[BreachExchange] What CISOs should focus on when deciding on a strategy

Destry Winant destry at riskbasedsecurity.com
Mon May 13 09:40:16 EDT 2019


https://www.helpnetsecurity.com/2019/05/13/ciso-focus-strategy/

The effectiveness of an organization’s security strategy and
implementation can sometimes be difficult to assess. Michael Hamilton,
President and CISO of CI Security, says looking at a number of key
performance indicators can help.

A CISO wants to see most of these trending down:

- Incidents per unit of time
- Cost per incident
- Time to incident detection
- Time to incident close
- The number and severity of compliance audit findings (if there are
no legal compliance requirements, audits can be conducted against a
framework such as the NIST Cybersecurity Framework or the CIS Critical
Controls)
- The number of risk management and compliance audit corrective actions.

In fact, the only thing a CISO should want to see trending up is
accuracy in budgeting.

Deciding on a strategy

CISOs whose organization is in the middle of a major digital
transformation effort and want to make the transition as smooth as
possible should do everything they can to achieve a successful
collaboration with the CIO.

One reasonable strategy that won’t break the bank is starting with
policy that is applied consistently across the organization regarding
standards and oversight for the technology procurement process.

“‘Sell’ that to governance as a way to transfer the cost of security
to technology vendors by creating procurement requirements that
address security – upgrade paths, time to patch release, no
unchangeable factory defaults, etc. Vendors will (ultimately)
respond,” Hamilton counsels.

“Focus then on managing the impact of technology compromise through a
focus on detection and response – admitting that all this new junk is
increasing the attack surface and it has to be watched, and small
fires put out before they burn down the house.”

And for that day when a security breach becomes reality and the CISO
has to explain (i.e., justify) to the board their investment strategy,
he advises them to explain that all controls in place were based on
measured risk, that regulatory compliance status was reported and
known, that there were audit artifacts to support that, that there is
insurance to cover losses, and that all funding was to cover those
activities and other areas of focus (consultants, managed services,
maintenance payments on security technologies, training/conferences
for staff, etc.).

“I would point out that (as they have undoubtedly explained to
executive management), a security event is expected given the range of
threats to which the organization is exposed, and that, with their
focus on detection and response, they are as prepared as possible to
minimize the impact of the event as they execute on their response
plan,” he notes.

CISO challenges

To become a CISO, one needs to have an advanced degree (preferably
part technical and part business), but the job also requires
budgeting, people management, strategy, audit survival, executive
influence and communication skills that one can really only learn by
working through them in real life, Hamilton opines.

“The best qualification is experience in as many of those skills as
possible, as evidenced by the number of roles a person has held along
their information security journey,” he says.

Another must is making an effort to get to know and understand the
people in the various leadership positions.

“Most organizations are federated into departments or agencies, which
have different business functions, cost centers, and assets to
protect. Meeting the leadership and learning as much of the detail
around each of those business units, departments, or agencies tends to
smooth the governance process and improve your influence when making
business or regulatory cases for controls. Leading your staff is most
effective if you’ve been in their seats and have authentic empathy for
the tribulations of their roles,” he maintains.

CISOs are facing a variety of challenges. Among them is a pronounced
problem affecting the whole infosec industry: the dearth of security
professionals who are good, long-term full-time employees.

This employee gap can be closed with the help of full-service
(consulting and managed) security service providers and, as a result,
CISOs may end up managing a far more virtual team than they are
accustomed to, Hamilton points out.

“I also believe that the current threat environment and the potential
to become collateral damage in a nation-state act require a different
type of planning than that to which we are accustomed.
Public policy (including military policy) will become more important
to business and should be watched closely. Finally, privacy is now a
main driver of information security, and the increasing expectations
of consumers, shareholders, and international regulators will be added
to the pile of concerns,” he concludes.
