Oct 30 2023

Proactive Boards Lead to Flexible CISOs as Companies Prepare for What’s to Come

Category: CISO,vCISOdisc7 @ 1:25 pm

In the leadership and communications section, Proactive Boards Enable More Reliable Cyber Governance, CISO Best Practices for Managing Cyber Risk, The Evolution of Work: How Can Companies Prepare for What’s to Come?, and more!

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Show Notes: https://securityweekly.com/bsw-326

Oct 14 2023

Best implementers of InfoSec program

Category: CISO,Security program,vCISOdisc7 @ 11:48 am

Best implementers of InfoSec program (ISMS) are those who possess both management and leadership capabilities…

CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers

2020 Cybersecurity CANON Hall of Fame Winner

Todd Fitzgerald, co-author of the ground-breaking (ISC)2 CISO Leadership: Essential Principles for Success, Information Security Governance Simplified: From the Boardroom to the Keyboard, co-author for the E-C Council CISO Body of Knowledge, and contributor to many others including Official (ISC)2 Guide to the CISSP CBK, COBIT 5 for Information Security, and ISACA CSX Cybersecurity Fundamental Certification, is back with this new book incorporating practical experience in leading, building, and sustaining an information security/cybersecurity program.

CISO COMPASS includes personal, pragmatic perspectives and lessons learned of over 75 award-winning CISOs, security leaders, professional association leaders, and cybersecurity standard setters who have fought the tough battle. Todd has also, for the first time, adapted the McKinsey 7S framework (strategy, structure, systems, shared values, staff, skills and style) for organizational effectiveness to the practice of leading cybersecurity to structure the content to ensure comprehensive coverage by the CISO and security leaders to key issues impacting the delivery of the cybersecurity strategy and demonstrate to the Board of Directors due diligence. The insights will assist the security leader to create programs appreciated and supported by the organization, capable of industry/ peer award-winning recognition, enhance cybersecurity maturity, gain confidence by senior management, and avoid pitfalls.

The book is a comprehensive, soup-to-nuts book enabling security leaders to effectively protect information assets and build award-winning programs by covering topics such as developing cybersecurity strategy, emerging trends and technologies, cybersecurity organization structure and reporting models, leveraging current incidents, security control frameworks, risk management, laws and regulations, data protection and privacy, meaningful policies and procedures, multi-generational workforce team dynamics, soft skills, and communicating with the Board of Directors and executive management. The book is valuable to current and future security leaders as a valuable resource and an integral part of any college program for information/ cybersecurity.

Previous articles on the subject of Chief Information Security Officers (CISOs)

Previous articles on the subject of Virtual Chief Information Security Officers (vCISOs).

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: isms, security program

Sep 20 2023

The matters that may keep the Information security Officers up at night

Category: CISO,vCISOdisc7 @ 1:46 pm

DISC InfoSec previous posts on CISO topic

CISSP training course

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: CISOs

Aug 22 2023

The complex world of CISO responsibilities

Category: CISO,vCISOdisc7 @ 9:26 am

A Chief Information Security Officer (CISO) is vital for safeguarding an organization’s digital assets. They oversee sensitive data security, combat cyber threats, and uphold data integrity. The CISO devises security strategies, partners with stakeholders, and addresses vulnerabilities. The Help Net Security roundup showcases insights from experts through recorded videos, highlighting the pivotal responsibilities and challenges that characterize the role of CISOs.

Complete videos

  • Josh Yavor, CISO at Tessian, offers a personal perspective on dealing with burnout as a CISO.
  • Kaus Phaltankar, CEO at Caveonix discusses how in today’s complex multi-cloud landscape, the role of CISOs is more crucial than ever.
  • Daniel Deeney, CEO at Paladin Cloud, discusses how companies face difficulties identifying security threats within cloud environments.
  • Chris Groot, General Manager of Cove Data Protection at N-able, discusses enterprise CISOs’ challenges with disaster recovery.

DISC InfoSec previous posts on CISO topic

CISSP training course

InfoSec tools | InfoSec services | InfoSec books | Follow our blog

Tags: CISO

Aug 20 2023

State of Virtual CISO

Category: CISO,vCISOdisc7 @ 1:44 pm

Cynomi Study Reveals Number of MSPs Providing Virtual CISO Services Will Grow Fivefold By Next Year

The frequency of cyberattacks is increasing, particularly targeting smaller businesses. However, most small and mid-size companies cannot afford a full-time security professional. To address this, they are turning to vCISO (virtual Chief Information Security Officer) services offered by Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs). These services provide access to external cybersecurity experts at a lower cost than hiring an in-house CISO.

A report by Cynomi, based on a survey of 200 executives in the U.S. and Canada, shows the rising demand for vCISO services among SMBs and how MSPs and MSSPs are responding to this demand. The report reveals that 84% of those not currently offering vCISO services but plan to do so by the end of 2024. The number of providers offering these services has been consistently growing, with 8% in 2022, 28% in 2023, and a projected 45% in 2024.

MSPs and MSSPs are motivated to offer vCISO services due to anticipated increased revenue, higher margins, easy upselling of other cybersecurity services, and enhanced client engagement. Although they foresee challenges such as limited in-house security knowledge and a lack of skilled cybersecurity personnel, vCISO platforms help mitigate these concerns.

Cynomi, a leading vCISO platform provider, aims to conduct annual studies on the growing trend of the vCISO role. They have also created a directory of prominent vCISO service providers to help SMBs find trusted security partners, offering details about services and technology platforms used by each provider.

DISC InfoSec Previous posts on vCISO

CISSP training course

InfoSec tools | InfoSec services | InfoSec books | Follow our blog

Tags: CISO, Cynomi, vCISO

Aug 19 2023

How CISOs break down complex security challenges

Category: CISO,vCISOdisc7 @ 2:34 pm

In the provided article, the author, who is a Chief Information Security Officer (CISO), discusses the challenges and strategies related to maintaining technical expertise while effectively communicating complex cybersecurity issues to stakeholders in a comprehensible manner.

The author emphasizes the importance of understanding the intricacies of technology in order to secure it effectively. This philosophy has driven the author to stay up-to-date with technology trends, collaborate with other security experts, and maintain a deep connection with their technical teams. The author also highlights the value of using simple metaphors to explain complex concepts, leveraging their strong technical background to convey information in a way that is easier for non-technical stakeholders to grasp.

In the context of managing cyber resilience efforts across an enterprise, the author draws parallels to managing different types of risk, categorizing them as good and bad risks. Good risks are those that contribute to business growth and innovation, while bad risks are associated with lacking proper planning and security measures. Balancing these risks requires strong relationships across the organization and constant communication.

The article also discusses the impact of digital initiatives and rapid digital transformation on the CISO’s role. While digital transformation can enhance efficiency and lower risks, challenges arise when new technologies like cloud or SaaS services are introduced without a clear understanding of their security implications. Collaboration between technology vendors, cybersecurity companies, and leadership teams is essential to address these challenges.

In the face of external events that test organizational resilience, the author presents four key principles for effective leadership: communication, agility, constant learning, and adaptability. These principles help leaders navigate uncertainties, learn from experiences, and handle change more effectively.

For a newly appointed CISO tasked with explaining complex cyber regulations to the board, the author suggests researching the backgrounds and industries of board members to tailor explanations to their perspectives. Comparisons to regulations in related industries or significant news events can help the board better understand the issues and recognize the CISO’s commitment to understanding the regulatory landscape.

