Oct 30 2023
In the leadership and communications section, Proactive Boards Enable More Reliable Cyber Governance, CISO Best Practices for Managing Cyber Risk, The Evolution of Work: How Can Companies Prepare for What’s to Come?, and more!
Visit https://www.securityweekly.com/bsw for all the latest episodes!
Show Notes: https://securityweekly.com/bsw-326
Oct 14 2023
Best implementers of InfoSec program (ISMS) are those who possess both management and leadership capabilities…
CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers
2020 Cybersecurity CANON Hall of Fame Winner
Todd Fitzgerald, co-author of the ground-breaking (ISC)2 CISO Leadership: Essential Principles for Success, Information Security Governance Simplified: From the Boardroom to the Keyboard, co-author for the E-C Council CISO Body of Knowledge, and contributor to many others including Official (ISC)2 Guide to the CISSP CBK, COBIT 5 for Information Security, and ISACA CSX Cybersecurity Fundamental Certification, is back with this new book incorporating practical experience in leading, building, and sustaining an information security/cybersecurity program.
CISO COMPASS includes personal, pragmatic perspectives and lessons learned of over 75 award-winning CISOs, security leaders, professional association leaders, and cybersecurity standard setters who have fought the tough battle. Todd has also, for the first time, adapted the McKinsey 7S framework (strategy, structure, systems, shared values, staff, skills and style) for organizational effectiveness to the practice of leading cybersecurity to structure the content to ensure comprehensive coverage by the CISO and security leaders to key issues impacting the delivery of the cybersecurity strategy and demonstrate to the Board of Directors due diligence. The insights will assist the security leader to create programs appreciated and supported by the organization, capable of industry/ peer award-winning recognition, enhance cybersecurity maturity, gain confidence by senior management, and avoid pitfalls.
The book is a comprehensive, soup-to-nuts book enabling security leaders to effectively protect information assets and build award-winning programs by covering topics such as developing cybersecurity strategy, emerging trends and technologies, cybersecurity organization structure and reporting models, leveraging current incidents, security control frameworks, risk management, laws and regulations, data protection and privacy, meaningful policies and procedures, multi-generational workforce team dynamics, soft skills, and communicating with the Board of Directors and executive management. The book is valuable to current and future security leaders as a valuable resource and an integral part of any college program for information/ cybersecurity.
Previous articles on the subject of Chief Information Security Officers (CISOs)
Previous articles on the subject of Virtual Chief Information Security Officers (vCISOs).
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Sep 20 2023
Aug 22 2023
A Chief Information Security Officer (CISO) is vital for safeguarding an organization’s digital assets. They oversee sensitive data security, combat cyber threats, and uphold data integrity. The CISO devises security strategies, partners with stakeholders, and addresses vulnerabilities. The Help Net Security roundup showcases insights from experts through recorded videos, highlighting the pivotal responsibilities and challenges that characterize the role of CISOs.
Complete videos
DISC InfoSec previous posts on CISO topic
InfoSec tools | InfoSec services | InfoSec books | Follow our blog
Aug 20 2023
Cynomi Study Reveals Number of MSPs Providing Virtual CISO Services Will Grow Fivefold By Next Year
The frequency of cyberattacks is increasing, particularly targeting smaller businesses. However, most small and mid-size companies cannot afford a full-time security professional. To address this, they are turning to vCISO (virtual Chief Information Security Officer) services offered by Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs). These services provide access to external cybersecurity experts at a lower cost than hiring an in-house CISO.
A report by Cynomi, based on a survey of 200 executives in the U.S. and Canada, shows the rising demand for vCISO services among SMBs and how MSPs and MSSPs are responding to this demand. The report reveals that 84% of those not currently offering vCISO services but plan to do so by the end of 2024. The number of providers offering these services has been consistently growing, with 8% in 2022, 28% in 2023, and a projected 45% in 2024.
MSPs and MSSPs are motivated to offer vCISO services due to anticipated increased revenue, higher margins, easy upselling of other cybersecurity services, and enhanced client engagement. Although they foresee challenges such as limited in-house security knowledge and a lack of skilled cybersecurity personnel, vCISO platforms help mitigate these concerns.
Cynomi, a leading vCISO platform provider, aims to conduct annual studies on the growing trend of the vCISO role. They have also created a directory of prominent vCISO service providers to help SMBs find trusted security partners, offering details about services and technology platforms used by each provider.
DISC InfoSec Previous posts on vCISO
InfoSec tools | InfoSec services | InfoSec books | Follow our blog
Aug 19 2023
In the provided article, the author, who is a Chief Information Security Officer (CISO), discusses the challenges and strategies related to maintaining technical expertise while effectively communicating complex cybersecurity issues to stakeholders in a comprehensible manner.
The author emphasizes the importance of understanding the intricacies of technology in order to secure it effectively. This philosophy has driven the author to stay up-to-date with technology trends, collaborate with other security experts, and maintain a deep connection with their technical teams. The author also highlights the value of using simple metaphors to explain complex concepts, leveraging their strong technical background to convey information in a way that is easier for non-technical stakeholders to grasp.
