[BreachExchange] Enterprise Cybersecurity: Three Topics to Discuss With Your CISO

[Destry Winant]

https://www.securitymagazine.com/articles/91566-enterprise-cybersecurity-three-topics-to-discuss-with-your-ciso

As a consumer, I appreciate that many products and services have
become so intuitive that companies can seemingly foresee our needs and
offer future recommendations based on our preferences and prior
behaviors. However, as an executive at a tech company, I also have a
deep understanding of how challenging this can be for businesses to
fulfill the ever-changing needs of customers.

Despite this challenge, it is exciting to be on the cutting edge of
how technology makes this possible by allowing enterprises to make
decisions based on data analysis, automate manufacturing and better
target and deliver to customers through digital channels. With this
growing range of automation and digitalization in place, information
security now plays an important role in the overall organization
strategy, and business leaders need to consider security concerns more
closely than ever.

With this in mind, I’ve spoken to IT security leaders from enterprises
around the world to learn what their concerns are and how their
companies can overcome these roadblocks.

Security and IT – Cooperation or Chain of Command?

The increasing importance of cybersecurity is becoming clearly
reflected in organizational structures as companies tend to have IT
and IT security as two separate departments. Twenty-nine percent of
Chief Information Security Officers (CISOs) say that not reporting to
IT is the number one change in their role and 39 percent ranked it the
second most important, according to a recent survey of IT security
leaders.

Most security heads believe that this is a change for the better as
being separated from IT gives cybersecurity experts more independence
for impartial judgement. However, this doesn’t mean that the teams can
work completely independent from one another. For example, some
security essentials like patching, access control and secure
infrastructure configuration remains the responsibility of IT.
Additionally, if the two departments do not communicate well, the
cybersecurity department may not be informed of new IT initiatives and
cannot asses them in advance to ensure they are protected.

The majority of CISOs consider their relations with IT as positive,
but confirm that there can be conflicts. Some feel that it can be
difficult to determine who has the final say on important matters such
as deciding on patch management routines, the level of flexibility and
access to the systems for remote workforce or shutting down computers
and servers during a possible breach. Since cybersecurity is still
viewed as a bottle neck, security requirements can make it difficult
to launch new IT projects or maximize performance of the information
systems.

To create a well-balanced work environment, businesses should decide
on the right structure for them, taking into account the level of
maturity, budgets for IT and IT security and the size of the workforce
in each department. In some cases, it may not be worth separating the
IT department until you are confident the two departments could work
well together. Additionally, it would be worth considering having an
executive in place who can take charge of making sure both teams make
the necessary compromises.

Is It Enough to Count Blocked Attacks?

It is becoming increasingly important that business find a balance
between exploring new opportunities and minimizing risks, including
those related to cybersecurity. To achieve this, mature enterprises
must incorporate risk assessment and management.

Throughout their career, IT security leaders will see a variety of
metrics to measure the state of exposure to cybersecurity risks. This
includes the number of incidents an enterprise experienced over a
certain period, the amount of threats blocked by prevention solutions,
the number of completed cybersecurity projects or implemented
solutions, how many issues were patched and even the amount of money
allocated to cybersecurity. However, implementing measurable metrics
doesn’t necessarily mean one is assessing cybersecurity risks.

While it is a typical business approach to speak using numbers versus
industry jargon, figures and charts, when used as the only metric, do
not tell you everything about the actual state of security. The
quantitative data should be enriched with qualitative analysis to
determine what cybersecurity risks can affect IT assets and how likely
these situations are.

Cybersecurity risk management is a challenging task, but proves its
worth as it allows companies to prepare for the most likely and
significant risks for business. Risk assessment is key to establishing
accurate plans for further steps on how to mitigate risk and respond.
To achieve this, company leaders need to ask CISOs to calculate
cybersecurity risks and also to participate in the process to bring
their broader business expertise and insights to the discussion.

Is It a Lack of Security Talent or Lack of Education?

The shortage of qualified cybersecurity personnel is seen as an
ongoing problem in the industry, and 70 percent of respondents of the
aforementioned survey of CISOs confirm this. With this is mind, we
spoke with several CISOs to learn what they think about the lack of
talent in the industry.

Interestingly, some of the respondents think that the issue is not
finding the right candidate, but high expectations of a new employee.
CISOs confirmed that business leaders require immediate effect from a
new hire, so they have to look for highly qualified candidates with
unique skillsets instead of developing such talent internally.
Unfortunately, this greatly narrows the pool of candidates as there
are many different technologies and solutions on the market making it
difficult to find a person who has all the necessary skills and
experience.

Another reason why enterprises are reluctant to educate new hires with
less experience is concerns that they would invest in people who
receive elevated training and then leave for a better paying job.
However, given that such security specialists are rare, there is no
guarantee that a skilled professional will not receive a job offer
with more interesting tasks or higher salary.

To solve the issue with this shortage of talents, it is important for
businesses to approve “backup” vacancies in the information security
department that are not related to urgent projects. It is also
important that the new hires will be mentored and given not only
routine responsibilities like log reviewing or first-line alert
monitoring, but also the chance to learn something new and grow
professionally.

It is becoming clear that enterprise security depends not only on
implemented solutions, but also on how well-tuned internal processes
are in terms of communication between departments, hiring, training of
personnel and budgeting. I recommend business leaders pay attention to
these pertinent areas and discuss them with their respective CISOs
before challenges arise in order to make the best decisions for their
organization.