Be honest – how many of you CISOs out there are relying on a kind of “Fingers Crossed” approach when it comes to protecting your most valuable organizational assets?
If you are nodding quietly in answer to this question, you’re not alone.
We get it. The role and responsibilities of the CISO have changed dramatically since the role’s inception in the 1990s.
20 years ago, CISOs were focused on securing and defending the network perimeter. This meant ensuring firewalls were configured properly, vulnerabilities were patched and anti-virus software was up to date.
Boy, has the role changed…The responsibilities have grown almost exponentially. I think this remark describes the evolution rather well:
“The role is almost a unicorn – technical, but with people skills. Executive-level, but with project management capabilities. Laser-focused prioritization but with broad overview knowledge and understanding.”
Today’s CISO needs to be intimately acquainted with all the regulatory requirements pertaining to their industry, geography and data sets. They need to safeguard the vast amounts of sensitive data, identify and block all IT security threats – whether originating internally or externally – and ensure staff have the knowledge to spot and block sophisticated social engineering attempts.
And I haven’t even touched upon the sheer complexity of today’s network infrastructure and the myriad of systems, apps and devices they are expected to keep securely available for authorized users.
Reading this, it occurs to me that CISOs who’ve adopted a lets-pray-we-don’t-get-it strategy are not just putting the company, its business partners, employees and customers at risk, there is also the huge personal risk of being fired or “appropriately reassigned.” A CISO is the perfect scapegoat here.
And for every fair dismissal or reassignment, I’m willing to bet there is a smart, hard-working, well-intentioned CISO that gets caught in the crossfire, simply because of his/her job title.
Recently, at a SecureCISO Boston conference, TBG Security asked attending CISOs a number of questions around mitigating risk and improving IT security postures. Here’s a handful of questions that were asked, along with a synopsis of answers received:
Q1: What is your biggest obstacle to improving your security?
The three most popular answers here were:
- Lack of staff
- Lack of expertise/training
- Lack of budget
CISOs really need to think hard before accepting a role that does not allow them to do their jobs properly. Lack of staff, training and money are key to erecting a strong defense. InfoSecurity is touted as a number one concern for many organizations, but without these three components, a CISO cannot even bring in specialist information security consultants to assess the risk to business critical assets and help CISOs formulate a cost-effective plan to prepare for disaster.
Q2: What are you and your organization’s top issues concerning digital threats
- Brand impersonation, abuse and reputational damage
- Government, industry penalties associated with breach or non-compliance
- Phishing and malware attacks on employees and customers
Answers to this questions varied widely. CISOs, as we’ve established, have a lot on their plates to worry about, including compliance, cyberattacks, and reputation damage. Depending on the assets you need protect, the industry you are in and the regulations you need to follow, priorities and focus will differ.
Q3: How do you measure risk within your environment?
- Vulnerability scans
- System exposure analysis
- nothing enterprise wide yet
Most respondents did not feel they had a proper handle on their risk posture. Sadly, making everything more difficult for the CISO, there is no out-of-the-box approach. We recommend CISOs bring in experts that will first listen carefully to your requirements before making recommendations. Simply performing a standard pen test to prove your vulnerability helps no one. Every organization and system is vulnerable somewhere.
It is key is to nail down a clear and specific information security strategy that fits your requirements and reduces your organization’s (and your personal) risk exposure. A risk assessment should always be tailored to what your organization must protect.
Q4: Why do you believe your most valuable information assets are secure?
Almost every response we received to this question differed. Some said they chose to believe that they were secure, which was a bit shocking. One CISO, for instance, replied to this question with “Just do.”
Others admitted that they either had no confidence or minimal confidence in the security of their most valuable information, citing they aforementioned money, training or lack of talent as one of the primary culprits.
We can only hope that stakeholders are made properly aware of the situation. Stakeholders would be wise to pay attention when a CISO raises the alarm.
With October being National Security Awareness Month, the time is now to begin listing all the business-critical assets within your organisation. Once you know what to secure from unauthorised access, you can build realistic disaster scenarios for stakeholders to help drive the problem home. The hope of course is that you get them to stump up the resources you need to do (and keep) your job.
Want to discuss any of these elements more in depth? Give the info security and compliance experts at TBG a call – they’re here to help.