CISO Archives - Security IT Summit | Forum Events Ltd

Posts tagged: CISO

Proving ROI in cyber security

Guest Post

Research shows that almost half of businesses have reported cyber security breaches or attacks in the last 12 months. Among the businesses that identified breaches or attacks, a growing share have experienced them at least once a week so far this year.

Moreover, the unprecedented events of recent months have seen the number of attempted data breaches continue to rise, with attackers exploiting the increase in remote working and individuals’ fears over the coronavirus. In fact, a survey showed that 50% of organisations were unable to guarantee that their data was adequately secured when being used by remote workers.

The issue is serious and many businesses are stepping up their cyber security strategies accordingly, with CIOs and their teams increasingly taking a seat at the executive board table. But one thing is still lacking: cyber security ROI. To truly engage with a strategy, board members need to see ROI from every department of an organisation, and cyber security is not exempt from that. However, demonstrating business value in areas such as compliance, risk management or data assurance has always been challenging.

Consequently, data security has historically been looked upon as a necessary cost of doing business. However, this no longer needs to be the case. As CIOs, CISOs and network security teams mature into their C-Suite role, proving the value of data security is now both a realistic and achievable corporate objective. Frank Richmond, Vice President Sales Europe, Certes Networks, explains just how CISOs and CIOs can get the Board on board… 

Cyber security as a strategic investment

Today’s network and data security approaches focus primarily on keeping attackers out, with threat detection and vulnerability management at the core. But modern CIOs and CISOs want, and need, more than this when reporting to the Board; they want “provable security”.

Securing data should be a strategic investment in an organisation’s risk strategy and should quantifiably contribute to the overall value of the business. CISOs expect their network security teams to be equipped with tools that will enable them to make real-time changes to applications based on observable network flow. They want to see that security policies are being enforced properly and, most importantly, to prove that their security strategy is actually effective.

To put this into practice, cyber security should be quantifiable, measurable and outcomes-driven. Keeping an attacker out of the network once is not, on its own, success; a cyber security strategy is effective only when it continuously puts data security first and measures its impact against key performance indicators (KPIs) that show Board members at a glance how imperative the strategy, and the technology behind it, really is.

In order to truly demonstrate the effectiveness of the organisation’s security strategy, CIOs and CISOs need to be able to visualise and understand their data, the associated applications, workloads and behaviour, with real-time contextual insight. This, in turn, enables that understanding to be passed on to other executive Board members.

The real value of cyber security

Armed with this insight, organisations can then take actionable steps not only to measure the effectiveness of their security strategy, but to gain deep understanding into how to enhance their security posture and to manage and enforce policies. With a data-driven approach to cyber security, the guesswork can be removed and CISOs and CIOs will be able to clearly demonstrate to the Board that ROI has been achieved.

With buy-in from the Board, data security is no longer merely a ‘necessary cost’ but a fundamental of business operations. The businesses that succeed in embedding this way of thinking will be able to continuously evolve their cyber security practices to keep their data safe.

The rise of the Chief Cybercrime Officer

Stuart O'Brien

Matt Cable, VP Solutions Architects & MD Europe, Certes Networks, discusses the role of the CCO and how the CCO and CISO should work in harmony to achieve the common cyber security goals…

The TalkTalk data breach in 2015 was monumental for the cyber security industry. At the time, data breaches were hardly new, but this particular breach resulted in UK MPs recommending that an officer should be appointed with day-to-day responsibility for protecting computer systems from cyber attack.

This governmental guidance was not a consequence of the size of the breach. With the personal details of 157,000 customers accessed, including the bank account numbers and sort codes of over 15,000 customers, it was certainly not the largest the industry had seen. Rather, the guidance resulted from the way in which the immediate situation, and the aftermath that followed, were handled.

In most organisations, the responsibility of following this guidance has historically fallen to the Chief Information Security Officer (CISO), with support from the CEO. In the wake of the TalkTalk data breach in particular, the CISO was given ‘free rein’ to strengthen the organisation’s cyber security capabilities.

The many faces of the CISO 

Yet the role of the CISO was not a new concept. In fact, the CISO dates back to 1994, when Steve Katz was hired to run the world’s first formal cyber security executive office and was subsequently given the title of CISO. Unsurprisingly, the role has many aspects to it: security operations, cyber risk and cyber intelligence, data loss and fraud prevention, security architecture, identity and access management, programme management, and compliance and governance, to name but a few.

Recently, however, the role has come under increasing scrutiny, and with the rise of cyber crime and the sophistication of cyber attacks, it is easy to see why. Research shows that over two-thirds of organisations have experienced at least one security breach in the past year, and that the majority of both CISOs and the wider C-Suite believe the CISO is ultimately responsible for the response to a data breach. With so many ‘hats’ to wear and multiple day-to-day responsibilities, set against a growing threat landscape, it is clear why many organisations feel it is time to add another role to the C-Suite.

Enter the CCO 

Enter the Chief Cybercrime Officer (CCO), whose remit will be to ensure the organisation is cyber-ready, to bear responsibility for mitigating breaches and take the lead if a breach does occur, and to provide the necessary link between the Board and the rest of the company so that risk is mitigated and issues are resolved collaboratively as they arise.

With the need for cyber security to become far more central to C-Suite strategies, this new role should ease the load on the CISO and ensure the organisation can get one step ahead of hackers in the cyber crime race. However, organisations must take into account the need for both the CISO and CCO to work in harmony, with clearly defined roles and support from the Board. 

