[BreachExchange] Changing The CISO's Mindset To A Fact-Based, Holistic And Multilayered Approach
Destry Winant
destry at riskbasedsecurity.com
Tue Mar 2 10:55:16 EST 2021
https://www.forbes.com/sites/forbestechcouncil/2021/03/02/changing-the-cisos-mindset-to-a-fact-based-holistic-and-multilayered-approach/?sh=11d6189f3c7d
After over 20 years of working in the cybersecurity industry, it has
become abundantly clear that CISOs are being flooded with an endless
barrage of security information. They need to constantly question
their sources of information, their vendors’ security postures, where
to invest their resources, how to optimize their investments and which
vulnerabilities pose the biggest threats to business continuity.
With so many challenges, it has never been more important for CISOs to
change their mindsets from a speculative, compliance-driven and
unilayered approach to a fact-based, holistic and multilayered
approach. Here’s how to get started:
Reassess Preconceived Notions
When assessing the security posture of an organization, CISOs cannot
afford to make assumptions. They cannot think that simply because
certain security measures are in place, their organizations are
unbreachable.
Instead, CISOs need to adopt the mindset of hackers by setting up a
team — or hiring an outside group — that will infiltrate their
organizations, breach their security systems, execute social
engineering campaigns, collect passwords and bypass each and every
security control, all with the ultimate goal of attacking the
organization exactly like a hacker would. This approach would enable
CISOs to better identify their organizations’ most critical
vulnerabilities and prevent real-life attacks before they occur.
Work With Data, Facts And Numbers
CISOs need to stop relying on estimations, guestimations and
speculations when it comes to their organizations’ cybersecurity and
instead embrace a fact-based, data-driven and mathematical approach.
They need to understand their organization’s vulnerabilities, the
probability of those vulnerabilities being exploited and the potential
business impact if such an attack were to be executed.
Armed with facts, data and mathematics, CISOs will be able to optimize
their cybersecurity investments by allocating their resources to the
places that matter most while simultaneously being able to justify
their investments and allocation of resources to their CEOs and boards
of directors.
Look At Your Organization In A Holistic Way
CISOs need to understand that cybersecurity assessments need to be
conducted in a holistic way that takes into account every
organizational asset. Failing to do so fails to take into account the
overall picture of the company’s cybersecurity vulnerabilities.
Looking at security issues in a siloed way, while working with various
products that don't necessarily work together, creates a variety of
problems.
Additionally, they need to understand that there is no “one size fits
all” when it comes to cybersecurity. Every organization needs to be
looked at in a personalized and tailored way that takes into account
its priorities, critical business assets and so on. What is critical
for organization A may be of little or no significance to organization
B — and vice versa.
Implement Multilayered Security Protection
Despite significant cybersecurity budgets, CISOs often fail to
allocate their resources properly. For example, many organizations are
very secure when it comes to their first points of access but aren't
very secure when it comes to their internal infrastructures.
Organizations are often not abiding by basic cyber hygiene, such as
using weak passwords, and as a result, once the initial point of
access is compromised, it is very easy for hackers to move laterally
within the organization. As a result, while their budgets may be high,
their overall cyber resilience is quite low. CISOs need to take a
“back to basics” approach that ensures that their organizations' most
critical assets and crown jewels are protected by many different
layers of defense.
Understand That Compliance Is Not Enough
While CISOs are aware of their cyber risks, they often pursue security
for the sake of compliance over broader and more crucial risk
management. CISOs need to understand that while compliance is a
necessary step toward improving security, it is simply not enough.
They cannot be driven by the concept of compliance or convenient
checklists. Rather, they must take full ownership over their
organizations’ security in a way that does not simply check boxes, but
that takes real, actionable steps toward improving their
organizations’ cybersecurity postures.
As CISOs watch and bear witness to even the biggest companies being
breached as a result of not abiding by basic cyber hygiene, it has
never been more important to take a fact-based, holistic and
multilayered approach toward cybersecurity.
More information about the BreachExchange
mailing list