The cyber security market is overwhelmed by buzzwords. Artificial intelligence, machine learning, blockchain – all this attacks CISOs from every possible angle, from webinars and conferences to the media. Most vendors fall into the trends, forgetting about customer needs for the sake of a technology race. Unfortunately, the main problems for CISOs still lie within the borders of security basics.
New technologies will never bring any value to your company, unless you get your basic security right. While attackers and threats get more sophisticated, the level of security awareness at the board level often leaves much to be desired.
Here are five recommendations that you, as a CISO, can take advantage of to get maximum return on your cyber security efforts.
1: Know your assets
Before you start making strategic security plans, it is very important to find out what IT assets and data you have, where they are located and how critical they are. This may sound like obvious advice, but in fact, not every company can handle this task. The research carried out by Kenna Security showed that most companies spend up to 15 hours per week, using more than 15 different tools, but are still able to discover only 60%-70% of the assets.
Lack of visibility prevents organizations from setting the right goals, which means they fail even before they start. The main challenge here is to discover the maximum number of assets within the minimum period of time. There is no one-size-fits-all solution yet, but it may lie somewhere in between an automated data discovery solution enforced with recon techniques (used by hackers to discover subdomains, resources and properties) and hiring a full-time employee responsible for the process.
2: Develop cloud security skills
As more organizations migrate to the cloud, data security becomes a pressing issue. Cloud security is not easy, but possible to achieve, and needs a holistic approach for success. Start with major decision makers and bring key stakeholders, including CISO, InfoSec and application teams together into one agile group. This will greatly contribute to developing a cloud security strategy and improve cooperation.
The next step involves a mix of new and old technologies. Combine network penetration testing, dynamic application security testing, automated patch management, vulnerability assessment with UEBA and SIEM solutions for cloud services, and cloud access security brokers (CASB). In addition to that, leverage security services offered by cloud providers. This combination of management decisions and technical expertise will greatly add to your security efforts.
3: Focus on identity not perimeter
Gradually network perimeter security disappears, clearing the way to an identity perimeter concept. Your employees can now work remotely from home or business trips, so your security measures should be adapted accordingly. Set protection of user identity as your ultimate goal and develop a security strategy to support it. Start with multi-factor authentication (MFA) that will allow you to minimize risks of account hijacking, especially in case of phishing attacks, and with CASB to intercept and monitor data traffic between your network and cloud platform if you use cloud services. Finally, raise security awareness among employees. Thus, everyone will understand their personal responsibility for data security in the company.
4: Speak the language of C-levels
Lack of budget has always been an ever-present issue for IT. However, CISOs could have been more successful if they understood that their board of directors speaks the language of money. If you want to convince the C-suite to increase your funds, get ready to talk about business benefits and financial risks. When getting ready for your speech, make sure you can evaluate and explain the following measurements:
- Baseline: How much money you can you afford to lose and what breach probability is acceptable for your company?
- Situation 1: You have made zero investments. How much money will the company lose in case of a breach? What is the likelihood of a breach in this case?
- Situation 2: You have made investments. How much money will the company lose in case of a breach? What is the likelihood of a breach in this case?
Before the meeting, calculate the cost of risk reduction measures and be ready to explain in detail how the security team will spend it. Consider a risk assessment solution to articulate a clear plan.
In addition to talking about negative outcomes, support your statement with business benefits. Think strategically and explain how business can leverage technology. For example, if internal business processes become more efficient, cycle times will be lower, and business will gain more opportunities for innovation. In turn, the satisfaction rate of customers and stakeholders will rise, and transparent processes will simplify proof of compliance. Overall, the company will reduce costs and increase revenue and profitability.
5: Make compliance your BFF
Get the compliance department, if there is one, on your side. Compliance requires teamwork, so IT security teams can achieve more ambitious goals if they work together.
To survive in 2018 and beyond, CISOs should be aware of security and business risks, be able to prioritize security efforts, and do not hesitate to talk money and argue your position. Accept that there is no single technology solution to address all threats and solve all issues at once. You will never be 100% secured, but you can make your company a tough nut to crack.