In the context of managing cyber resilience efforts across an enterprise, the author draws parallels to managing different types of risk, categorizing them as good and bad risks. Good risks are those that contribute to business growth and innovation, while bad risks are associated with lacking proper planning and security measures. Balancing these risks requires strong relationships across the organization and constant communication.
The article also discusses the impact of digital initiatives and rapid digital transformation on the CISO’s role. While digital transformation can enhance efficiency and lower risks, challenges arise when new technologies like cloud or SaaS services are introduced without a clear understanding of their security implications. Collaboration between technology vendors, cybersecurity companies, and leadership teams is essential to address these challenges.
In the face of external events that test organizational resilience, the author presents four key principles for effective leadership: communication, agility, constant learning, and adaptability. These principles help leaders navigate uncertainties, learn from experiences, and handle change more effectively.
For a newly appointed CISO tasked with explaining complex cyber regulations to the board, the author suggests researching the backgrounds and industries of board members to tailor explanations to their perspectives. Comparisons to regulations in related industries or significant news events can help the board better understand the issues and recognize the CISO’s commitment to understanding the regulatory landscape.
In summary, the article underscores the need for CISOs to balance technical expertise with effective communication, employing metaphors to simplify complex concepts, and building strong relationships to manage cyber risks across the enterprise. It also highlights the challenges and strategies associated with digital transformation, organizational resilience, and succinctly communicating complex regulations to the board.
DISC InfoSec previous posts on CISO topic
InfoSec tools | InfoSec services | InfoSec books | Follow our blog
Aug 02 2023
How CISOs can succeed in a challenging landscape Reimagining operational resilience and recovery in 2023
#CISOs face mounting demands to develop information security strategies that effectively safeguard their organizations against an ever-evolving threat landscape. A strong information security stance is imperative, but the requirements for security and risk management are intricate and distinct for each organization. The alignment of business priorities and suitable solutions may not always be apparent, while swift results and cost-effective measures are crucial.
In what situations would a vCISO or CISOaaS Service be appropriate?
CISO Conversations: The Role of the vCISO
InfoSec tools | InfoSec services | InfoSec books
Aug 02 2023
A CISO needs to wear many hats across the business and juggle many competing priorities. They need to be a customer support representative, a product partner, a manager, a visionary, a strategist, and of course, a security expert.
I have found that some of the most important characteristics are to be friendly, honest, and emphatic. Being a friend to the organization and people you work with, rather than leading with just policies and demands, is critical to getting more done and the success of your team.
It may sound counterintuitive, but a good CISO must get out from behind the technology and understand the people they are serving. Of course, you must maintain a high level of technology knowledge, but if you find yourself only sitting in front of a firewall console, you’re probably in the wrong job.
With the more-rapidly-than-ever changing environment, you can rarely rely solely on multi-year strategies or multi-quarter roadmaps. You must be ready for constant change and quickly adapt to it.
CISOs must create a security strategy built around anticipating outcomes and a feedback loop to gather information during incidents, assessments, threat analysis, and research. The information gathered should then be turned into metrics which will give insights into if the strategy is working, and, if necessary, how to evolve the strategy.
Though CISOs play a lead role in managing an organization’s security posture, it is important that cybersecurity efforts manifest as a shared responsibility across an organization. From new hires to the C-suite, cybersecurity should be a communicated priority for all employees. Everyone should care about security, and if they don’t do it, it’s because they don’t understand something about the situation or ask.
Just as much as a CISO needs to learn about the business, they must also educate other business leaders on what’s out there and the landscape of evolving threats. Then, it’s important to connect these threats and the solutions back to the goals of that part of the business so teams can fully understand the role they can play in mitigating risk.
It’s important to prioritize security and proactively communicate initiatives with stakeholders. However, building and maintaining trust isn’t a one-size-fits-all approach. CISOs must possess the ability to effectively communicate and educate all stakeholders about the specific cyber risks relevant to their organization while also proactively outlining how it is prepared to address those risks. Implementing robust, proactive security measures and emphasizing the protection of sensitive data will reassure customers, stakeholders, and employees alike that their information is secure. Swiftly acting on emerging and existing security threats also reinforces trust and demonstrates an organization’s proactive efforts in addressing threats before they become detrimental.
There are three ways I manage competing priorities: Focus, transparency, and accountability. A CISO must focus on the tasks that have the biggest ROIs, and not get distracted by the noise. Leading with transparency will make it clear to everyone within the organization why we are making changes or asks. And finally, security posture and response can only be improved when accountability is clear. And not just accountability of the security team, but accountability from across the organization where everyone understands the responsibility.
By making data-driven decisions and conducting continuous risk assessments, CISOs can strategically allocate resources to high-priority tasks. The delicate balance lies in leading these various aspects while leveraging the expertise of a skilled team to ensure comprehensive security protection across the organization. By staffing a knowledgeable team of security experts and empowering them to take ownership of their day-to-day responsibilities, CISOs can focus their time on providing strategic and executive-level oversight on key issues.
From a leadership standpoint, the CISO is so much more than just security. It’s truly a business leader position, they are collaborating with the other business leaders to share the same resources. CISOs must understand the organizational goals, the customer needs, and the capacity of each team to prioritize security in collaboration with product management, IT leaders, CTO, etc.
