The role of a Chief Information Security Officer (CISO) revolves around risk. Specifically, the CISO’s job is to identify, manage, and, where possible, mitigate risks in a manner consistent with the enterprise’s business goals. The CISO continually evaluates the enterprise’s technical and information assets against the probability and consequence of any given attack, and, based on this quantitative analysis, allocates protective resources to those assets. The CISO also promulgates, trains, and evaluates the implementation of personnel security best practices, ensuring that employees are thoroughly versed in the identification and avoidance of threats that can lead to a breach.
While a relatively new role within enterprise leadership, the CISO has assumed an outsized importance due to the potential for a “perfect storm” resulting from a breach or other successful attack. An enterprise on the receiving end of an incident may not only suffer data loss, physical destruction, and service interruption, but also devastating reputational damage compounded by regulatory sanctions. However, such devastation is avoidable, as risk is the inverse of opportunity, and the CISO plays a pivotal role in “making lemonade” out of the risk “lemons”. According to Gartner analyst John Wheeler, “By proactively assessing risk appetite and the value of the desired business outcome, CIOs and chief information security officers (CISOs) can transform digital risk management into a competitive advantage.”
Here are five ways CISOs are working to improve cybersecurity across their enterprises:
- Integration of Automated Security Tools
The volume and scale of cybersecurity threats is overwhelming. A talented information security team operating in a traditional, manual mode simply doesn’t have enough hours in the day to identify, manage, and respond to current and emerging threats. Fortunately, there is a wide array of automated security tools that can be integrated into the information security team’s processes. These tools are force multiplier that can dramatically improve the speed with which the team finds, assesses, and eliminates the latest threats and gathers forensic data to support breach investigations.
Integration between tools is a critical, but often overlooked, element. Security tools are often narrowly focused and siloed in deployment, leaving the CISO to manage a range of disparate, disconnected tools. As a result, the information security team often spends an inordinate amount of time deriving information from the various data provided by the different tools. This takes time and distracts the team from its primary objective of protecting the enterprise. Selecting tools that provide an integrated view, seamlessly amalgamating information from many inputs in a “single pane of glass” can help the CISO to more rapidly gain broader situational awareness as to the enterprise’s cyber health.
- Thinking Strategically about the Business
CISOs must also consider business strategy, goals, and objectives, and the role they’ll play in supporting that path. It’s not enough for the CISO to be a technician. She must also be a skilled program manager, with a suite of project management tools that enable her to present a holistic, integrated view of how the organization is managing its risks. This is especially important when the CEO, CIO or Board of Directors needs a cyber health assessment that includes proactive risk management strategies and efforts. CISOs that have only held developer roles or focused primarily on hardware or data center management should consider business or management education to expand their strategic thinking skill set to more effectively support the executive team.
- Improving Communication Skills
The CISO role also requires excellent communication skills and the ability to present risks in a non-technical manner to a broad audience. The CISO, in many ways, is a change agent, responsible for creating a proactive risk management plan. The plan is only as effective as the CISO’s ability to convey its seminal points and implementation, and to gain the enthusiastic support of enterprise decision makers. Consequently, the CISO must acquire and hone written, graphical, and presentation skills. More importantly, the CISO needs to internalize the mantra that “if she can’t communicate it, it doesn’t exist.”
- Improving Training Effectiveness
Cybersecurity incidents often start with people. Employees might use weak, infrequently cycled, passwords. Vendors, partners, and other third parties are often given unrestricted access to the enterprise network. Staff might fall victim to phishing schemes, clicking on a malicious link that expose the entire enterprise. People are the weak link, and a CISO must include training her risk mitigation plan. The CISO needs to gain consensus for resourcing this training from the CIO and the CEO, and the Board, all of whom must stress the importance of improving security practices across the enterprise. The CISO should carefully review training feedback to identify and remediate gaps in personnel related security measures. CISOs must also develop insight into employee behavior as it relates to security, and develop bold, innovative, and measurable strategies to fix the problems identified.
- Ensuring Data Privacy and Compliance
Regulations such as the European Union’s far-reaching General Data Protection Regulation (GDPR) have organizations scrambling to emplace safeguards necessary to meet the regulations’ requirements. Managing data to meet compliance regulations is a difficult and cross-disciplinary task, requiring that the CISO work in concert with other business unit managers. It’s the operational leadership who can provide insight into where information is stored, and which information is a critical part element of successful operations. Remaining in compliance requires the synchronization of several strategies, including: the implementation of access controls, improving cooperation among partners, and maintaining continual awareness of evolving compliance regulations.
The number of cybersecurity incidents continues to rise, and actively planning for and mitigating these occurrences has a direct relationship to an enterprise’s continued viability. CISOs that have leadership’s support in tackling cybersecurity issues aggressively and an intimate understanding of the business can significantly improve the enterprise’s resiliency. And they’ll greatly improve the value they and their information security team generate for the business.