In summary, the article underscores the need for CISOs to balance technical expertise with effective communication, employing metaphors to simplify complex concepts, and building strong relationships to manage cyber risks across the enterprise. It also highlights the challenges and strategies associated with digital transformation, organizational resilience, and succinctly communicating complex regulations to the board.

DISC InfoSec previous posts on CISO topic

CISSP training course

InfoSec tools | InfoSec services | InfoSec books | Follow our blog


Aug 02 2023

How CISOs can succeed in a challenging landscape

Category: CISO,vCISOdisc7 @ 8:04 am

How CISOs can succeed in a challenging landscape Reimagining operational resilience and recovery in 2023

#CISOs face mounting demands to develop information security strategies that effectively safeguard their organizations against an ever-evolving threat landscape. A strong information security stance is imperative, but the requirements for security and risk management are intricate and distinct for each organization. The alignment of business priorities and suitable solutions may not always be apparent, while swift results and cost-effective measures are crucial.

Chief Information Security Officer

CISSP training course

In what situations would a vCISO or CISOaaS Service be appropriate?


Previous posts on vCISO/CISO

CISO Conversations: The Role of the vCISO

How to Start Your Own Cybersecurity Consulting Business: First-Hand Lessons from a Burned-Out Ex-CISO

InfoSec tools | InfoSec services | InfoSec books

Tags: How CISOs can succeed

Aug 02 2023

From tech expertise to leadership: Unpacking the role of a CISO

Category: CISO,vCISOdisc7 @ 7:45 am
In your opinion, what are the key characteristics of an effective CISO? How do you balance technical expertise and leadership skills?

A CISO needs to wear many hats across the business and juggle many competing priorities. They need to be a customer support representative, a product partner, a manager, a visionary, a strategist, and of course, a security expert.

I have found that some of the most important characteristics are to be friendly, honest, and emphatic. Being a friend to the organization and people you work with, rather than leading with just policies and demands, is critical to getting more done and the success of your team.

It may sound counterintuitive, but a good CISO must get out from behind the technology and understand the people they are serving. Of course, you must maintain a high level of technology knowledge, but if you find yourself only sitting in front of a firewall console, you’re probably in the wrong job.

Given the rapid rate of technological change, how should CISOs approach building an organization’s security posture?

With the more-rapidly-than-ever changing environment, you can rarely rely solely on multi-year strategies or multi-quarter roadmaps. You must be ready for constant change and quickly adapt to it.

CISOs must create a security strategy built around anticipating outcomes and a feedback loop to gather information during incidents, assessments, threat analysis, and research. The information gathered should then be turned into metrics which will give insights into if the strategy is working, and, if necessary, how to evolve the strategy.

In today’s business environment, a CISO must communicate complex security issues. How can you ensure you’re understood by all stakeholders, including those who aren’t as tech-savvy

Though CISOs play a lead role in managing an organization’s security posture, it is important that cybersecurity efforts manifest as a shared responsibility across an organization. From new hires to the C-suite, cybersecurity should be a communicated priority for all employees. Everyone should care about security, and if they don’t do it, it’s because they don’t understand something about the situation or ask.

Just as much as a CISO needs to learn about the business, they must also educate other business leaders on what’s out there and the landscape of evolving threats. Then, it’s important to connect these threats and the solutions back to the goals of that part of the business so teams can fully understand the role they can play in mitigating risk.

With declining trust in institutions, how can CISOs help organizations build and maintain trust among customers, employees, and stakeholders?

It’s important to prioritize security and proactively communicate initiatives with stakeholders. However, building and maintaining trust isn’t a one-size-fits-all approach. CISOs must possess the ability to effectively communicate and educate all stakeholders about the specific cyber risks relevant to their organization while also proactively outlining how it is prepared to address those risks. Implementing robust, proactive security measures and emphasizing the protection of sensitive data will reassure customers, stakeholders, and employees alike that their information is secure. Swiftly acting on emerging and existing security threats also reinforces trust and demonstrates an organization’s proactive efforts in addressing threats before they become detrimental.

The role of a CISO encompasses a wide range of responsibilities, including compliance, disaster recovery, and stakeholder management. How can a CISO effectively manage such a diverse portfolio of tasks?

There are three ways I manage competing priorities: Focus, transparency, and accountability. A CISO must focus on the tasks that have the biggest ROIs, and not get distracted by the noise. Leading with transparency will make it clear to everyone within the organization why we are making changes or asks. And finally, security posture and response can only be improved when accountability is clear. And not just accountability of the security team, but accountability from across the organization where everyone understands the responsibility.

By making data-driven decisions and conducting continuous risk assessments, CISOs can strategically allocate resources to high-priority tasks. The delicate balance lies in leading these various aspects while leveraging the expertise of a skilled team to ensure comprehensive security protection across the organization. By staffing a knowledgeable team of security experts and empowering them to take ownership of their day-to-day responsibilities, CISOs can focus their time on providing strategic and executive-level oversight on key issues.

Given the constantly evolving threat landscape, how can a CISO maintain its technological expertise while focusing on leadership and collaboration?

From a leadership standpoint, the CISO is so much more than just security. It’s truly a business leader position, they are collaborating with the other business leaders to share the same resources. CISOs must understand the organizational goals, the customer needs, and the capacity of each team to prioritize security in collaboration with product management, IT leaders, CTO, etc.

CISOs must maintain fundamental technology knowledge but rely on the team’s subject matter expertise for deeper technical aspects. It’s important to find the right training, like CISSP, and vendor-specific certifications, without overwhelming yourself.

Chief Information Security Officer

CISSP training course

In what situations would a vCISO or CISOaaS Service be appropriate?


Previous posts on vCISO/CISO

CISO Conversations: The Role of the vCISO

How to Start Your Own Cybersecurity Consulting Business: First-Hand Lessons from a Burned-Out Ex-CISO

InfoSec tools | InfoSec services | InfoSec books

Tags: role of a CISO

Jul 31 2023

How the best CISOs leverage people and technology to become superstars

Category: CISO,vCISOdisc7 @ 9:48 am

Superstar CISOs stand out from the rest due to their acute understanding of the growing threat landscape and the shortage of cybersecurity skills. However, they refuse to succumb to despair and instead leverage their existing assets effectively, notably by recognizing an overlooked security resource: their development teams.

In the era of DevSecOps hype, it’s common to say that security is everyone’s responsibility. But there are limits to what untrained and unmotivated workers – especially those who don’t work in IT – can do to make their organization more secure against cyberthreats.

For example, in the real world, travelers at a busy airport should feel responsible for reporting an unattended bag sitting alone in a suspicious location. However, they aren’t trained to inspect that bag to look for threats or empowered to take any actions on their own. At a company, it’s one thing to make everyone aware of cybersecurity, and another to educate them to make their organization more secure within the context of their role or to use the defensive tools they already have in place to counter threats and squash vulnerabilities.

For that, companies need to invest in upskilling. It’s far better, and oftentimes easier, to invest in the talented, loyal staff that are already a part of your organization than to try and hire new people from the outside. But even then, putting those learning resources in the best place to get the required results is key.

Developers already understand IT since they write much of the code for the programs being used by their organizations. And they are often ready, willing, and able to upskill in cybersecurity to help make them even more amazing at their jobs. Smart CISOs are tapping into that enthusiasm and providing developers with the education pathways they want and need, with the payoff being a reduction in common vulnerabilities (not to mention less pressure on overworked AppSec personnel).

