Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

9/19/2018
10:30 AM
Nik Whitfield
Nik Whitfield
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

5 Steps to Success for New CISOs

You've been hired to make an impact. These tips can help set you up for continued success.

There are two fundamental truths for anyone working in security. The first is that there is an increasingly sophisticated threat landscape, making it impossible to be 100% secure. The second is that humans are human, and mistakes will be made, but potential errors have increasing impacts.

Combine these two truths with rapid technological change and the need for organizations to stay relevant in the digital age, and the role and importance of the CISO must evolve significantly. Without doubt, cybersecurity is now a boardroom discussion. If you're a CISO,  you've been hired to make an impact, and with any new leadership role, it's difficult to balance the business, your goals, and the relationships you're forming. The following will help set you up for continued success.

1. Use and Automate Data 
Don't fly blind. You want quick clarity on security performance and the measures, controls, and frameworks you're using to define this. Don't assume any person or system is able to give you the full picture. There are several options available, all of which come with pros and cons. Audits from large consultancy firms are popular but will only give you a single snapshot in time, meaning that the conclusions will be out of date almost immediately. 

And of course, static manual audits aren't automated. Any reporting to show improvement, monthly status requests, or even ad hoc insight requests from your board will require your team to deliver manual updates or another audit. This route is expensive. You could see much of your hard-won budget going toward audits or manual reporting rather than improving security.

Be aware of the manual reporting process. Gathering, cleansing, and unifying data to connect the dots isn't straightforward. The battle to find out what information has been missed is never-ending. The result is information that may or may not give you an accurate view, and quickly, you could be back where you started. Automation brings tangible benefits: speed, reduction in error, and greater insights as computers may well capture things teams can't see in the pressure to complete the task. 

2. The Devil Is in the Inventory
Understanding what you have and should be protecting seems obvious, but this often is a challenge. Clarity on what you have (devices and apps), where it all is (region or business line), and who is using it (identity) is critical for making fast, accurate decisions. Make sure your approach leverages and cross-references data from across HR, business, security, and IT to capture as many devices as possible. 

It's essential to have a breakdown of devices by, at least, technology and business attribute aligned to your business strategies, such as region or product line, to understand your exposures and measure your risk

3. A Risk-Based Approach 
Without insight into your risk appetite, you can't start to drive a risk-based approach to security or even begin to understand if you have the right budgets or ROI measures in place.

Once you've established this risk appetite, determine your level of acceptable cybersecurity risk, and what controls you need in place to support this. To do all of this effectively, you must break down communication silos and connect the dots across the executive suite to security and IT. The goals are getting alignment against agreed acceptable risk, and creating an operation plan that focuses your limited resources on the areas of remediation where there is the most significant return.

4. Remember Relationships 
As the role of CISO evolves, it's becoming a key conduit between the business, IT, and risk teams. It's inherently an interdepartmental/interdisciplinary role and, due to the nature of the relationships, one that tends to govern by influence. This requires trust. Working off a single source of trusted data becomes critical to building that trust.

All teams that touch the security process need to be aligned behind and feeding into a single source of trusted data. If not, time and effort will be wasted on arguing over the validity of the data, creating setbacks in any security improvement process. 

5. Spokesperson for Cybersecurity
You will elevate your role within the business if you can communicate the plain facts about security, risk, and compliance with confidence to get buy-in for your plan and strategy. When providing information to the C-suite, it's vital to remember this team is accountable, too, and can help ensure that the entire company is appropriately prioritizing your initiatives. Make sure you have the technology and procedures in place to be able to provide timely, accurate, and appropriate information to stakeholders. The last thing you want to do is report improved results to the board only to retract this information at the next meeting because you didn't have the full picture due to incomplete data.

Three key indicators will help you avoid pitfalls: timeliness, accuracy, and appropriateness. You can't be 100% secure, but you can be 100% sure of your position.

By solving the data challenge and moving to a risk-based approach, modern CISOs address the basics of enterprise cyber hygiene and drive a more aggressive approach. An ever-improving cycle of data gathering, insight, and efficient use of resources will create a machine that will automate improvement and improve security, allowing you to build key relationships based on trusted, accurate data.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Nik Whitfield is the founder and CEO at Panaseer. He founded the company with the mission to make organizations cybersecurity risk-intelligent. His  team created the Panaseer Platform to automate the breadth and depth of visibility required to take control of ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...