[BreachExchange] Top 5 Tactical Steps for a New CISO

Destry Winant destry at riskbasedsecurity.com
Fri May 8 10:48:05 EDT 2020


https://securityboulevard.com/2020/05/top-5-tactical-steps-for-a-new-ciso/

A CISO must get a strategic and tactical bearing on their new role,
company and the security program they are inheriting, leading and
developing. This article will focus on the tactical priorities for a
CISO that will help lay a strong foundation for success. Previously,
we discussed five key steps to lay an initial strategic foundation on
which these will rely.

Know the Business’s Operational Surfaces

In the previous article, we introduced the criticality of
understanding why, how and what the business is and does. The
business operates on its operational surfaces, such as cyber,
facilities, personnel, vendors and informational. These surfaces are
often arranged in order from external (public) facing to more internal
(non-public, or business) facing, and they are the foundations of
security control deployment. Because a larger breach is usually a
chain of subordinate breaches (often tunneling across surfaces), it is
critical that security controls are deployed surface-wide and
cross-surface, as a latticework ecosystem. When done well, this can
dramatically increase security performance and decrease the overall
cost to achieve it. The better you understand and cover these
surfaces, the better your security capability can control breach.

Know Your Business’s Assets

In the previous article, we introduced the importance of business and
stakeholder crown jewel assets. It should be security’s goal to
protect these from a security breach and associated impact. These
crown jewels typically consist of myriad subordinate operational
assets such as people, information, devices, applications, networks,
facilities and vendors. And these assets lie on—and even across—the
operational surfaces discussed in the previous section. In fact, it’s
typically these assets that threats seek, or leverage and breach, as
part of a breach chain. Further, many security controls are applied
directly or indirectly to these assets (to control breach). It follows
that to apply controls to these assets, there must be asset
inventories that are accurate and complete to both serve as an
“in-scope” list as well as to gauge cost to cover the scope. Asset
inventory quality and completeness are foundational to right-sizing
and justifying budget, security control quality and, therefore,
security program performance. Unfortunately, incomplete asset
inventories are a top weakness facing most security programs. In fact,
mismanagement of asset inventories introduces downstream problems of
critical measurement error into all further security performance
metrics, KPIs, reporting and executive beliefs and expectations.

Know Your Control Portfolio

A CISO must combine the above, and the strategic elements, to paint a
clear picture of the actual impact exposure of the business. You want
to understand and answer questions such as:

What security controls have we deployed? The CIS Top 20 is a great
starting point because it’s well-aligned to “real world” SecOps
deployments, teams and budget allocations.

On what operational/threat surfaces have we deployed them? And are we
covering all the surfaces evenly, or are we stronger/weaker in some?

To which assets on these surfaces have we deployed them? And how
complete is that coverage?

These will lead to a next set of questions:

How is control deployment aligned to crown jewels?
What controls have we overbuilt, underbuilt or forgotten?
What are our strengths and greatest control development opportunities?
What is our relative ability to predict, prevent, detect, respond,
recover from attacks and breaches across the asset surfaces?
How well do our controls work together as a team? What are our team
strengths and greatest opportunities?

A fundamental principle of war and sports is to play to your strengths
and your opponent’s weaknesses to best maximize your odds at an
expected outcome. Ensure you can easily manage the common attacks of
the many, before the sophisticated attacks of the few.
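As an added example (not part of the article), the script below turns the control-portfolio questions above into a coverage matrix over the article's five operational surfaces, lists crown-jewel assets with no control at all, and recomputes coverage after adding assets that were missing from the inventory, which shows how an incomplete inventory inflates every downstream metric. All asset, control and deployment data is constructed for illustration.

```python
from collections import defaultdict

SURFACES = ("cyber", "facilities", "personnel", "vendors", "informational")

# Constructed inventory: asset -> (operational surface, crown jewel?)
INVENTORY = {
    "payments-db":   ("cyber", True),
    "hq-badge-sys":  ("facilities", False),
    "payroll-staff": ("personnel", True),
    "saas-crm":      ("vendors", True),
    "customer-pii":  ("informational", True),
    "wiki":          ("informational", False),
}

# Constructed deployments: control (CIS numbering) -> assets it actually covers
CONTROLS = {
    "asset inventory (CIS 1/2)": {"payments-db", "hq-badge-sys", "saas-crm"},
    "mfa (CIS 6)":               {"payments-db"},
    "audit logging (CIS 8)":     {"payments-db", "saas-crm", "customer-pii"},
}

# Constructed "shadow" assets that exist but never made it into the inventory
SHADOW = {"legacy-ftp": ("cyber", False), "contractor-laptops": ("personnel", False)}


def coverage_by_surface(inventory, controls):
    """Fraction of inventoried assets on each surface that have at least one control."""
    covered = set().union(*controls.values())
    tally = defaultdict(lambda: [0, 0])          # surface -> [covered, total]
    for asset, (surface, _) in inventory.items():
        tally[surface][1] += 1
        tally[surface][0] += asset in covered
    return {s: (c / t if t else 0.0) for s, (c, t) in tally.items()}


def unprotected_crown_jewels(inventory, controls):
    """Crown-jewel assets with no control deployed: the first gaps to close."""
    covered = set().union(*controls.values())
    return sorted(a for a, (_, cj) in inventory.items() if cj and a not in covered)


def coverage_with_shadow_assets(inventory, controls, shadow):
    """Coverage recomputed once the missing assets are counted; the drop is the
    measurement error the incomplete inventory was hiding."""
    return coverage_by_surface({**inventory, **shadow}, controls)


if __name__ == "__main__":
    for surface in SURFACES:
        print(f"{surface:14} {coverage_by_surface(INVENTORY, CONTROLS).get(surface, 0.0):.0%}")
    print("unprotected crown jewels:", unprotected_crown_jewels(INVENTORY, CONTROLS))
    print("cyber coverage with shadow assets:",
          f"{coverage_with_shadow_assets(INVENTORY, CONTROLS, SHADOW)['cyber']:.0%}")
```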

Know Your Resources

In the previous article, we discussed the importance of knowing your
working and total budget. This is the key starting resource that makes
your people, technology and vendor resources possible. In the
previous section, we noted that you should scope out the quantity and
capability level (quality) of resources that you need to [re]deploy to
the necessary controls to cover in-scope assets. You will want to
calibrate your existing resources to best meet those prioritized
needs, and this structured approach also simplifies further budget
planning and justification. To gain these resources, they must be
calibrated and justified to a result, or executives will have a
difficult time justifying these resources—which are relatively
scarce—against the many other business units also pitching for funds.

Know Your ‘Must-Haves’ and Your ‘Nice-to-Haves’

Enumerate your in-scope surfaces, assets, controls, control deployment
to surfaces and assets, resources, services, products and projects.

Map these to “must-haves” versus “nice-to-haves” versus “Why do we have this?”

This will feed into the strategic plan and help prioritize budget and
resource requests and reallocations, justify opportunities with
current resources and justify opportunities with greater resources—or
demonstrate capabilities if resources are reduced.

Ultimately, the better you understand your tactical resources and
capabilities as a CISO, the better you can inform your strategic
options, pitches and justifications.