Making sure developers get the right upskilling and support

The best CISOs know that upskilling is critical to success. But not just any training will do, especially for the development community who already have a good baseline understanding of IT. A “check-the-box” program won’t offer much return on investment and will likely frustrate developers into poor performance and a lifelong hatred of working with security teams.

Likewise, any solution that impedes their workflow, fails to stay agile with enterprise security goals, or cannot deliver the right education at the right time in an easily digestible format, is unlikely to result in foundational security awareness or skills.

Other secrets of superstar CISOs

Exemplary CISOs are also able to address other key pain points that traditionally flummox good cybersecurity programs, such as the relationships between developers and application security (AppSec) teams, or how cybersecurity is viewed by other C-suite executives and the board of directors.

For AppSec relations, good CISOs realize that developer enablement helps to shift security farther to the so-called left and closer to a piece of software’s origins. Fixing flaws before applications are dropped into production environments is important, and much better than the old way of building code first and running it past the AppSec team at the last minute to avoid those annoying hotfixes and delays to delivery. But it can’t solve all of AppSec’s problems alone. Some vulnerabilities may not show up until applications get into production, so relying on shifting left in isolation to catch all vulnerabilities is impractical and costly.

There also needs to be continuous testing and monitoring in the production environment, and yes, sometimes apps will need to be sent back to developers even after they have been deployed. A great CISO, with a foot in development and security, can smooth out those relations and keep everyone working as a team.

Getting other C-suite executives onboard with better security might be an even more difficult challenge, with leadership outside the CISO and CIO normally looking at business objectives and profits before anything else. To counter that, superstar CISOs know how to show a direct correlation between better, more mature cybersecurity and increased revenue, and how it can even provide a competitive advantage against the competition.

It’s not easy being a CISO, and certainly more challenging than at any other point in history. But those CISOs who master that adversity are becoming true superstars within their companies and communities. They competently employ agile developer upskilling, champion security culture, streamline relationships between the traditional rivals of development and AppSec teams, and encourage leadership to foster a security-first approach from the top down.

Chief Information Security Officer

CISSP training course

In what situations would a vCISO or CISOaaS Service be appropriate?


Previous posts on vCISO/CISO

CISO Conversations: The Role of the vCISO

InfoSec tools | InfoSec services | InfoSec books

Tags: CISOs

Jul 18 2023

Stabilizing The Cybersecurity Landscape: The CISO Exodus And The Rise Of VCISOs

Category: CISO,vCISOdisc7 @ 10:50 pm


In today’s evolving digital landscape, the role of a chief information security officer (CISO) is critical. These professionals defend against the rising tide of daily cyberthreats. Yet we’re seeing a trend: Many CISOs are leaving or considering leaving their jobs, a phenomenon coined the “Great CISO Resignation.”

This trend seems to reflect the intense pressure CISOs endure. They face a constant stream of complex cyberthreats, manage compliance issues and struggle with a talent deficit in cybersecurity. Paired with high expectations, many reconsider their roles, which can lead to a leadership gap.

However, this situation opens a strategic opportunity for innovation. As the founder and president of a company that offers virtual chief information security officer (vCISO) services, I’ve seen this model gaining momentum.

Understanding The vCISO Model

A vCISO is an outsourced security practitioner or provider who offers their expertise to businesses on a part-time or contractual basis. These professionals provide many of the same services as a traditional CISO, such as developing and implementing security strategies, ensuring compliance with regulations, training staff and managing a company’s cybersecurity posture. The key difference is that vCISOs offer these services remotely and often to multiple companies at once.

This model brings flexibility and scalability, allowing businesses to tailor cybersecurity leadership to their specific needs. It also provides access to a breadth of expertise that is often unaffordable in a full-time, in-house CISO.

Leveraging The vCISO Model Amid The CISO Exodus

With the current trend of CISOs leaving their positions, the vCISO model offers a practical solution to maintain cybersecurity leadership. Here are some ways businesses can take advantage of this model:

Plug Leadership Gaps Quickly

When a CISO departs, they leave a leadership void that’s hard to fill quickly, especially considering the shortage of cybersecurity talent. By leveraging a vCISO, businesses can plug this gap swiftly, ensuring continued oversight and direction in their cybersecurity efforts.

Access A Broader Skill Set

vCISOs, often being part of a larger team, can bring a wide range of experiences and skills. They are exposed to diverse security landscapes across industries, which can provide a fresh perspective and innovative solutions to your security challenges.

Cost Efficiency

Hiring a full-time CISO can be prohibitively expensive for some companies. vCISO services, on the other hand, can be scaled to fit budgetary constraints, giving businesses access to top-tier security leadership without as much of a hefty price tag.

Flexibility And Scalability

As your business grows and evolves, so too can your cybersecurity needs. A vCISO’s flexible engagement model means you can scale cybersecurity leadership to match your changing requirements.

Deciphering The vCISO Selection: A Strategic Perspective

Selecting the right virtual chief information security officer is pivotal to the success of your cybersecurity strategy, especially in the wake of the “Great CISO Resignation.” You’re essentially recruiting an outsourced leader who can help guide your organization’s information security infrastructure and strategy, so you need to ensure that they not only have the expertise but that they also align with your organization’s culture and values. Here are some strategic suggestions for identifying the perfect vCISO for your business:

Evaluate Their Background And Experience

Start by examining the vCISO’s professional background. This includes their level of experience in your specific industry, as well as their familiarity with the size and type of businesses like yours. Their past roles and achievements can provide valuable insight into their ability to handle the unique cybersecurity threats and risks your business may face. Don’t hesitate to ask for a detailed track record of their experience and successes.

Assess Their Expertise

Probe into their knowledge of current cybersecurity trends, their ability to create a cybersecurity strategy, their understanding of regulatory requirements that are relevant to your industry and their experience in managing security incidents. You should also ask about their experience with various cybersecurity tools and technologies. A vCISO’s expertise should encompass not only tactical but also strategic thinking and planning.

Understand Their Approach

Get a sense of their management style, communication skills and approach to problem-solving. Cybersecurity is a team effort, so the vCISO needs to effectively work with and guide your in-house team. Are they able to communicate complex security concepts in a way that everyone in your organization can understand? Can they foster a security-first culture within the company?

Determine Alignment With Business Goals

The right vCISO should understand your business strategy and align security strategies to business objectives. They should be able to strike a balance between the necessary security measures and the operational needs of your company.

In what situations would a vCISO or CISOaaS Service be appropriate?


Previous posts on vCISO/CISO

CISO Conversations: The Role of the vCISO

Cybersecurity: The CISO’s View

We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our website’s contact form.

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services


Jul 17 2023

CISOs under pressure: Protecting sensitive information in the age of high employee turnover

Category: CISO,data securitydisc7 @ 10:29 am

In this Help Net Security interview, Charles Brooks, Adjunct Professor at Georgetown University’s Applied Intelligence Program and graduate Cybersecurity Programs, talks about how zero trust principles, identity access management, and managed security services are crucial for effective cybersecurity, and how implementation of new technologies like AI, machine learning, and tracking tools can enhance supply chain security.

CISOs believe they have adequate data protection measures, yet many have dealt with the loss of sensitive data over the past year. How do you reconcile this apparent contradiction?

The loss of data despite protection measures is not that surprising. We are all playing catchup in cybersecurity. The internet was invented in a government laboratory and later commercialized in the private sector. The hardware, software, and networks were originally designed for open communication. Cybersecurity initially was not a major consideration. That mindset has surely changed due to the explosion of connectivity and commerce on the internet and CISOs are playing a big game of catch up too.

