It’s no secret: Chief information security officers shoulder a lot of responsibility. They are the mediator between profit and risk, and every year the stakes seem to get higher. If you are a CISO or security leader, the number of things you are responsible for doing well can seem daunting. Information security has many facets, so it can be difficult to figure out what to focus on and how to prioritize your efforts.
There are a few key things that are truly foundational to a successful information security program, and they should be made your top priority. Whether you are starting out as a new CISO, or looking to strengthen an established information security program, these things are essential for any security leader. The foundational security areas I’m referring to are informed leadership, security culture in the business, and technical maturity.
As a CISO, you are the security representative who has a seat at the table with the key decision-makers within your business. Being able to communicate effectively with other business leaders is important because you need to be able to clearly demonstrate when your information security program has a big need that isn’t being met.
First, make sure your business executives are aware of the potential outcomes of a cyber-attack, and gauge which outcomes they are most worried about. Beyond ransomware, regulatory penalties, damage to brand reputation, and loss of intellectual property can all translate into financial risk for the business. Other business executives don’t usually have much of a background in information security or IT, but they do understand risk. Knowing what other leaders find the most valuable can help you communicate risk in a context they recognize.
Once you understand your business leaders’ biggest concerns and what they consider the most valuable, you can begin to advocate for investment in security. Your leaders’ concerns probably don’t always match up with the true cyber risk that your business faces. In cases like that, metrics are the tool for changing their perspective. Clear and relevant metrics are the most effective means you have at your disposal for informing leaders in other areas of the business and conveying risk to them.
While technical maturity is probably the most considered foundation of a strong information security program, security culture within the business is probably thought about the least. Nonetheless, it is integral to securing an organization from cyber threats and information loss. Employees without an information security background play a huge role in protecting the company from breaches. Because of that, it’s important to foster a positive relationship between information security and the rest of the business.
Having employees who are aware of security issues is the first step towards connecting them with security. Phishing training is a common practice that builds security awareness, as is having security policies that define proper use of computers. It can also be helpful to supplement your policies and training with technical controls such as warnings about external senders in emails and data sensitivity labels on documents. While these practices are great for building awareness, their effectiveness and acceptance vary with how they are delivered.
Once your employees are aware of potential security risks, the next step is to get their support for improving things. Sometimes this can be a big hurdle. In some organizations, security is treated as a bad word because of the hindrances to productivity or punishment for things like failing phishing training. Ultimately, you want your employees to find security engaging and not a chore. The more you can find ways to make security training fun or security controls easier to use, the better your employees will respond.
Building technical maturity is the most time-demanding part of an information security program. There are many things to consider, and the list continues to grow over time as computers and information are used to drive more business areas. Because of the overwhelming amount of work to be done, it can be helpful to use frameworks like the NIST Cybersecurity Framework to assist you in setting your priorities.
Frameworks have pros and cons, and it’s important to understand them to be able to use a framework effectively. The positive side of frameworks is that they are very thorough, and you can rely on them to not leave out important considerations when securing your business. The negative side of frameworks is that it’s easy to get caught up in the formalities of the framework and not consider what it means in the context of your business.
Rather than checking every box in the framework with the least amount of investment, you need to make sure you are implementing robust solutions to every problem you are trying to solve. You also need to make sure that you are taking the current threat landscape into account when prioritizing where you are investing your time and resources. Security is an ever-evolving problem, and cyber risk can pop up or regress in different areas over time.