CISOs must maintain fundamental technology knowledge but rely on the team’s subject matter expertise for deeper technical aspects. It’s important to find the right training, like CISSP, and vendor-specific certifications, without overwhelming yourself.
In what situations would a vCISO or CISOaaS Service be appropriate?
CISO Conversations: The Role of the vCISO
InfoSec tools | InfoSec services | InfoSec books
Jul 31 2023
Superstar CISOs stand out from the rest due to their acute understanding of the growing threat landscape and the shortage of cybersecurity skills. However, they refuse to succumb to despair and instead leverage their existing assets effectively, notably by recognizing an overlooked security resource: their development teams.
In the era of DevSecOps hype, it’s common to say that security is everyone’s responsibility. But there are limits to what untrained and unmotivated workers – especially those who don’t work in IT – can do to make their organization more secure against cyberthreats.
For example, in the real world, travelers at a busy airport should feel responsible for reporting an unattended bag sitting alone in a suspicious location. However, they aren’t trained to inspect that bag to look for threats or empowered to take any actions on their own. At a company, it’s one thing to make everyone aware of cybersecurity, and another to educate them to make their organization more secure within the context of their role or to use the defensive tools they already have in place to counter threats and squash vulnerabilities.
For that, companies need to invest in upskilling. It’s far better, and oftentimes easier, to invest in the talented, loyal staff that are already a part of your organization than to try and hire new people from the outside. But even then, putting those learning resources in the best place to get the required results is key.
Developers already understand IT since they write much of the code for the programs being used by their organizations. And they are often ready, willing, and able to upskill in cybersecurity to help make them even more amazing at their jobs. Smart CISOs are tapping into that enthusiasm and providing developers with the education pathways they want and need, with the payoff being a reduction in common vulnerabilities (not to mention less pressure on overworked AppSec personnel).
The best CISOs know that upskilling is critical to success. But not just any training will do, especially for the development community who already have a good baseline understanding of IT. A “check-the-box” program won’t offer much return on investment and will likely frustrate developers into poor performance and a lifelong hatred of working with security teams.
Likewise, any solution that impedes their workflow, fails to stay agile with enterprise security goals, or cannot deliver the right education at the right time in an easily digestible format, is unlikely to result in foundational security awareness or skills.
Exemplary CISOs are also able to address other key pain points that traditionally flummox good cybersecurity programs, such as the relationships between developers and application security (AppSec) teams, or how cybersecurity is viewed by other C-suite executives and the board of directors.
For AppSec relations, good CISOs realize that developer enablement helps to shift security farther to the so-called left and closer to a piece of software’s origins. Fixing flaws before applications are dropped into production environments is important, and much better than the old way of building code first and running it past the AppSec team at the last minute to avoid those annoying hotfixes and delays to delivery. But it can’t solve all of AppSec’s problems alone. Some vulnerabilities may not show up until applications get into production, so relying on shifting left in isolation to catch all vulnerabilities is impractical and costly.
There also needs to be continuous testing and monitoring in the production environment, and yes, sometimes apps will need to be sent back to developers even after they have been deployed. A great CISO, with a foot in development and security, can smooth out those relations and keep everyone working as a team.
Getting other C-suite executives onboard with better security might be an even more difficult challenge, with leadership outside the CISO and CIO normally looking at business objectives and profits before anything else. To counter that, superstar CISOs know how to show a direct correlation between better, more mature cybersecurity and increased revenue, and how it can even provide a competitive advantage against the competition.
It’s not easy being a CISO, and certainly more challenging than at any other point in history. But those CISOs who master that adversity are becoming true superstars within their companies and communities. They competently employ agile developer upskilling, champion security culture, streamline relationships between the traditional rivals of development and AppSec teams, and encourage leadership to foster a security-first approach from the top down.
In what situations would a vCISO or CISOaaS Service be appropriate?
CISO Conversations: The Role of the vCISO
InfoSec tools | InfoSec services | InfoSec books
Jul 18 2023
In today’s evolving digital landscape, the role of a chief information security officer (CISO) is critical. These professionals defend against the rising tide of daily cyberthreats. Yet we’re seeing a trend: Many CISOs are leaving or considering leaving their jobs, a phenomenon coined the “Great CISO Resignation.”
This trend seems to reflect the intense pressure CISOs endure. They face a constant stream of complex cyberthreats, manage compliance issues and struggle with a talent deficit in cybersecurity. Paired with high expectations, many reconsider their roles, which can lead to a leadership gap.
However, this situation opens a strategic opportunity for innovation. As the founder and president of a company that offers virtual chief information security officer (vCISO) services, I’ve seen this model gaining momentum.
A vCISO is an outsourced security practitioner or provider who offers their expertise to businesses on a part-time or contractual basis. These professionals provide many of the same services as a traditional CISO, such as developing and implementing security strategies, ensuring compliance with regulations, training staff and managing a company’s cybersecurity posture. The key difference is that vCISOs offer these services remotely and often to multiple companies at once.