There are a multitude of causes that can account for the exfiltration of sensitive data. The first being that hacker adversaries have become more sophisticated and capable of breaching. The basic tools and tactics hackers use for exploitation include malware, social engineering, phishing (the easiest most common, especially spear-phishing aimed at corporate executives), ransomware, insider threats, and DDOS attacks. Also, they often use advanced and automated hacking tools shared on the dark web, including AI and ML tools that are used to attack and explore victims’ networks. That evolving chest of hacker weaponry is not so easy for CISOs to defend against.

Another big factor is the reality is that exponential digital connectivity propelled by the COVID-19 pandemic has changed the security paradigm. Many employees now work from hybrid and remote offices. There is more attack surface area to protect with less visibility and controls in place for the CISO. Therefore, it is logical to conclude that more sensitive data has and will be exposed to hackers.

The notion of adequate protection is a misnomer as threats are constantly morphing. All it takes is one crafty phish, a misconfiguration, or a failure to do a timely patch for a gap to provide an opportunity for a breach. Finally, many CISOs have had to operate with limited budgets and qualified cyber personnel. Perhaps they have lower expectations of the level of security they can achieve under the circumstances.

As the economic downturn pressures security budgets, how can CISOs optimize their resources to manage cybersecurity risks effectively?

CISOs must enact a prudent risk management strategy according to their industry and size that they can follow to allow them to best optimize resources. A good risk management strategy will devise a vulnerability framework that Identifies digital assets and data to be protected. A risk assessment can quickly identify and prioritize cyber vulnerabilities so that you can immediately deploy solutions to protect critical assets from malicious cyber actors while immediately improving overall operational cybersecurity. This includes protecting and backing up business enterprise systems such as: financial systems, email exchange servers, HR, and procurement systems with new security tools (encryption, threat intel & detection, firewalls, etc.) and policies.

There are measures in a vulnerability framework that are not cost prohibitive. Those measures can include mandating strong passwords for employees and requiring multi-factor authentication. Firewalls can be set up and CISOs can make plans to segment their most sensitive data. Encryption software can also be affordable. The use of the cloud and hybrid clouds enables implementation of dynamic policies, faster encryption, drives down costs, and provides more transparency for access control (reducing insider threats). A good cloud provider can provide some of those security controls for a reasonable cost. Clouds are not inherently risky, but CISOs and companies will need to recognize that they must thoroughly evaluate provider policies and capabilities to protect their vital data.

And if a CISO is responsible for protecting a small or medium business without a deep IT and cybersecurity team below them, and are wary of cloud costs and management, they can also consider outside managed security services.

How can organizations better safeguard their sensitive information during high employee turnover?

This goes to the essence of the strategy of zero trust. Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Organizations need to know everything that is connected to the network, devices & people.

Identity access management or IAM, is very important. IAM the label used for the set of technologies and policies that control who accesses what resources inside a system. A CISO must determine and know who has access to what data and why. If an employee leaves, they need to immediately revoke privileges and ensure that nothing sensitive was removed from the organization. There are many good IAM tools available from vendors on the market.

Certainly, with employee turnover, there are ethical and trust elements involved. Employee insider threats are difficult to detect and manage. Some of that can be addressed upfront in employment contracts with an employee understanding of the legal parameters involved, it is less likely that they will run off with sensitive data.

We’ve seen increased CISO burnout and concerns about personal liability.

Yes, the burnout is a direct result of CISOs having too many responsibilities, too little budget, and too few workers to run operations and help mitigate growing cyber-threats. Now the personal liability factors exemplified by as the class action suit against Solar’s Wind’s CISO, and the suit against Uber’s CISO for obscuring ransomware payments, has heightened the risk. In an industry that is already lacking in required numbers of cybersecurity leaders and technicians, CISOs need to be given not only the tools, but the protections necessary for them to excel in their roles. If not, the burnout and liability issues will put more companies and organizations at greater risk.

How are these challenges impacting the overall efficacy of CISOs in their roles, and what measures can be taken to address them?

Despite the trends of greater frequency, sophistication, lethality, and liabilities associated with incursions, industry management has been mostly unprepared and slow to act at becoming more cyber secure. A Gartner survey found that 88% of Boards of Directors (BoDs) view cybersecurity as a business risk, as opposed to a technology risk, according to a new survey, and that only 12% of BoDs have a dedicated board-level cybersecurity committee.

“It’s time for executives outside of IT to take responsibility for securing the enterprise,” said Paul Proctor, Chief of Research for Risk and Security. “The influx of ransomware and supply chain attacks seen throughout 2021, many of which targeted operation- and mission-critical environments, should be a wake-up call that security is a business issue, and not just another problem for IT to solve.”

CISOs not only need a seat at the table in the C-Suite, but they also need insurance protections comparable to other executive management that limits their personal liability. There is no panacea for perfect cybersecurity. Breaches can happen to any company or person in our precarious digital landscape. It is not fair or good business to have CISO go at it alone. In a similar context, cybersecurity should no longer be viewed as a cost item for businesses or organizations. It has become an ROI that can ensure continuity of operations and protect reputation. Investment in both the company and the CISO’s compensation and portfolio of required duties need to be a priority going forward.

As supply chain risk continues to be a recurring priority, how can CISOs better manage this aspect of their cybersecurity strategies, especially under constrained budgets?

Ensuring that the supply chain is not breached including the design, manufacturing, production, distribution, installation, operation, and maintenance elements is a challenge to all companies. Cyber-attackers will always look for the weakest point of entry and mitigating third-party risk is critical for cybersecurity. Supply chain cyber-attacks can be perpetrated from nation-state adversaries, espionage operators, criminals, or hacktivists.

CISOs require visibility of all vendors in the supply chain along with set policies and monitoring. NIST, a non-regulatory agency of the US Department of Commerce has a suggested framework for supply chain security that provides sound guidelines from both government and industry.

NIST recommends:

  • Identify, establish, and assess cyber supply chain risk management processes and gain stakeholder agreement
  • Identify, prioritize, and assess suppliers and third-party supplier partners
  • Develop contracts with suppliers and third-party partners to address your organization’s supply chain risk management goals
  • Routinely assess suppliers and third-party partners using audits, test results, and other forms of evaluation
  • Complete testing to ensure suppliers and third-party providers are able to respond to and recover from service disruption

Other mitigation efforts can be done with the acquisition of new technologies that monitor, alert, and analyze activities in the supply chain. Artificial intelligence and machine learning tools can provide visibility and predictive analytics, and stenographic and watermark technologies can provide tracking of products and software.

Previous DISC InfoSec posts on CISO topic

Chief Information Security Officer

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: artificial intelligence, Chief Information Security Officer, CISO, Protecting sensitive information, security ROI, supply chain attacks

Jul 13 2023

CISO perspective on why boards don’t fully grasp cyber attack risks

Category: CISO,vCISOdisc7 @ 1:55 pm

Due to their distinct perspectives, board members and CISOs often have differing views on cyber attack risks. The discrepancy arises when boards need cybersecurity expertise, need help comprehending technical jargon, or when CISOs need to communicate in business language.

In this Help Net Security interview, David Christensen, CISO of PlanSource, proposes strategies to understand and acknowledge the broader organizational and strategic implications of cybersecurity risk management, strategy, and governance.

Board members and CISOs often do not see eye-to-eye on the risk of cyber attacks. In your opinion, what is the primary cause of this discrepancy?

