find it easier to go elsewhere.