As organizations become more dependent on ever-increasing amounts of data, many companies are hiring Chief Information Security Officers (CISOs) to take responsibility for managing their information security programs.
Nettitude frequently works with organizations to help define cyber security strategies, and has worked with a good number of CISOs over the years. Here are the top five things that we believe set a great CISO apart from a merely good Chief Information Security Officer.
They understand where data resides
We are creating more and more data every day. Employees interact with this data on the move, in the cloud and in the office. As a consequence, data is spreading, morphing and even leaking out of organizations at an unparalleled rate, and the risk of it being compromised is growing just as quickly. Users frequently download data so that they can work on it away from the office. This data is often stored on laptops and mobile phones, and is then replicated to NAS drives, to Dropbox repositories, or into OneDrive or iCloud. The data that once sat in a secure data center, in a single file server or database, has now spread into many other storage locations.
CISOs that take the time to understand where data really resides, and how users interact with it, have the best chance of securing it. Simply assuming that it is secure, and hoping that it has been contained to one location, is not enough. Data discovery, and a deep understanding of how users interact with data, is a key attribute of the great CISO.
They understand the likely threat, and tailor risk management programs accordingly
It is all too easy to believe the media hype and assume that we are all being targeted by sophisticated APT groups. Although for some organizations this may be true, for many other types of business there are far more likely threats than a nation-state actor.
CISOs that get to understand the threat landscape, and the types of threat most likely to affect their organization, are far more likely to build an effective risk management program. If the most likely threat is ransomware delivered to end-user devices, that knowledge should drive security awareness programs and the controls deployed to end-user machines. Alternatively, if a CISO is aware of a known organized crime group that has been targeting similar organizations within their industry, it becomes possible to focus on building defenses and detection points that address the tactics, techniques and procedures (TTPs) associated with that threat actor. In Nettitude's opinion, CISOs that understand the threat landscape will be much more effective at building mature and tailored risk management programs.
A CISO that looks at people, processes and technology as a whole
CISOs often focus too heavily on technology. Although technology clearly has a significant part to play, cyber security encompasses people, process and technology (PPT) as a whole. The most overlooked part of this PPT relationship is process. Many CISOs start by looking at technology and then move on to focusing on people. However, very few CISOs get a strong grip on the processes running within their organization, and on the vulnerabilities that are introduced into those processes when deviations occur. Nettitude frequently engages with organizations where processes are either undefined or over-defined. Documenting complex, business-critical processes and then storing that documentation on an unsecured internal file share introduces as much risk to an organization as forgetting to patch systems or failing to apply strong authentication controls. CISOs need to divide their time between people, process and technology, and not focus on technology alone.
A CISO that can juggle a lot of projects simultaneously and prioritize accordingly
Despite many organizations focusing on technology simplification, cyber security is becoming more and more complex. This complexity is driven by the fact that cyber security sits at the intersection of people, process and technology. However much technology, and technology-driven process, can be proceduralized, the moment it interacts with people, complexity and human vulnerability are introduced. CISOs need a strong understanding of technology, security and risk management. They also need strong business skills, strong communication skills, and the ability to take complex information and translate it into understandable and actionable tasks. Effective CISOs need all of these skills, and must be well versed in managing multiple projects simultaneously. The CISO role is really a multi-disciplinary role, rather than the technology-centric role that many organizations seem to believe it to be!
Plan to be breached, prepare to detect, and gain assurance about your company's response
Great CISOs understand that there is no such thing as 100% security. If an attacker is determined enough, has access to the right resources, and has plenty of time on their side, the chances of them penetrating an organization are high.
Great CISOs prepare to be compromised. They develop and test rigorous incident response plans, and conduct tabletop exercises to rehearse the steps they would go through in the event of a breach. A great CISO understands the need to continually hunt for threats within their organization. They build cyber security programs that focus on detection and response, rather than programs that focus purely on defense. Great CISOs do not simply take it for granted that their detection technology and processes are effective. They conduct ongoing assurance exercises against them, and align them with the threat landscape as it continually mutates and evolves.
Just one more...
OK, we said it was only a top five, but we felt that there was one other attribute that great CISOs tend to practice in addition to the five already mentioned.
Great CISOs educate, teach and evangelize good security practices upwards, downwards and sideways across all parts of the organization. They recognize that employees are people who interact with technology, cloud services and social media at home. As a consequence they equip employees with training that extends out of the office and into their home and social lives, in the hope that employees will go on to show their friends, families and loved ones how to be vigilant online. By focusing education on all parts of the organization, and on staff both at work and at home, great CISOs can engender a much more cyber-savvy culture in their organization over the long run.
How Nettitude can help your business
Nettitude delivers cyber security consulting and cyber strategy services to many types of organization, both large and small. We provide virtual CISO (V-CISO) services to augment or support organizations that have not yet been able to justify hiring a CISO of their own. To find out more about Nettitude's V-CISO services, fill in the form below and a member of the consulting team will be in touch.