A difference in perspective is a fundamental reason board members and CISO are not always aligned. Board members typically have a much broader view of the organization’s goals, strategies, and overall risk landscape, where CISOs are responsible for assessing and mitigating cybersecurity risk. These differences in perspectives lead to contrasting priorities and risk assessments. However, when board members and CISOs do not see eye-to-eye on the risk of cyber attacks, it’s often a result of the board lacking cybersecurity expertise among its members, the complexity with understanding the topic and CISOs who focus too heavily on technical language during their discussions with the board.

Communicating cyber risk to the board requires the CISO to understand the audience, translating technical jargon into business language, allowing the board to see the CISO as a strategic partner. Becoming the strategic partner also requires CISOs to view their cybersecurity investments in terms of ROI to help the board understand the importance of an investment against competing priorities and spend.

CISOs need to also understand that board members often have a shorter time horizon for decision-making, focusing on quarterly or annual performance, in contrast to CISOs being more attuned to the potential long-term impacts of cyber attacks and advocating for proactive measures. This misalignment in time horizons can contribute to disparities in risk perceptions.

How can a CISO effectively translate technical jargon into business language that board members can understand and engage with? Do you have any specific strategies or approaches in mind?

A CISO needs to understand the knowledge and background of the board members to be able to translate technical jargon into business language and something familiar with the target audience. I approach this by relating technical jargon to everyday situations or business scenarios, something the board can easily grasp.

To be effective at this style of communication, I collaborate with other business leaders outside of the technology groups to optimize business alignment. Focusing on the potential business impact of cybersecurity risk also allows a CISO to frame technical issues in terms of their consequences such as financial loss or damage to the company’s brand.

It is equally important to be concise and avoid over-embellishing cyber-risks, while still focusing on the strategic objectives you are asking the board to weigh in on. To bridge the gap between board members and CISOs to promote the mitigation of cyber-risk, it is essential that a CISO enhance communication, educate board members about cybersecurity risks and promote a collaborative approach to decision making.

Many boards still see cybersecurity as a purely technical issue. What strategies can they employ to understand and acknowledge the broader organizational and strategic implications of cybersecurity?

For boards to better understand and acknowledge the broader organizational and strategic implications of cybersecurity, there needs to be a shift in how cyber-risk is viewed and approached. Boards can start by overcoming the common CISO-board disconnect that exists, developing a direct and strategic relationship with the CISO that continues outside of board meetings. Boards should also allocate more of their time to the topic of cybersecurity and allow the CISO to communicate risk to the board beyond just a handful of quarterly slides. Cybersecurity expertise also needs to be a part of a board’s composition, by including directors with a blend of business and cyber experience.

How do you envision the proposed amendments by the SEC changing the way boards approach cybersecurity risk management, strategy, and governance?

When the proposed amendments by the SEC become a reality, I envision boards putting more attention on cybersecurity issues. The hope is that these changes will lead boards to dedicate more resources, time, and expertise to assessing, managing and mitigating cybersecurity risk before they are impacted by an incident.

I would then expect this to result in boards establishing or enhancing governance structures related to cybersecurity, leading to them defining clear roles and responsibilities for cybersecurity oversight, and ultimately the presence of cybersecurity expertise at the board level. These amendments are also going to encourage boards to integrate cybersecurity considerations into their overall business strategy.

In your view, what concrete steps can board members take to improve their understanding of cybersecurity-induced risks and evaluate plans to manage them effectively?

Boards members should actively educate themselves about cybersecurity, attending training, workshops and conferences on the topic that can help them stay updated on emerging threats and latest trends. Boards should also establish a dedicated cybersecurity committee made up of members with relevant expertise to help assess and oversee cybersecurity initiatives within an organization.

The board should also engage with cybersecurity experts and consultants to gain insights into the specific risks and challenges facing their organization. In addition, boards should require their organizations conduct regular risk assessments, as well as reviewing cybersecurity reports, which will provide an overview of the organization’s cybersecurity posture.

Chief Information Security Officer

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: CISO, cyber attack risks

Jul 08 2023

Announcing: SuperCISO!

Category: CISO,vCISOdisc7 @ 6:15 pm

By — Gary Hinson — on LinkedIn

SuperCISO’s superpowers: Visionary cartographer: scan the horizon and map out the information risk…

SuperCISO’s superpowers:

Visionary cartographer:

Change catalyst:

Team-builder and inspirational leader:


Smooth-talking diplomatic facilitator:

Swamp-avoiding corner-cutting road-hump-flattening soot-juggler

Empathetic relationship builder:

Guardrail installer:

Culture cultivator:


Unless you really are superhuman, you can’t expect to do all those things (and more) exceptionally well 
 so a more pragmatic approach starts with self-awareness and a personal/career strategy. One possibility is to run a SWOT analysis on yourself:

  • What are your Strengths as a person – not just the areas where you clearly shine and the achievements you are most proud of, but the things likely to be brought up in your eulogy? 
  • In what areas are you comparatively Weak? What causes you the most stress or grief? What parts of the job would you prefer to shy away from, given the choice?
  • Where are your Opportunities to grow, develop, mature and flourish? In career terms, what would take you to “the next level”? Are there things you can plan and prepare for?
  • What about the Threats, the things (or people or situations 
) that might derail you from your path to ultimate success?

Hinson tip: if you find this process confusing and awkward, discreetly seek the assistance and guidance of close colleagues, friends and family members. Google for HR tools and techniques such as the Myers-Briggs approach. Take a cold, hard, dispassionate look at your own CV: if you were tasked to appoint your own replacement before leaving the organisation, would your CV pass muster? What might raise concerns among the interview panel? Which aspects beg questions? Issues from your past will naturally dissolve over time, but perhaps you can address them more proactively to speed-up the dissipation, for example through self-study, training or seeking out chances to make and demonstrate progress. Making a genuine effort will highlight matters to bring up (or avoid!) at annual bonus appraisal or interview time so there’s a pay-off to aim for. Literally.

As career advice goes, that’s all very well 
 but in essence it applies to almost any management position, so what’s different about the pragmatic CISO?

  • Pragmatism in this area involves acknowledging that, with the best will in the world, we cannot all reach and stay at the very top of our game all the time. When the going gets hard, we may struggle, stumble, perhaps even fall 
 which is when the value of preparation, resilience and contingency thinking comes into play. Being sacked or made redundant, for instance, is as much an opportunity to seize as an issue to overcome.
  • Optimism is another aspect. Pragmatism typically involves tolerating higher information risks in the interest of not overly constraining the business. Keep your natural paranoia in check by cutting some slack for information risk owners who elect to accept risks that you, personally, would not. As a competent professional advisor, your job is simply to make sure the risk owners are well informed and understand the risks – and for that you are accountable. If they decide to overrule your advice for business reasons, they are accountable for their decisions – and fair enough: they understand the business context better than you. Maybe, in fact, they are correct.
  • Teamwork is another part of the solution. If you admit to being comparatively weak in, say, constantly scanning the horizon for emerging risks, it might just be the very thing that someone in your team, a colleague elsewhere in the organisation, or an external advisor might excel at – so work with them. If they are junior to you, taking on the additional responsibility may be an excellent opportunity for them, and a chance to deepen your relationship. 

if you are interested in Super CISO topic, this link and references may be of interest… to explore further.

The CISO Mentor: Pragmatic advice for emerging risk management leaders

Tags: Super CISO

Jul 07 2023

Chief Information Security Officer Handbook

Category: CISO,vCISOdisc7 @ 11:03 am

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: Chief Information Security Officer, CISO

Jul 04 2023

What are the Common Security Challenges CISOs Face?