This model brings flexibility and scalability, allowing businesses to tailor cybersecurity leadership to their specific needs. It also provides access to a breadth of expertise that is often unaffordable in a full-time, in-house CISO.
With the current trend of CISOs leaving their positions, the vCISO model offers a practical solution to maintain cybersecurity leadership. Here are some ways businesses can take advantage of this model:
When a CISO departs, they leave a leadership void that’s hard to fill quickly, especially considering the shortage of cybersecurity talent. By leveraging a vCISO, businesses can plug this gap swiftly, ensuring continued oversight and direction in their cybersecurity efforts.
vCISOs, often being part of a larger team, can bring a wide range of experiences and skills. They are exposed to diverse security landscapes across industries, which can provide a fresh perspective and innovative solutions to your security challenges.
Hiring a full-time CISO can be prohibitively expensive for some companies. vCISO services, on the other hand, can be scaled to fit budgetary constraints, giving businesses access to top-tier security leadership without as much of a hefty price tag.
As your business grows and evolves, so too can your cybersecurity needs. A vCISO’s flexible engagement model means you can scale cybersecurity leadership to match your changing requirements.
Selecting the right virtual chief information security officer is pivotal to the success of your cybersecurity strategy, especially in the wake of the “Great CISO Resignation.” You’re essentially recruiting an outsourced leader who can help guide your organization’s information security infrastructure and strategy, so you need to ensure that they not only have the expertise but that they also align with your organization’s culture and values. Here are some strategic suggestions for identifying the perfect vCISO for your business:
Start by examining the vCISO’s professional background. This includes their level of experience in your specific industry, as well as their familiarity with the size and type of businesses like yours. Their past roles and achievements can provide valuable insight into their ability to handle the unique cybersecurity threats and risks your business may face. Don’t hesitate to ask for a detailed track record of their experience and successes.
Probe into their knowledge of current cybersecurity trends, their ability to create a cybersecurity strategy, their understanding of regulatory requirements that are relevant to your industry and their experience in managing security incidents. You should also ask about their experience with various cybersecurity tools and technologies. A vCISO’s expertise should encompass not only tactical but also strategic thinking and planning.
Get a sense of their management style, communication skills and approach to problem-solving. Cybersecurity is a team effort, so the vCISO needs to effectively work with and guide your in-house team. Are they able to communicate complex security concepts in a way that everyone in your organization can understand? Can they foster a security-first culture within the company?
The right vCISO should understand your business strategy and align security strategies to business objectives. They should be able to strike a balance between the necessary security measures and the operational needs of your company.
In what situations would a vCISO or CISOaaS Service be appropriate?
CISO Conversations: The Role of the vCISO
We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our website’s contact form.
InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services
Jul 17 2023
In this Help Net Security interview, Charles Brooks, Adjunct Professor at Georgetown University’s Applied Intelligence Program and graduate Cybersecurity Programs, talks about how zero trust principles, identity access management, and managed security services are crucial for effective cybersecurity, and how implementation of new technologies like AI, machine learning, and tracking tools can enhance supply chain security.
The loss of data despite protection measures is not that surprising. We are all playing catchup in cybersecurity. The internet was invented in a government laboratory and later commercialized in the private sector. The hardware, software, and networks were originally designed for open communication. Cybersecurity initially was not a major consideration. That mindset has surely changed due to the explosion of connectivity and commerce on the internet and CISOs are playing a big game of catch up too.
There are a multitude of causes that can account for the exfiltration of sensitive data. The first being that hacker adversaries have become more sophisticated and capable of breaching. The basic tools and tactics hackers use for exploitation include malware, social engineering, phishing (the easiest most common, especially spear-phishing aimed at corporate executives), ransomware, insider threats, and DDOS attacks. Also, they often use advanced and automated hacking tools shared on the dark web, including AI and ML tools that are used to attack and explore victims’ networks. That evolving chest of hacker weaponry is not so easy for CISOs to defend against.
Another big factor is the reality is that exponential digital connectivity propelled by the COVID-19 pandemic has changed the security paradigm. Many employees now work from hybrid and remote offices. There is more attack surface area to protect with less visibility and controls in place for the CISO. Therefore, it is logical to conclude that more sensitive data has and will be exposed to hackers.
The notion of adequate protection is a misnomer as threats are constantly morphing. All it takes is one crafty phish, a misconfiguration, or a failure to do a timely patch for a gap to provide an opportunity for a breach. Finally, many CISOs have had to operate with limited budgets and qualified cyber personnel. Perhaps they have lower expectations of the level of security they can achieve under the circumstances.
CISOs must enact a prudent risk management strategy according to their industry and size that they can follow to allow them to best optimize resources. A good risk management strategy will devise a vulnerability framework that Identifies digital assets and data to be protected. A risk assessment can quickly identify and prioritize cyber vulnerabilities so that you can immediately deploy solutions to protect critical assets from malicious cyber actors while immediately improving overall operational cybersecurity. This includes protecting and backing up business enterprise systems such as: financial systems, email exchange servers, HR, and procurement systems with new security tools (encryption, threat intel & detection, firewalls, etc.) and policies.
