[BreachExchange] Why CISOs Need Partners for Security Success

[Destry Winant]

https://www.bankinfosecurity.com/blogs/cisos-need-partners-for-security-success-p-2730

CISOs need to work with partners in other departments to help ensure
the success of major security projects, says John Pescatore, a
director at the SANS Institute, which offers cybersecurity training
and certificates.

In a presentation at the RSA Conference 2019 in San Francisco,
Pescatore offered a good example of how this works.

Inform the COO that reducing downtime by adding security can have a
positive return on investment.

When the security team at health insurer Aetna was looking for ways to
ensure the success of its efforts to implement the Domain-based
Message Authentication, Reporting and Conformance, or DMARC, for email
delivery and authentication, it collaborated with the chief marketing
officer to gain buy-in.

The security team showed the CMO that DMARC would not interfere with
the company's marketing plans and email blasts to customers. Once the
DMARC protocol was ultimately implemented, it actually improved email
campaign click-through rates, apparently because customers knew they
could open emails without fear of phishing attacks or spoofing,
Pescatore explained

More Work to Do

More and more CISOs are buying into the strategy of involving members
of the C Suite as well as other leaders in key projects, Pescatore
said.

For instance, CISOs at power plants and other large manufacturing
facilities are working with COOs to show how business results are
affected when systems are offline due to a ransomware attack or
another type of cyberattack, clearly demonstrating why there's a need
for better security to improve reliability and resistance in the face
of an interruption.

In his presentation, Pescatore offered four examples of how CISOs can
work with C-Suite:

- Convince the CIO that security can enable IT cost reduction. For
instance, reducing permissions for employees to download applications
can make PCs and other equipment more secure by reducing malware
downloads while cutting down on call desk time.
-Inform the COO that reducing downtime by adding security can have a
positive return on investment. This relates back to the example of
better protection against malware and ransomware within power plant
facilities.
- Show the CMO that improved privacy can help increase click-though
rates as part of email marketing campaigns.
- Demonstrate to the head of human resources that offering data
security training to staff members so they can take on new roles can
save money because recruiting and retaining security professionals is
so difficult.

When CISOs want to add strong authentication and encryption into
various enterprise projects to help better the overall security
hygiene, Pescatore added, they should first demonstrate to the members
of the C suite how those steps can help the business and improve ROI.

DevOps

Another area where CISOs face challenges and must collaborate with
others is building security into the DevOps process.

One of the challenges with creating a good DevSecOps strategy, for
example, is that security can sometimes slow down the application
development process. The security team may not understand the goals of
the development team and may lack the skills to keep up with the rapid
pace of application development, Pescatore explained.

"So the slowdown is really two things," Pescatore told me after his
presentation. "The first is not understanding how the business works.
It's about saying no to everything when sometimes there's no risk that
anyone will care about. The second is skills - the security team might
not be up to the task of going as fast as the other side."

Monitoring Third Parties

For some projects, CISOs must work with other departments to make sure
the software they want to use meets security requirements.

CISOs should use security scorecards and other tools to help rate the
software, carefully assessing the risks that it might pose to the
company, Pescatore suggested.

He pointed out that Boeing made nearly 1,000 third-party software
providers that it used as part of its supply chain undergo an
authentication process to ensure security. Nearly 700 were able to
complete the task immediately - it was all a matter of asking.

"When it comes to the players we are not used to dealing with, and we
don't have the right checks in place, what should we do?" Pescatore
asked. "You need to create those standard approaches in order to make
it work."