Category: CISO,CISSP,vCISOdisc7 @ 11:23 am

Chief Information Security Officers (CISOs) hold a critical and challenging role in today’s rapidly evolving cybersecurity landscape. Here are the common security challenges CISOs face.

As organizations increasingly rely on technology to drive their operations, CISOs face complex security challenges that demand their expertise and strategic decision-making.

These challenges arise from the constant emergence of sophisticated cyber threats, the need to protect sensitive data, and the ever-evolving regulatory landscape.

The role of a CISO requires balancing proactive risk mitigation with the ability to respond swiftly to incidents and breaches.

This article will delve into the top challenges CISOs face, including protecting digital assets, managing security incidents, ensuring compliance, dealing with insider threats, and the relentless pursuit of cyber resilience.

By understanding these challenges, CISOs can develop robust cybersecurity strategies and lead their organizations toward a secure and resilient future.

Who is a CISO?

Chief Information Security Officer (CISO) is a senior executive responsible for overseeing and administering an organization’s information security plan.

A CISO’s primary responsibility is safeguarding the confidentiality, availability, and integrity of an organization’s information assets and systems.

They are accountable for creating and enforcing strategies, policies, and procedures to defend against cyber threats, protect sensitive data, and mitigate security risks.

CISOs play a crucial role in maintaining an organization’s security posture by establishing and enforcing security standards, conducting risk assessments, and implementing appropriate security controls.

They collaborate with other executives, IT teams, and stakeholders to align security initiatives with business objectives and ensure that security measures are integrated into the organization’s operations.

In addition to their technical expertise, CISOs often engage in risk management, incident response planning, security awareness training, and compliance with regulatory requirements.

They stay updated on the latest cybersecurity trends, threats, and technologies to address emerging risks and implement appropriate security measures effectively.

The role of a CISO has become increasingly important as cyber threats evolve in complexity and frequency.

CISOs are responsible for safeguarding the organization’s sensitive information, maintaining the trust of customers and stakeholders, and ensuring business continuity in the face of cybersecurity challenges.

CISO Guide to Balancing Network Security Risks Offered by Perimeter 81 for free, helps to prevent your network from being at Risk.

What are all the Roles and Responsibilities of CISO?

  1. Developing and Implementing Information Security Strategy: The CISO is responsible for developing and implementing an overarching information security strategy aligned with the organization’s business objectives. This includes setting security goals, defining security policies and procedures, and establishing risk management frameworks.
  2. Leading the Security Team: The CISO manages and provides leadership to the security team, including hiring, training, and supervising security personnel. They ensure the team has the necessary skills, resources, and support to carry out their responsibilities effectively.
  3. Overseeing Security Operations: The CISO oversees day-to-day security operations, including incident response, vulnerability management, threat intelligence, and security monitoring. They ensure appropriate controls, technologies, and processes are in place to protect the organization’s assets.
  4. Risk Management: The CISO is responsible for identifying and assessing security risks to the organization’s information systems and assets. They develop and implement risk management strategies to safeguard critical data and systems, including risk mitigation, transfer, and acceptance.
  5. Compliance and Regulatory Requirements: The CISO ensures that the organization complies with relevant security regulations, industry standards, and legal requirements. They stay updated on emerging regulations and ensure appropriate controls and processes are in place to meet compliance obligations.
  6. Security Incident Response: The CISO leads the organization’s response to security incidents, including data breaches, malware attacks, and other security breaches. They establish incident response plans, coordinate efforts, and collaborate with relevant stakeholders, such as legal, PR, and law enforcement agencies.
  7. Security Awareness and Training: The CISO promotes a culture of security awareness throughout the organization. They develop and deliver security awareness programs and training initiatives to educate employees on security best practices and minimize human-related security risks.
  8. Vendor and Third-Party Risk Management: The CISO assesses and manages security risks associated with third-party vendors and partners. They establish vendor security requirements, conduct due diligence, and monitor compliance with security standards and contractual obligations.
  9. Security Governance and Reporting: The CISO provides regular reports and updates on the organization’s security posture to executive management, board members, and other relevant stakeholders. They ensure that security metrics and key performance indicators (KPIs) are established to measure the effectiveness of security programs.
  10. Incident Investigation and Forensics: In the event of security incidents, the CISO oversees the investigation and forensic analysis to identify the root cause, assess the impact, and prevent future occurrences. As required, they collaborate with internal and external resources, such as forensic experts and law enforcement agencies.

Security Challenges CISOs Face

CISOs face various common security challenges as they strive to protect their organizations’ digital assets and information. Perimeter 81 Guide helps CISOs to prevent their network from being at Risk. Some of the key challenges they encounter include:

  • Sophisticated Cyberattacks: CISOs must defend against increasingly sophisticated cyber threats, including advanced persistent threats (APTs), ransomware attacks, social engineering, and zero-day exploits. These attacks can bypass traditional security measures and require constant vigilance and adaptive security strategies.
  • Insider Threats: CISOs need to address the risks posed by insiders, including employees, contractors, or partners who have authorized access to systems and data. Insider threats can involve accidental data breaches, negligence, or malicious intent, requiring a balance between enabling productivity and implementing controls to prevent unauthorized access or data leakage.
  • Compliance and Regulatory Requirements: CISOs must ensure their organizations comply with industry-specific regulations, such as GDPR, HIPAA, PCI-DSS, or SOX, and evolving privacy laws. Navigating complex compliance requirements and maintaining a robust security posture to meet these standards can be a significant challenge.
  • Cloud Security: As organizations increasingly adopt cloud services and infrastructure, CISOs must address the unique security challenges associated with cloud computing. This includes securing data stored in the cloud, managing access controls, and ensuring the security of cloud service providers (CSPs) and their environments.
  • Security Skills Gap: CISOs often need more skilled cybersecurity professionals. The industry’s rapid growth and evolving threat landscape have resulted in high demand for cybersecurity talent, making recruiting and retaining qualified professionals challenging.
  • Third-Party Risk: Organizations rely on third-party vendors and suppliers, introducing potential security risks. CISOs must assess the security posture of third parties, establish contractual security obligations, and monitor their adherence to security standards to mitigate the risk of breaches through these external connections.
  • Security Awareness and Training: Human error remains a significant factor in cybersecurity incidents. CISOs must promote a strong security culture, provide regular training and awareness programs, and educate employees about cybersecurity best practices to minimize the risk of social engineering, phishing attacks, and other user-related vulnerabilities.
  • Incident Response and Recovery: CISOs must develop and test robust incident response plans to manage and recover from security incidents effectively. This involves identifying and containing breaches, conducting forensic investigations, and implementing remediation measures to minimize the impact and prevent future incidents.
  • Emerging Technologies: Adopting technologies like the Internet of Things (IoT), artificial intelligence (AI), and blockchain introduces new security challenges. CISOs must understand the security implications of these technologies, assess risks, and implement appropriate controls to protect against potential vulnerabilities and attacks.
  • Budget and Resource Constraints: CISOs often face budget limitations and the need to prioritize security initiatives. Balancing the allocation of resources to address immediate security needs while investing in long-term security capabilities can be a significant challenge.