There are measures in a vulnerability framework that are not cost prohibitive. Those measures can include mandating strong passwords for employees and requiring multi-factor authentication. Firewalls can be set up and CISOs can make plans to segment their most sensitive data. Encryption software can also be affordable. The use of the cloud and hybrid clouds enables implementation of dynamic policies, faster encryption, drives down costs, and provides more transparency for access control (reducing insider threats). A good cloud provider can provide some of those security controls for a reasonable cost. Clouds are not inherently risky, but CISOs and companies will need to recognize that they must thoroughly evaluate provider policies and capabilities to protect their vital data.
And if a CISO is responsible for protecting a small or medium business without a deep IT and cybersecurity team below them, and are wary of cloud costs and management, they can also consider outside managed security services.
This goes to the essence of the strategy of zero trust. Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Organizations need to know everything that is connected to the network, devices & people.
Identity access management or IAM, is very important. IAM the label used for the set of technologies and policies that control who accesses what resources inside a system. A CISO must determine and know who has access to what data and why. If an employee leaves, they need to immediately revoke privileges and ensure that nothing sensitive was removed from the organization. There are many good IAM tools available from vendors on the market.
Certainly, with employee turnover, there are ethical and trust elements involved. Employee insider threats are difficult to detect and manage. Some of that can be addressed upfront in employment contracts with an employee understanding of the legal parameters involved, it is less likely that they will run off with sensitive data.
Yes, the burnout is a direct result of CISOs having too many responsibilities, too little budget, and too few workers to run operations and help mitigate growing cyber-threats. Now the personal liability factors exemplified by as the class action suit against Solar’s Wind’s CISO, and the suit against Uber’s CISO for obscuring ransomware payments, has heightened the risk. In an industry that is already lacking in required numbers of cybersecurity leaders and technicians, CISOs need to be given not only the tools, but the protections necessary for them to excel in their roles. If not, the burnout and liability issues will put more companies and organizations at greater risk.
Despite the trends of greater frequency, sophistication, lethality, and liabilities associated with incursions, industry management has been mostly unprepared and slow to act at becoming more cyber secure. A Gartner survey found that 88% of Boards of Directors (BoDs) view cybersecurity as a business risk, as opposed to a technology risk, according to a new survey, and that only 12% of BoDs have a dedicated board-level cybersecurity committee.
“It’s time for executives outside of IT to take responsibility for securing the enterprise,” said Paul Proctor, Chief of Research for Risk and Security. “The influx of ransomware and supply chain attacks seen throughout 2021, many of which targeted operation- and mission-critical environments, should be a wake-up call that security is a business issue, and not just another problem for IT to solve.”
CISOs not only need a seat at the table in the C-Suite, but they also need insurance protections comparable to other executive management that limits their personal liability. There is no panacea for perfect cybersecurity. Breaches can happen to any company or person in our precarious digital landscape. It is not fair or good business to have CISO go at it alone. In a similar context, cybersecurity should no longer be viewed as a cost item for businesses or organizations. It has become an ROI that can ensure continuity of operations and protect reputation. Investment in both the company and the CISO’s compensation and portfolio of required duties need to be a priority going forward.
As supply chain risk continues to be a recurring priority, how can CISOs better manage this aspect of their cybersecurity strategies, especially under constrained budgets?
Ensuring that the supply chain is not breached including the design, manufacturing, production, distribution, installation, operation, and maintenance elements is a challenge to all companies. Cyber-attackers will always look for the weakest point of entry and mitigating third-party risk is critical for cybersecurity. Supply chain cyber-attacks can be perpetrated from nation-state adversaries, espionage operators, criminals, or hacktivists.
CISOs require visibility of all vendors in the supply chain along with set policies and monitoring. NIST, a non-regulatory agency of the US Department of Commerce has a suggested framework for supply chain security that provides sound guidelines from both government and industry.
NIST recommends:
Other mitigation efforts can be done with the acquisition of new technologies that monitor, alert, and analyze activities in the supply chain. Artificial intelligence and machine learning tools can provide visibility and predictive analytics, and stenographic and watermark technologies can provide tracking of products and software.
Previous DISC InfoSec posts on CISO topic
InfoSec tools | InfoSec services | InfoSec books
Jul 13 2023
Due to their distinct perspectives, board members and CISOs often have differing views on cyber attack risks. The discrepancy arises when boards need cybersecurity expertise, need help comprehending technical jargon, or when CISOs need to communicate in business language.
In this Help Net Security interview, David Christensen, CISO of PlanSource, proposes strategies to understand and acknowledge the broader organizational and strategic implications of cybersecurity risk management, strategy, and governance.
A difference in perspective is a fundamental reason board members and CISO are not always aligned. Board members typically have a much broader view of the organization’s goals, strategies, and overall risk landscape, where CISOs are responsible for assessing and mitigating cybersecurity risk. These differences in perspectives lead to contrasting priorities and risk assessments. However, when board members and CISOs do not see eye-to-eye on the risk of cyber attacks, it’s often a result of the board lacking cybersecurity expertise among its members, the complexity with understanding the topic and CISOs who focus too heavily on technical language during their discussions with the board.
