Many vendors chase trends and lose sight of customer needs in the technology race. Meanwhile, the main problems CISOs face still lie within the bounds of security basics.
New technology will not bring value to your company unless you get your basic security right. While attackers and threats grow more sophisticated, the level of security awareness at board level often leaves much to be desired.
Here are five recommendations that you, as a CISO, can take advantage of to get maximum return on your cyber security efforts:
1. Know Your Assets
Before you start making strategic security plans, it is very important to find out what IT assets and data you have, where they are located and how critical they are.
Lack of visibility keeps organizations from setting the right goals, so they fail before they start. The main challenge is to discover as many assets as possible in as little time as possible. There is no one-size-fits-all solution yet; a workable approach lies somewhere between an automated data discovery solution reinforced with reconnaissance techniques (the ones attackers use to enumerate subdomains, resources and properties) and a full-time employee who owns the process.
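One concrete form of the "recon plus inventory" approach is to take what public sources already reveal about your domain and reconcile it with what the CMDB believes you own. The script below is an added example written for this page, not code from the original article: it parses a constructed sample shaped like a certificate-transparency search result (one record per certificate, newline-separated names in a "name_value" field), normalizes the hostnames, keeps only those under the reserved domain example.com, and splits them into known, unknown (shadow) and stale assets against a constructed inventory. The hostnames, the inventory and the response itself are all made up for the example; nothing is fetched from the network.

```python
"""Reconcile passive-recon output with an asset inventory.

Added example, not from the original article. CT_RESPONSE and INVENTORY
are constructed sample data for the reserved domain example.com; no
network access is performed.
"""
import json

# Constructed sample: certificate records as a CT search API might return them.
# Each "name_value" holds one or more names separated by newlines.
CT_RESPONSE = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.staging.example.com\napi.staging.example.com"},
    {"name_value": "Legacy-Portal.Example.com"},          # mixed case
    {"name_value": "old.example.com.attacker.net"},       # lookalike, not ours
    {"name_value": "mail.example.com"},
])

# Constructed inventory: what the CMDB thinks the organization owns.
INVENTORY = ["www.example.com", "mail.example.com", "vpn.example.com"]


def in_scope(host, root):
    """True if host is root itself or a proper subdomain of root.

    Requires the dot so that 'notexample.com' and
    'old.example.com.attacker.net' are rejected.
    """
    return host == root or host.endswith("." + root)


def hosts_from_ct(response_json, root):
    """Parse a CT search result into a set of normalized in-scope hostnames.

    Names are lowercased and stripped of a trailing dot. A wildcard entry
    (*.x) is recorded as its base name, since the wildcard itself is not a
    host but does prove the base name exists.
    """
    found = set()
    for record in json.loads(response_json):
        for raw in record["name_value"].split("\n"):
            host = raw.strip().lower().rstrip(".")
            if host.startswith("*."):
                host = host[2:]
            if host and in_scope(host, root):
                found.add(host)
    return found


def reconcile(discovered, inventory):
    """Split assets into known (both sides), unknown (seen publicly but not
    in the CMDB) and stale (in the CMDB but not seen in the recon data)."""
    inv = {h.lower() for h in inventory}
    return {
        "known": sorted(discovered & inv),
        "unknown": sorted(discovered - inv),
        "stale": sorted(inv - discovered),
    }


if __name__ == "__main__":
    report = reconcile(hosts_from_ct(CT_RESPONSE, "example.com"), INVENTORY)
    for bucket, hosts in report.items():
        print(f"{bucket}: {hosts}")
```

The "unknown" bucket is the list to take to the asset owners: a staging API and a legacy portal that nobody registered. Treat "stale" with care, since certificate transparency only sees hosts that were issued a publicly trusted certificate; a VPN gateway with a private CA certificate will show up as stale here while still being very much alive, which is why the text pairs this kind of recon with a person who owns the inventory.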
2. Develop Cloud Security Skills
Start with the major decision makers and bring key stakeholders, including the CISO, InfoSec and application teams, together into one agile group. This contributes greatly to developing a cloud security strategy and improves cooperation.
The next step combines new and old technologies: network penetration testing, dynamic application security testing, automated patch management and vulnerability assessment, alongside UEBA and SIEM solutions that cover cloud services and cloud access security brokers (CASB). In addition, make use of the security services the cloud providers themselves offer. This combination of management decisions and technical expertise will add greatly to your security efforts.
3. Focus On Identity Not Perimeter
The network perimeter is gradually disappearing, giving way to an identity perimeter. Your employees now work remotely from home or on business trips, so your security measures must adapt accordingly. Make protection of user identity your ultimate goal and build a security strategy that supports it. Start with multi-factor authentication (MFA) to reduce the risk of account hijacking, especially through phishing; prefer phishing-resistant methods such as FIDO2 security keys where you can, because one-time codes delivered by SMS or an authenticator app can still be relayed through a phishing proxy. If you use cloud services, add a CASB to intercept and monitor data traffic between your network and the cloud platform. Finally, raise security awareness among employees so that everyone understands their personal responsibility for the company's data security.
4. Speak the language of C-levels
CISOs would be more successful if they understood that their board of directors speaks the language of money. If you want to convince the C-suite to increase your budget, be ready to talk about business benefits and financial risks. When preparing your pitch, make sure you can measure and explain the following:
- Baseline: How much money can you afford to lose, and what breach probability is acceptable for your company?
- Situation 1: You have made zero investments. How much money will the company lose in the event of a breach, and how likely is a breach in this case?
- Situation 2: You have made the investments. How much money will the company lose in the event of a breach, and how likely is a breach in this case?
For each situation, expected annual loss is simply breach probability times loss per breach; the case for spending is that the drop in expected loss between Situation 1 and Situation 2 exceeds the cost of the controls. Before the meeting, calculate the cost of the risk reduction measures and be ready to explain in detail how the security team will spend the money. Consider a risk assessment solution to help articulate a clear plan.
5. Make Compliance Your BFF
To survive in 2018 and beyond, CISOs should understand security and business risks, be able to prioritize security efforts, and not hesitate to talk money and argue their position. Accept that there is no single technology solution that addresses all threats and solves every issue at once. You will never be 100% secure, but you can make your company a tough nut to crack.