[BreachExchange] 5 Questions CISOs Should Ask Themselves

Destry Winant destry at riskbasedsecurity.com
Mon Apr 8 04:11:01 EDT 2019


https://www.cisomag.com/5-questions-cisos-should-ask-themselves/

CISOs are the cornerstone for managing the high-level risks of data
security, which means they’ve got a lot on their plates. Detecting,
responding to, and protecting against threats requires them to
maintain compliance standards, select a strategic mix of technologies,
manage a strong security team, and empower the company’s broader
workforce to act effectively. (No pressure, right?)

The good news for CISOs is they’re not alone; there are tools that can
help. Here are five questions CISOs should ask themselves to make sure
they have the right tools and systems in place to better protect their
company’s data, people, and reputation.

How much of our cyber approach is dedicated to proactive threat
hunting vs. ongoing response?

As any C-level executive working in 2019 can tell you, the idea of
simply waiting for incidents to bubble up no longer holds water.
Organizations are realizing that proactive threat hunting is the key
to stronger protection and a better understanding of vulnerabilities. But
for many, dedicating headcount to threat hunting versus incident
response is not always possible. Putting out the biggest fires will
always be necessary, but when these fires consume the majority of a
team’s time, there are limited resources left to proactively look for
potential weaknesses in the organization.

Having a security platform that consolidates and contextualizes all
endpoint and server events can enable smaller teams to tackle both
threat hunting and quick incident response.

How often does alert fatigue impact our team’s ability to fully
investigate events?

Alarm fatigue is real. We see it in our personal lives, healthcare,
and just about all modes of transportation, and the consequences can
be dire. Cybersecurity is not immune. As sophistication grows in UBA,
DLP, and EDR technologies, the number of alerts, false positives, and
notifications will continue to overwhelm security teams (nine out of
10 security practitioners report an inability to triage all potential
threats). In an IT security survey by the Ponemon Institute, more than
37 percent reported facing more than 10,000 daily alerts; more than
half of those alerts were false positives. What happens when there’s
not enough time in the day to address every alert and an actual attack
is overlooked?

Have we asked vendors the hard questions about their machine learning and AI?

If you’re playing buzzword Bingo while reviewing your vendors, it
won’t take long to hit a winner. But slapping machine learning onto a
platform and building tools that allow machine learning to continually
improve efficiencies are two very different things, and you need to be
able to tell which one a vendor is doing.

Ask your vendors the hard questions. Please explain your algorithms in
detail. What are the specific trends and patterns targeted? Does the
tool capture its own data? If not, how do you determine the
reliability of the data? How do your algorithms react to data
imperfections? And, can you show me how it really works? Dig deeper
and it will quickly become clear when machine learning is going to
offer true value and when it’s simply marketing speak.

Have I checked all of the boxes for GDPR compliance?

The last year has been the most compliance-focused in the industry’s
short (albeit intense) history. As such, security teams have had to
shift time and resources to keep pace with new regulations. No longer
do fellow executives ask their CISO ‘Are we secure?’ They’re now
asking ‘How much will we be fined if we’re breached?’ GDPR has brought
an additional set of regulations, expectations, and opinions to the
industry.

“Quietly working out a plan will no longer be an option.” – Jacek
Materna, on GDPR

In the case of a breach, Article 30 states that you need to have
adequate data records for real-time auditing by a supervisory
authority. And the 72-hour rule adds to the urgency of identifying the
who and the what in a short amount of time. This means two things: you
need to collect a lot of data on your users and you need to be able to
find it quickly. Can your team do both today?

When (not if) a breach occurs, how quickly could we respond and control damage?

Managing day-to-day threat response across numerous platforms is a
headache. When a breach occurs, that headache becomes a migraine.

If you’re one of the companies suffering from the growing security
talent shortage, allocating additional resources to respond to a
breach is not always an option. Consolidated endpoint and server
visibility is crucial in minimizing the time to resolution and
containing the impact of the breach. But above all else, technologies
must enable you to get the most out of the resources you have
available today to ensure the fastest recovery.