Communicating cyber risk to the board requires the CISO to understand the audience, translating technical jargon into business language, allowing the board to see the CISO as a strategic partner. Becoming the strategic partner also requires CISOs to view their cybersecurity investments in terms of ROI to help the board understand the importance of an investment against competing priorities and spend.
CISOs need to also understand that board members often have a shorter time horizon for decision-making, focusing on quarterly or annual performance, in contrast to CISOs being more attuned to the potential long-term impacts of cyber attacks and advocating for proactive measures. This misalignment in time horizons can contribute to disparities in risk perceptions.
A CISO needs to understand the knowledge and background of the board members to be able to translate technical jargon into business language and something familiar with the target audience. I approach this by relating technical jargon to everyday situations or business scenarios, something the board can easily grasp.
To be effective at this style of communication, I collaborate with other business leaders outside of the technology groups to optimize business alignment. Focusing on the potential business impact of cybersecurity risk also allows a CISO to frame technical issues in terms of their consequences such as financial loss or damage to the company’s brand.
It is equally important to be concise and avoid over-embellishing cyber-risks, while still focusing on the strategic objectives you are asking the board to weigh in on. To bridge the gap between board members and CISOs to promote the mitigation of cyber-risk, it is essential that a CISO enhance communication, educate board members about cybersecurity risks and promote a collaborative approach to decision making.
For boards to better understand and acknowledge the broader organizational and strategic implications of cybersecurity, there needs to be a shift in how cyber-risk is viewed and approached. Boards can start by overcoming the common CISO-board disconnect that exists, developing a direct and strategic relationship with the CISO that continues outside of board meetings. Boards should also allocate more of their time to the topic of cybersecurity and allow the CISO to communicate risk to the board beyond just a handful of quarterly slides. Cybersecurity expertise also needs to be a part of a board’s composition, by including directors with a blend of business and cyber experience.
When the proposed amendments by the SEC become a reality, I envision boards putting more attention on cybersecurity issues. The hope is that these changes will lead boards to dedicate more resources, time, and expertise to assessing, managing and mitigating cybersecurity risk before they are impacted by an incident.
I would then expect this to result in boards establishing or enhancing governance structures related to cybersecurity, leading to them defining clear roles and responsibilities for cybersecurity oversight, and ultimately the presence of cybersecurity expertise at the board level. These amendments are also going to encourage boards to integrate cybersecurity considerations into their overall business strategy.
Boards members should actively educate themselves about cybersecurity, attending training, workshops and conferences on the topic that can help them stay updated on emerging threats and latest trends. Boards should also establish a dedicated cybersecurity committee made up of members with relevant expertise to help assess and oversee cybersecurity initiatives within an organization.
The board should also engage with cybersecurity experts and consultants to gain insights into the specific risks and challenges facing their organization. In addition, boards should require their organizations conduct regular risk assessments, as well as reviewing cybersecurity reports, which will provide an overview of the organization’s cybersecurity posture.
InfoSec tools | InfoSec services | InfoSec books
Jul 08 2023
By — Gary Hinson — on LinkedIn
SuperCISO’s superpowers: Visionary cartographer: scan the horizon and map out the information risk…
SuperCISO’s superpowers:
Visionary cartographer:
Change catalyst:
Team-builder and inspirational leader:
Rock:
Smooth-talking diplomatic facilitator:
Swamp-avoiding corner-cutting road-hump-flattening soot-juggler:
Empathetic relationship builder:
Guardrail installer:
Culture cultivator:
Sage:
Unless you really are superhuman, you can’t expect to do all those things (and more) exceptionally well … so a more pragmatic approach starts with self-awareness and a personal/career strategy. One possibility is to run a SWOT analysis on yourself:
Hinson tip: if you find this process confusing and awkward, discreetly seek the assistance and guidance of close colleagues, friends and family members. Google for HR tools and techniques such as the Myers-Briggs approach. Take a cold, hard, dispassionate look at your own CV: if you were tasked to appoint your own replacement before leaving the organisation, would your CV pass muster? What might raise concerns among the interview panel? Which aspects beg questions? Issues from your past will naturally dissolve over time, but perhaps you can address them more proactively to speed-up the dissipation, for example through self-study, training or seeking out chances to make and demonstrate progress. Making a genuine effort will highlight matters to bring up (or avoid!) at annual bonus appraisal or interview time so there’s a pay-off to aim for. Literally.
As career advice goes, that’s all very well … but in essence it applies to almost any management position, so what’s different about the pragmatic CISO?
if you are interested in Super CISO topic, this link and references may be of interest… to explore further.
The CISO Mentor: Pragmatic advice for emerging risk management leaders
Jul 07 2023
Jul 04 2023
Chief Information Security Officers (CISOs) hold a critical and challenging role in today’s rapidly evolving cybersecurity landscape. Here are the common security challenges CISOs face.
As organizations increasingly rely on technology to drive their operations, CISOs face complex security challenges that demand their expertise and strategic decision-making.
These challenges arise from the constant emergence of sophisticated cyber threats, the need to protect sensitive data, and the ever-evolving regulatory landscape.
The role of a CISO requires balancing proactive risk mitigation with the ability to respond swiftly to incidents and breaches.
