CISOs are navigating an ever-more challenging and complex world as the level of cyber risk heightens. Taking control of this difficult situation means being sure of priorities. Here Christine Bejerasco explores the issues that should be high on every CISO’s list of strategic priorities.
Have both a top-down and bottom-up strategy
While CISOs and their teams are tasked with designing the cyber security roadmap of the organization, when the rubber hits the road some of these best-laid plans will be hindered by a lack of budget, lax enforcement, and an overabundance of information that is often not remembered by teams in the organization who are not regularly exposed to it. As such, if CISOs stay in their not-so-ivory towers drafting policies, standards, and requirements, they will end up isolating their role from the realities of the business.
This is why, in addition to a top-down strategy, a bottom-up approach is also valuable. It would help the CISO’s cause to have representation from the major units and supporting functions of the organization, in order to understand which assets those units handle in their processes, whether there are potential threats to those assets, and what protective capabilities could be put in place. Having a boots-on-the-ground approach can be quite eye-opening and can enable the CISO to brainstorm with the units and come up with solutions that are practical and effective.
Shape the path for people to succeed
Most of us are vigilant and effective at spotting cyber security issues when we are well-rested. However, at the end of the day, when people are tired and are about to go home, that phishing email might not look very ‘phishy’ at all. So, beyond training, what are the guardrails that we can implement to lessen the chance of people making mistakes? In CISO vocabulary, these are called controls. The more automated they are, and the less intrusive they are during normal usage, the more effective they are. Preventive technologies can be pretty effective when it comes to such controls. However, before deploying these technologies, it’s essential to understand how they will impact the daily processes of the people they affect. And it’s important to understand human behavior as well.
Consider building a secure-by-design organization
A secure-by-design organization is one where cyber security is baked into the processes, systems, services, and ways of working for the people. The utopian scenario would be one in which CISOs are not even needed at some point, because the organization simply adds cyber security as one of the requirements for everything it does. While that may bring fits and giggles to today’s CISOs, it’s a lofty target that, if embedded in the organizational culture, could make a CISO’s life so much easier.
In this secure-by-design organization, it’s necessary to strengthen the cyber security muscles of every employee. Humans are not the weakest link here; they are the organization’s strongest asset. Threat modelling when building code, processes, systems, and services is as natural as breathing in this type of organization. People bring the attacker mindset to the organization’s operations, and when there’s a need to accept risks, they do so fully knowing what the potential impact could be, and they revisit those risks by an agreed deadline.
In this organization, the teams and individuals take ownership of cyber security in their areas and understand that they are accountable for it.
Link your cyber security solutions to business outcomes
At the end of the day, a CISO function is a supporting function for the business. The reality is that if the business goes bankrupt, there is no need for a CISO function. From the growing possibility of a business going bankrupt due to a cyber compromise, to the need to find the right kind of compliance certifications and standards to externally show a company’s cyber security posture, the purpose of the CISO’s existence is not only to improve the chances of the business’s survival, but also to externally demonstrate that the business is secure.
Come budgeting season, it becomes a glorious pain for CISOs to defend the investments for the solutions they need to secure the organization, as well as the external cyber security certifications they need to acquire to increase the organization’s attractiveness as a supplier. This is why it is essential to know which business outcomes these investments support: if a proposal gets rejected, the decision-makers know exactly which business outcome is at risk.
Learn and speak the board and executive team’s language
Technology is only a part of the equation. CISOs must act as advisors for disparate business units and interpret their needs when it comes to putting forward the case for additional budget and resources to boards and other key stakeholders.
Being able to speak the board’s language and demonstrate the value of cyber security with metrics and data that are meaningful is important. CISOs need to have information that sets the value of cyber security in the context of the wider objectives of the business and shows how, ultimately, it will benefit the organization.
Whilst there is growing awareness amongst boards of the importance of security in reducing risk and ensuring compliance, CISOs need to present the value of security as a business enabler and revenue driver. This helps an organization become more agile and competitive.
Moreover, board members are personally liable for the risk management of their organization, so if the security investments are not bringing clarity to the core question of whether the security controls match the perceived security threats, then the security team is perhaps not helping the board to do their job. Communicating security’s value as a catalyst for driving top-line growth and improving bottom-line results will help to shift the perception that security is merely a cost centre.
Christine Bejerasco is Chief Information Security Officer at WithSecure.