What are the Security Compliance CISO Should Follow

As a Chief Information Security Officer (CISO), there are several security compliance frameworks and regulations that you should consider following, depending on the nature of your organization and its operations. Here are some of the key security compliance frameworks and regulations:

  1. General Data Protection Regulation (GDPR): If your organization deals with the personal data of individuals in the European Union (EU), GDPR sets requirements for the protection, processing, and transfer of personal data. It includes principles for data minimization, consent, data breach notification, and the rights of individuals.
  2. Payment Card Industry Data Security Standard (PCI DSS): PCI DSS applies to organizations that handle credit card information. It sets requirements for securing payment card data, including network security, encryption, access controls, and regular vulnerability assessments.
  3. Health Insurance Portability and Accountability Act (HIPAA): HIPAA applies to organizations in the healthcare industry that handle protected health information (PHI). It establishes requirements for the privacy and security of PHI, including access controls, encryption, risk assessments, and breach notification.
  4. Sarbanes-Oxley Act (SOX): SOX applies to publicly traded companies in the United States. It sets requirements for financial reporting and establishes controls and processes to ensure the accuracy and integrity of financial statements. While not solely focused on security, it includes provisions for protecting financial data.
  5. National Institute of Standards and Technology (NIST) Cybersecurity Framework: The NIST Cybersecurity Framework provides guidelines and best practices for managing cybersecurity risks. It covers risk assessment, security controls, incident response, and continuous monitoring.
  6. ISO 27001: ISO 27001 is an international standard that provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It covers various aspects of information security, including risk management, access controls, incident management, and security awareness.
  7. Federal Information Security Management Act (FISMA): FISMA applies to U.S. federal agencies and sets requirements for securing federal information and systems. It mandates risk assessments, security controls, incident response planning, and continuous monitoring.

Security Challenges CISOs Face to Manage Security Team

Managing a security team as a Chief Information Security Officer (CISO) requires effective leadership, communication, and coordination. Here are some key aspects to consider when managing a security team:

  1. Establish Clear Roles and Responsibilities: Clearly define the roles and responsibilities of each team member to ensure everyone understands their specific duties and areas of expertise. This clarity helps streamline operations and avoid confusion.
  2. Set Goals and Objectives: Define strategic goals and objectives for the security team aligned with the organization’s overall security strategy. Communicate these goals to the team and regularly track progress to ensure everyone is working towards the same objectives.
  3. Provide Guidance and Mentorship: Offer team members guidance, mentorship, and professional development opportunities. Encourage skill development, certifications, and staying up-to-date with the latest security trends and technologies—support team members in their career growth.
  4. Foster Collaboration and Communication: Promote a collaborative and open communication culture within the team. Encourage knowledge sharing, cross-functional collaboration, and effective communication channels. Regular team meetings, brainstorming sessions, and updates are valuable for aligning efforts.
  5. Support Decision-Making: Empower team members to make decisions within their areas of responsibility. Provide guidance and support when needed, but encourage autonomy and ownership in decision-making. Foster an environment where team members feel comfortable taking calculated risks.
  6. Establish Incident Response Procedures: Develop clear incident response procedures and ensure the team is well-prepared to handle security incidents effectively. Conduct regular drills, tabletop exercises, and simulations to test and improve the team’s incident response capabilities.
  7. Stay Informed and Adapt: Stay up-to-date with the latest security threats, industry trends, and best practices. Encourage continuous learning and professional development for the team. Adapt security strategies and measures as the threat landscape evolves.
  8. Collaborate with Other Departments: Work closely with other departments, such as IT, legal, HR, and executive management, to ensure security initiatives are aligned with business objectives and integrated into overall organizational operations. Build relationships and foster a culture of security awareness throughout the organization.
  9. Regularly Evaluate and Improve: Regularly evaluate the team’s performance, processes, and procedures. Collect feedback from team members and stakeholders to identify areas for improvement. Implement changes and adjustments as necessary to enhance the team’s effectiveness and efficiency.
  10. Lead by Example: Demonstrate strong leadership skills, integrity, and a commitment to security best practices. Lead by example in adhering to security policies and procedures. Encourage a positive and supportive work environment.

Final Thoughts 

CISOs face many common security challenges as protectors of their organization’s digital assets and information.

From sophisticated cyberattacks and insider threats to compliance requirements and resource constraints, these challenges highlight the complex and evolving nature of the cybersecurity landscape.

CISOs must navigate these challenges by adopting a proactive and strategic approach to security, leveraging advanced technologies, fostering a strong security culture, and collaborating with stakeholders.

To overcome these challenges, CISOs must stay abreast of emerging threats, continuously evaluate and improve their security measures, and prioritize investments in critical security capabilities.

They must also foster strong partnerships with internal teams, third-party vendors, and industry peers to collectively address security challenges and share best practices.

While the security challenges CISOs face may seem daunting, they also present opportunities for innovation and growth.

By effectively addressing these challenges, CISOs can enhance their organizations’ security posture, safeguard critical assets, and instill confidence in customers and stakeholders.

Ultimately, the role of a CISO requires a comprehensive and adaptable approach to cybersecurity, where staying one step ahead of threats and continuously improving security measures are paramount.

By embracing these challenges, CISOs can help shape a secure and resilient future for their organizations in an increasingly interconnected and threat-filled digital landscape.

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: CISO

Jun 27 2023

How CISOs can succeed in a challenging landscape

Category: CISO,vCISOdisc7 @ 9:42 pm

InfoSec tools | InfoSec services | InfoSec books

Tags: CISOs, Virtual CISOs

Jun 27 2023

How cyber insurance empowers CISOs

Category: CISO,Cyber Insurancedisc7 @ 3:41 pm

The Cyber Insurance Imperative, 2nd Edition: Updated for Today’s Challenging Risk Landscape

InfoSec tools | InfoSec services | InfoSec books

Tags: Cyber Insurance

Jun 23 2023

Digital‑first economy has introduced unforeseen risks say 89 percent of CISOs

Category: CISO,vCISODISC @ 1:20 pm

Salt Security has released key findings from its ‘State of the CISO’ report. Conducted by Global Surveyz for Salt, the global CISO survey gathered feedback from 300 CISOs/CSOs around the world on issues resulting from digital transformation and enterprise digitalization.

The results highlight significant CISO challenges including the biggest security control gaps they must manage, the most significant personal struggles they face, and the impact that broader global issues are having on their ability to deliver effective cyber security strategies. 

Today’s digital-first economy has transformed the role of the modern CISO, increasing threats and changing security priorities.

Key findings include:

  • 89 percent of CISOs report that the rapid deployment of digital services has generated unforeseen risks to securing critical business data.
  • Digital initiatives have produced new individual concerns, the top being the risk of personal liability and litigation resulting from security breaches, with 48 percent of CISOs citing that challenge.
  • 94 percent of CISOs worldwide say the speed of AI adoption is the macro dynamic having the greatest impact on their role.
  • 95 percent of CISOs plan to prioritize API security over the next two years, a 12 percent increase compared with that priority two years ago.

Biggest CISO challenges in a digital-first economy

The 2023 report shows that the digital-first economy has brought new security challenges for CISOs. Interestingly, most of the challenges cited by CISOs represent nearly equal levels of concern, forcing CISOs to address multiple challenges at the same time.

CISOs cite the following top security challenges:

  • Lack of qualified cyber security talent to address new needs (40 percent)
  • Inadequate adoption of software (36 percent)
  • Complexity of distributed technology environments (35 percent)
  • Increased compliance and regulatory requirements (35 percent)
  • Difficulties justifying the cost of security investments (34 percent)
  • Getting stakeholder support for security initiatives (31 percent)

Also notable, while most CISOs (44 percent) report security budgets are about 25 percent higher than two years ago, nearly 30 percent identify lack of budget to address new security challenges from digital transformation as a key challenge, and 34 percent of CISOs cite difficulty justifying the cost of security investments as a challenge.