This article will delve into the top challenges CISOs face, including protecting digital assets, managing security incidents, ensuring compliance, dealing with insider threats, and the relentless pursuit of cyber resilience.
By understanding these challenges, CISOs can develop robust cybersecurity strategies and lead their organizations toward a secure and resilient future.
Chief Information Security Officer (CISO) is a senior executive responsible for overseeing and administering an organization’s information security plan.
A CISO’s primary responsibility is safeguarding the confidentiality, availability, and integrity of an organization’s information assets and systems.
They are accountable for creating and enforcing strategies, policies, and procedures to defend against cyber threats, protect sensitive data, and mitigate security risks.
CISOs play a crucial role in maintaining an organization’s security posture by establishing and enforcing security standards, conducting risk assessments, and implementing appropriate security controls.
They collaborate with other executives, IT teams, and stakeholders to align security initiatives with business objectives and ensure that security measures are integrated into the organization’s operations.
In addition to their technical expertise, CISOs often engage in risk management, incident response planning, security awareness training, and compliance with regulatory requirements.
They stay updated on the latest cybersecurity trends, threats, and technologies to address emerging risks and implement appropriate security measures effectively.
The role of a CISO has become increasingly important as cyber threats evolve in complexity and frequency.
CISOs are responsible for safeguarding the organization’s sensitive information, maintaining the trust of customers and stakeholders, and ensuring business continuity in the face of cybersecurity challenges.
CISO Guide to Balancing Network Security Risks Offered by Perimeter 81 for free, helps to prevent your network from being at Risk.
CISOs face various common security challenges as they strive to protect their organizations’ digital assets and information. Perimeter 81 Guide helps CISOs to prevent their network from being at Risk. Some of the key challenges they encounter include:
As a Chief Information Security Officer (CISO), there are several security compliance frameworks and regulations that you should consider following, depending on the nature of your organization and its operations. Here are some of the key security compliance frameworks and regulations:
Managing a security team as a Chief Information Security Officer (CISO) requires effective leadership, communication, and coordination. Here are some key aspects to consider when managing a security team:
CISOs face many common security challenges as protectors of their organization’s digital assets and information.
From sophisticated cyberattacks and insider threats to compliance requirements and resource constraints, these challenges highlight the complex and evolving nature of the cybersecurity landscape.
CISOs must navigate these challenges by adopting a proactive and strategic approach to security, leveraging advanced technologies, fostering a strong security culture, and collaborating with stakeholders.
To overcome these challenges, CISOs must stay abreast of emerging threats, continuously evaluate and improve their security measures, and prioritize investments in critical security capabilities.
They must also foster strong partnerships with internal teams, third-party vendors, and industry peers to collectively address security challenges and share best practices.
While the security challenges CISOs face may seem daunting, they also present opportunities for innovation and growth.
By effectively addressing these challenges, CISOs can enhance their organizations’ security posture, safeguard critical assets, and instill confidence in customers and stakeholders.
Ultimately, the role of a CISO requires a comprehensive and adaptable approach to cybersecurity, where staying one step ahead of threats and continuously improving security measures are paramount.
By embracing these challenges, CISOs can help shape a secure and resilient future for their organizations in an increasingly interconnected and threat-filled digital landscape.
InfoSec tools | InfoSec services | InfoSec books
Jun 27 2023
Jun 27 2023
Jun 23 2023
Salt Security has released key findings from its ‘State of the CISO’ report. Conducted by Global Surveyz for Salt, the global CISO survey gathered feedback from 300 CISOs/CSOs around the world on issues resulting from digital transformation and enterprise digitalization.
The results highlight significant CISO challenges including the biggest security control gaps they must manage, the most significant personal struggles they face, and the impact that broader global issues are having on their ability to deliver effective cyber security strategies.
Today’s digital-first economy has transformed the role of the modern CISO, increasing threats and changing security priorities.
Key findings include:
The 2023 report shows that the digital-first economy has brought new security challenges for CISOs. Interestingly, most of the challenges cited by CISOs represent nearly equal levels of concern, forcing CISOs to address multiple challenges at the same time.
CISOs cite the following top security challenges:
Also notable, while most CISOs (44 percent) report security budgets are about 25 percent higher than two years ago, nearly 30 percent identify lack of budget to address new security challenges from digital transformation as a key challenge, and 34 percent of CISOs cite difficulty justifying the cost of security investments as a challenge.
Two thirds of CISOs state that they have more new digital services to secure compared to 2021. In addition, 89 percent of CISOs state that the rapid introduction of digital services creates unforeseen security risks in protecting their companies’ vital data. API adoption and supply chain/third party vendors presented the two highest security control gaps in organizations’ digital initiatives.
CISOs rank security control gaps resulting from digital initiatives as follows:
The vast majority of CISOs admit to feeling the impact of a number of global trends. More CISOs cited the speed of AI adoption as having significant impact, followed by macro-economic uncertainty, the geo/political climate, and layoffs. Specific CISO responses regarding the impact of global trends were:
The digital-first economy has also impacted CISOs on a personal level. Among the personal challenges reported were:
Nearly 50 percent of CISOs cite litigation concerns. With several high-profile CISO lawsuits making waves recently, CISOs are fearful of being found personally liable in the event of a breach, putting their livelihood at risk.
