There are two fundamental truths for anyone working in security. The first is that there is an increasingly sophisticated threat landscape, making it impossible to be 100% secure. The second is that humans are human, and mistakes will be made, but potential errors have increasing impacts.
Combine these two truths with rapid technological change and the need for organizations to stay relevant in the digital age, and the role and importance of the CISO must evolve significantly. Without doubt, cybersecurity is now a boardroom discussion. If you're a CISO, you've been hired to make an impact, and with any new leadership role, it's difficult to balance the business, your goals, and the relationships you're forming. The following will help set you up for continued success.
1. Use and Automate Data
Don't fly blind. You want quick clarity on security performance and the measures, controls, and frameworks you're using to define this. Don't assume any person or system is able to give you the full picture. There are several options available, all of which come with pros and cons. Audits from large consultancy firms are popular but will only give you a single snapshot in time, meaning that the conclusions will be out of date almost immediately.
And of course, static manual audits aren't automated. Any reporting to show improvement, monthly status requests, or even ad hoc insight requests from your board will require your team to deliver manual updates or another audit. This route is expensive. You could see much of your hard-won budget going toward audits or manual reporting rather than improving security.
Be aware of the manual reporting process. Gathering, cleansing, and unifying data to connect the dots isn't straightforward. The battle to find out what information has been missed is never-ending. The result is information that may or may not give you an accurate view, and quickly, you could be back where you started. Automation brings tangible benefits: speed, reduction in error, and greater insights as computers may well capture things teams can't see in the pressure to complete the task.
2. The Devil Is in the Inventory
Understanding what you have and should be protecting seems obvious, but this often is a challenge. Clarity on what you have (devices and apps), where it all is (region or business line), and who is using it (identity) is critical for making fast, accurate decisions. Make sure your approach leverages and cross-references data from across HR, business, security, and IT to capture as many devices as possible.
It's essential to have a breakdown of devices by, at least, technology and business attribute aligned to your business strategies, such as region or product line, to understand your exposures and measure your risk
3. A Risk-Based Approach
Without insight into your risk appetite, you can't start to drive a risk-based approach to security or even begin to understand if you have the right budgets or ROI measures in place.
Once you've established this risk appetite, determine your level of acceptable cybersecurity risk, and what controls you need in place to support this. To do all of this effectively, you must break down communication silos and connect the dots across the executive suite to security and IT. The goals are getting alignment against agreed acceptable risk, and creating an operation plan that focuses your limited resources on the areas of remediation where there is the most significant return.
4. Remember Relationships
As the role of CISO evolves, it's becoming a key conduit between the business, IT, and risk teams. It's inherently an interdepartmental/interdisciplinary role and, due to the nature of the relationships, one that tends to govern by influence. This requires trust. Working off a single source of trusted data becomes critical to building that trust.
All teams that touch the security process need to be aligned behind and feeding into a single source of trusted data. If not, time and effort will be wasted on arguing over the validity of the data, creating setbacks in any security improvement process.
5. Spokesperson for Cybersecurity
You will elevate your role within the business if you can communicate the plain facts about security, risk, and compliance with confidence to get buy-in for your plan and strategy. When providing information to the C-suite, it's vital to remember this team is accountable, too, and can help ensure that the entire company is appropriately prioritizing your initiatives. Make sure you have the technology and procedures in place to be able to provide timely, accurate, and appropriate information to stakeholders. The last thing you want to do is report improved results to the board only to retract this information at the next meeting because you didn't have the full picture due to incomplete data.
Three key indicators will help you avoid pitfalls: timeliness, accuracy, and appropriateness. You can't be 100% secure, but you can be 100% sure of your position.
By solving the data challenge and moving to a risk-based approach, modern CISOs address the basics of enterprise cyber hygiene and drive a more aggressive approach. An ever-improving cycle of data gathering, insight, and efficient use of resources will create a machine that will automate improvement and improve security, allowing you to build key relationships based on trusted, accurate data.
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.