Aligning to boundaries

With both the CISO and CCO working towards keeping the company’s data safe from cyber threats, it is essential for each role to be clearly defined. This definition may look different in each organisation, but each role, and the teams working with it, should have clear parameters and responsibilities so that in the event of a data breach the organisation clearly understands which steps should be taken, and who should take them.

In practice, this should make every CISO breathe a big sigh of relief. Many CISOs would identify cyber security as the greatest risk within their role, and when they are also juggling multiple other responsibilities, it is a lot to carry. With the CCO focused on the system architecture and the CISO focused on the security of the information within the organisation, there is no reason the two roles cannot work collaboratively towards keeping the organisation safe.

Making decisions 

With both roles working in tandem, the next step for organisations is to ensure the CISO and the CCO have enough influence with the Board to make critical decisions and resolve issues immediately. If all members of the Board have visibility of the entire cyber security strategy, and the strategy is regularly reviewed and updated in line with new threats and intelligence, the CCO and CISO can be given the responsibility to report and respond to incidents and make rapid decisions on behalf of the business. In the event of a data breach, removing unnecessary approval and authorisation steps ensures that the organisation can respond quickly and put remediating measures in place to minimise potentially catastrophic repercussions.

In a world where cyber security threats can’t be ignored, now is the time for the structure of organisations to truly be considered. Has cyber security been given enough prominence at Board level? Can decisions be made quickly? Can space be made for both the CISO and CCO to work in harmony? By asking these questions and making changes, organisations can ensure they are in a far better position to keep their data safe and protect their reputation.

Most Urgent CISO Skills 2020: Reporting, Avoiding Burnout, More Collaboration

Guest Post

By Jake Olcott, VP of Government Affairs, BitSight

Since the creation of the first CISO role about 25 years ago, the job has changed dramatically. What was once an uncommon position has quickly become standard, with the majority of companies now including a cybersecurity-specific role in their C-suites.

As cybersecurity has gone from niche issue to mainstream business concern, the CISO has become more important. And, although many CISOs come from purely technical backgrounds, new challenges have forced them to take on the responsibilities of business leaders.

As a result, the most important CISO skills are not necessarily technical in nature. Business skills like collaboration, communication, and management are just as critical for CISOs as they aim to reduce cyber risk in an increasingly fraught threat landscape.

Here are some of the most important CISO skills for 2020:

Collaboration

Cybersecurity is collaborative. The most efficient team of SOC analysts in the world can’t prevent incidents if employees in other parts of the organisation aren’t trained on good security hygiene. CISOs can’t give their teams the resources they need if their Board and fellow executives don’t understand security challenges and allocate the necessary budget.

Shockingly, however, only 22% of companies say their organisation’s security function is integrated with other business functions.

CISOs in 2020 and beyond will need to build collaboration skills in order to act as ambassadors for the cybersecurity program. Communicating security priorities to other departments and across lines of business or distributed workplaces is a challenge but gaining their buy-in is essential to maintaining effective security.

Avoiding burnout

CISOs don’t have it easy: 91% of CISOs say they suffer from moderate or high stress, and 27.5% say stress affects their ability to do their jobs. CISO burnout is real, and it creates new security risks as well as personal challenges.

Strange as it might seem, one of the most important skills for CISOs is making sure they don’t become victims of burnout themselves.

One aspect of avoiding burnout is stress management. Exercise, meditation, and other stress-reducing activities can be very helpful. However, personal stress management isn’t going to be enough to stem the burnout crisis. CISOs can also consider advocating for policies in their organisations that reduce the likelihood of job stress, such as workplace wellness programs or limiting after-hours email notifications.

Increasing employee engagement 

CISOs aren’t the only cybersecurity professionals at risk of burning out. 65% of SOC professionals say stress has caused them to think about quitting.

As the cybersecurity skills shortage drags on, the most effective CISOs will be the ones who make sure their best employees stay on long-term.

With a 0% industry unemployment rate, the market pressure is on the employer to keep employees happy, not the other way around. That means security leaders must hone their people-management skills and keep a finger on the pulse of employee engagement.

There are many techniques for increasing employee engagement, and each CISO will need to figure out what will work best in their own organisation. Some effective techniques include:

  • Increasing the frequency of employee/manager meetings
  • Giving employees several avenues for giving feedback, including anonymous suggestions
  • Adding more social time to the schedule, or hosting company-sponsored parties or group activities
  • Recognising high-performers with awards and prizes

Communication and reporting 

When reporting to the Board, other executives, or even third-party auditors, CISOs need to make sure they get the messaging right.

One of the most important CISO skills is being able to translate complicated technical concepts into easy-to-understand language. When others can actually wrap their minds around the challenges of the cybersecurity program, they’re more likely to buy in and provide support.

On a basic level, CISOs can improve their communications by avoiding information-dumping and scare tactics. Turning in a 100-page report full of metrics the Board doesn’t understand isn’t useful. Similarly, warning of worst-case scenarios can backfire when it creates a reactive, rather than considered, approach to security.

Further, CISOs should take a risk-based approach to cybersecurity reporting. In practice, that means making sure each KPI is presented with context about the actual risk it represents to the organisation. In addition, CISOs should understand how each data point affects the larger business KPIs and objectives.

Following a risk-based approach to reporting can help CISOs demonstrate the effectiveness of their programs, advocate for new initiatives, and improve overall security.