On a positive note, 96 percent of CISOs worldwide report that their boards of directors are knowledgeable or very knowledgeable about cyber security issues. In addition, the survey showed that 26 percent of CISOs present to the board on cyber risks mitigation and business exposure once a quarter or more, and 57 percent present to the board at least once every six months.
InfoSec tools | InfoSec services | InfoSec books
Jun 19 2023
As these breaches continue to make headlines, the time is now for boardroom executives to take on the responsibility of setting the tone for cybersecurity across the company. After all, instilling priorities at the board level and having that message trickle down across the company is a key tenet of business success.
But is cybersecurity treated differently? Some would argue that while cyber is certainly a priority in boardroom discussions, execs have still yet to take full responsibility for their security posture and often silo this to SecOps teams or their CISO. Given the potential for ransomware to destabilize operations, finances, and reputation, more execs should put cybersecurity front and center on the agenda. Perhaps they would if they understood the truth of what they were looking at.
While organizations around the world continue their journey to cyber-maturity, companies that don’t engage with the boardroom directly on cybersecurity are opening the door to serious risk in the future. This lack of engagement can be due to several variables, including lack of strong board cybersecurity expertise/experience, or simply an underestimation of risk. CISOs, whether they are in that boardroom or not, will recognize that this must change, and that change can only come from clearer communication of risk.
If you want the board to take more of an interest in cybersecurity or fully grasp the risk of not making it a priority for the company, then you need to speak to their level of risk. They want the ground truth, spoken to them in a way they understand and cuts through the technical jargon. How will the consequences of not doing this affect their bottom line? How will a ransomware attack affect their reputation? Why is this a priority right now?
The CISOs among us may feel like they’ve been trying to have this conversation to no avail, but the risk of getting lost in translation is far too high. To engage the board, you need to clearly demonstrate the direct link between what happens if a hacker finds a vulnerability in your network and how badly things can go wrong as a result. If you speak a truth that they understand, you’ll unlock the trust, transparency and cooperation that is needed to give cybersecurity the attention it deserves at all levels of the business. Red teams can help you achieve this.
What red teams can give CISOs is the cold, hard truth of how their network stacks up against threats that could be ruinous to the business. Red teams leave no stone unturned and pull on every thread until it unravels. This shines light on the vulnerabilities that will harm the finances or reputation of the business.
With a red team, objective-based continuous penetration testing (led by experts that know attackers’ best tricks) can relentlessly scrutinize the attack surface to explore every avenue that could lead to a breakthrough. This proactive, “offensive security” approach will give a business the most comprehensive picture of their attack surface that money can buy, mapping out every possibility available to an attacker and how it can be remediated.
It is also not limited to testing the technology stack; for businesses concerned that their employees are susceptible to social engineering attacks, red teams can emulate social engineering scenarios as part of their testing. A stringent social engineering assessment program should not be overlooked in favor of only scrutinizing weaknesses in IT infrastructure. Cybersecurity is a human problem that needs humans to create a solution, using the available technology.
For CISOs, the evidence from red teams gives the who, what, when and how of how their attack surface stands up to scrutiny, with none of the negative consequences of a malicious breach. This is the evidence they can take to the board and confidently state the case for cybersecurity to be taken seriously at the exec level and gain the trust they need to put their best foot forward against ransomware.
For the board, they will simultaneously see the big picture of threats to their attack surface, but also be presented with a plan for remediation. They can trust the IT team that everything is being done to resolve vulnerabilities before it can affect the business. And because red teams have the knowledge to accurately gauge how urgent of a risk each vulnerability is, the presentation can zero-in on what needs to be done immediately, keeping these discussions succinct and solutions focused.
Once that trust has been built, red teams make it easy for the board to stay updated on cybersecurity. Continuous penetration testing persists even after vulnerabilities are remediated to make sure that the problem is truly fixed. This means cybersecurity always has its place on the agenda and there is transparency between CISOs and execs on how the organization is proactively looking to patch vulnerabilities, before an attacker knows they exists.
If an organization’s cybersecurity is not receiving the attention it deserves, then the board needs to know. However, it can be hard to get engagement from the wxecs if the information security team don’t speak “board language”. By deploying the expertise of a red team, you’ll have the facts you need to cut to the heart of what these decision-makers really care about with hard evidence of the risks they are facing, unlocking the support from the top needed to keep the entire business secure.
InfoSec tools | InfoSec services | InfoSec books
Jun 07 2023
An essential aspect of organizational operations is effectively responding to and returning from a disruptive event, commonly called disaster recovery.
The primary objective of DR techniques is to restore the utilization of crucial systems and IT infrastructure following a disaster. To proactively tackle such scenarios, organizations conduct a comprehensive assessment of their systems and establish a formal document that serves as a guiding framework during times of crisis. This document is commonly known as a disaster recovery plan.
In this Help Net Security video, Chris Groot, General Manager of Cove Data Protection at N-able, discusses enterprise CISOs’ challenges with disaster recovery.
InfoSec tools | InfoSec services | InfoSec books