Supply chain and APIs top security control gaps

Two thirds of CISOs state that they have more new digital services to secure compared to 2021. In addition, 89 percent of CISOs state that the rapid introduction of digital services creates unforeseen security risks in protecting their companies’ vital data. API adoption and supply chain/third party vendors presented the two highest security control gaps in organizations’ digital initiatives.
CISOs rank security control gaps resulting from digital initiatives as follows:

  • Supply chain/third party vendors (38 percent)
  • API adoption (37 percent)
  • Cloud adoption (35 percent)
  • Incomplete vulnerability management (34 percent)
  • Outdated software and hardware (33 percent)
  • Shadow IT (32 percent).

Global trends impacting the CISO role

The vast majority of CISOs admit to feeling the impact of a number of global trends. More CISOs cited the speed of AI adoption as having significant impact, followed by macro-economic uncertainty, the geo/political climate, and layoffs. Specific CISO responses regarding the impact of global trends were:

  • Speed of AI adoption (94 percent)
  • Macro-economic uncertainty (92 percent)
  • Geo/political climate (91 percent)
  • Layoffs (89 percent)

Threat of litigation and increased liability top CISOs’ personal concerns

The digital-first economy has also impacted CISOs on a personal level. Among the personal challenges reported were:

  • Concerns over personal litigation stemming from breaches (48 percent)
  • Increased personal risk/liability (45 percent)
  • Expanded responsibilities and not enough time to fulfill (43 percent)
  • Increased job-related stress (38 percent)
  • Bigger teams to manage (37 percent)

Nearly 50 percent of CISOs cite litigation concerns. With several high-profile CISO lawsuits making waves recently, CISOs are fearful of being found personally liable in the event of a breach, putting their livelihood at risk.

CISOs say their boards of directors are knowledgeable about cyber risks and mitigation

On a positive note, 96 percent of CISOs worldwide report that their boards of directors are knowledgeable or very knowledgeable about cyber security issues. In addition, the survey showed that 26 percent of CISOs present to the board on cyber risks mitigation and business exposure once a quarter or more, and 57 percent present to the board at least once every six months.


InfoSec tools | InfoSec services | InfoSec books

Jun 19 2023

Red teaming can be the ground truth for CISOs and execs

Category: CISO,vCISOdisc7 @ 2:34 am

As these breaches continue to make headlines, the time is now for boardroom executives to take on the responsibility of setting the tone for cybersecurity across the company. After all, instilling priorities at the board level and having that message trickle down across the company is a key tenet of business success.

But is cybersecurity treated differently? Some would argue that while cyber is certainly a priority in boardroom discussions, execs have still yet to take full responsibility for their security posture and often silo this to SecOps teams or their CISO. Given the potential for ransomware to destabilize operations, finances, and reputation, more execs should put cybersecurity front and center on the agenda. Perhaps they would if they understood the truth of what they were looking at.

Why isn’t the board on-board?

While organizations around the world continue their journey to cyber-maturity, companies that don’t engage with the boardroom directly on cybersecurity are opening the door to serious risk in the future. This lack of engagement can be due to several variables, including lack of strong board cybersecurity expertise/experience, or simply an underestimation of risk. CISOs, whether they are in that boardroom or not, will recognize that this must change, and that change can only come from clearer communication of risk.

If you want the board to take more of an interest in cybersecurity or fully grasp the risk of not making it a priority for the company, then you need to speak to their level of risk. They want the ground truth, spoken to them in a way they understand and cuts through the technical jargon. How will the consequences of not doing this affect their bottom line? How will a ransomware attack affect their reputation? Why is this a priority right now?

The CISOs among us may feel like they’ve been trying to have this conversation to no avail, but the risk of getting lost in translation is far too high. To engage the board, you need to clearly demonstrate the direct link between what happens if a hacker finds a vulnerability in your network and how badly things can go wrong as a result. If you speak a truth that they understand, you’ll unlock the trust, transparency and cooperation that is needed to give cybersecurity the attention it deserves at all levels of the business. Red teams can help you achieve this.

Red teams and “offensive security”

What red teams can give CISOs is the cold, hard truth of how their network stacks up against threats that could be ruinous to the business. Red teams leave no stone unturned and pull on every thread until it unravels. This shines light on the vulnerabilities that will harm the finances or reputation of the business.

With a red team, objective-based continuous penetration testing (led by experts that know attackers’ best tricks) can relentlessly scrutinize the attack surface to explore every avenue that could lead to a breakthrough. This proactive, “offensive security” approach will give a business the most comprehensive picture of their attack surface that money can buy, mapping out every possibility available to an attacker and how it can be remediated.

It is also not limited to testing the technology stack; for businesses concerned that their employees are susceptible to social engineering attacks, red teams can emulate social engineering scenarios as part of their testing. A stringent social engineering assessment program should not be overlooked in favor of only scrutinizing weaknesses in IT infrastructure. Cybersecurity is a human problem that needs humans to create a solution, using the available technology.

Get the facts, earn their trust

For CISOs, the evidence from red teams gives the who, what, when and how of how their attack surface stands up to scrutiny, with none of the negative consequences of a malicious breach. This is the evidence they can take to the board and confidently state the case for cybersecurity to be taken seriously at the exec level and gain the trust they need to put their best foot forward against ransomware.

For the board, they will simultaneously see the big picture of threats to their attack surface, but also be presented with a plan for remediation. They can trust the IT team that everything is being done to resolve vulnerabilities before it can affect the business. And because red teams have the knowledge to accurately gauge how urgent of a risk each vulnerability is, the presentation can zero-in on what needs to be done immediately, keeping these discussions succinct and solutions focused.

Once that trust has been built, red teams make it easy for the board to stay updated on cybersecurity. Continuous penetration testing persists even after vulnerabilities are remediated to make sure that the problem is truly fixed. This means cybersecurity always has its place on the agenda and there is transparency between CISOs and execs on how the organization is proactively looking to patch vulnerabilities, before an attacker knows they exists.

If an organization’s cybersecurity is not receiving the attention it deserves, then the board needs to know. However, it can be hard to get engagement from the wxecs if the information security team don’t speak “board language”. By deploying the expertise of a red team, you’ll have the facts you need to cut to the heart of what these decision-makers really care about with hard evidence of the risks they are facing, unlocking the support from the top needed to keep the entire business secure.

The Business-Minded CISO: How to Organize, Evangelize, and Operate an Enterprise-wide IT Risk Management Program

InfoSec tools | InfoSec services | InfoSec books

Tags: Red teaming

Jun 07 2023

Disaster recovery challenges enterprise CISOs face

Category: CISO,vCISOdisc7 @ 5:30 am

An essential aspect of organizational operations is effectively responding to and returning from a disruptive event, commonly called disaster recovery.

The primary objective of DR techniques is to restore the utilization of crucial systems and IT infrastructure following a disaster. To proactively tackle such scenarios, organizations conduct a comprehensive assessment of their systems and establish a formal document that serves as a guiding framework during times of crisis. This document is commonly known as a disaster recovery plan.

In this Help Net Security video, Chris Groot, General Manager of Cove Data Protection at N-able, discusses enterprise CISOs’ challenges with disaster recovery.

Resilience: Powerful Practices for Bouncing Back from Disappointment, Difficulty, and Even Disaster

InfoSec tools | InfoSec services | InfoSec books

Tags: Disaster recovery, Resilience:

Next Page »