
How to find, fund and fix cyber risk blind spots

Today’s columnist, Sean McDermott of RedMonocle, says that companies should use the NIST 800-53 security and privacy controls to help find cyber risk blind spots. After that, companies need to fund and then fix the security gaps.

The FBI Internet Crime Complaint Center reports that cybercrime has risen 300% in the last 12 months and concerns grow as company leaders determine how to navigate the long-term effects brought on by the pandemic and the acceleration of digital transformation started last year. The rapid, overnight shift exposed new cyber risk blind spots and gaps unknown to security leaders or executive teams.

The long-term impact of security issues and understanding how to prevent them weighs on the shoulders of chief information security officers (CISOs), who are now front and center in every business conversation. But CISOs may lack a 360-degree view into their tech security stack (tools) to see the security risks surrounding their business.

Much like standing in the living room looking through the front window, it’s not possible to see what’s surrounding the house: there’s a limited perspective. Today’s security leaders, on the other hand, need to see inside and outside their security stack at the same time, and doing so starts by identifying cyber risk blind spots.

There are three steps for CISOs to consider as they look to resolve security concerns for the long-term success of the company: understanding how to find, fund and fix cyber risk blind spots.

  • FIND the company’s cybersecurity blind spot.

Security teams don’t know what they don’t know, and they don’t know what they can’t see, either. That’s how many CISOs and security leaders feel in the “find” stage. They need to figure out where those cyber risk blind spots are and what’s inside.

Most CISOs and security leaders don’t align their security stack with their standard cybersecurity control sets. Viewing them separately causes cyber risk blind spots because it isolates one from the other and creates the silos in which those blind spots form. Instead, leaders should align their security stack with their standard control set to see the inside and outside, while also mapping software features in their security stack to the 96 NIST 800-53 controls. This comparison lets CISOs quickly identify their gaps and, using the frameworks as guidelines, determine the priority in which gaps are addressed.

  • FUND cybersecurity priorities.

Once security leaders find their cyber risk blind spots, they must know how to fund the projects that will resolve them. There are three important aspects of funding cyber risk blind spots — knowing how to fund the fixes, how to get executive buy-in, and more importantly, how to close the communication gap with stakeholders and the security team to relay the short- and long-term business value.

It’s challenging and potentially intimidating to approach the leadership team for additional funds to support something they may not understand. Security leaders must contend with daily threats on a technical level and explain the risk in a business context that their executive colleagues can understand. This has been a challenge because the complexity of IT infrastructure has outpaced cybersecurity growth. When CISOs can clearly quantify the cybersecurity risk in dollars and cents, funding becomes a natural by-product.

  • FIX the cybersecurity gaps.

Once a CISO secures the funding, it’s time to fix the security threats — but where should CISOs start? How do they know which blind spots to prioritize, and how do they educate their team to collaborate and fix them in real time? More importantly, what’s the best tactic to update executives and stakeholders on progress?

First and foremost, understand that not all blind spots are the same, and each may have a different risk level. Second, think of cybersecurity as a marathon, not a sprint. Take time to invest in the proper tools that consistently audit the risks at hand and recommend actionable steps accordingly.

From there, CISOs have a better understanding of what to prioritize and how to direct their team. With the right tools and processes in place, CISOs are equipped to confidently report back to their executive team and continue strengthening their relationship for the company’s future success.

CISOs are in a unique position as the liaison between their security team and the business leadership. When the pandemic hit last March, security became a pressing issue, bringing CISOs front and center. A year later, many companies are still struggling to get back on track, especially in identifying their cyber risk blind spots. It’s in the hands of the CISO to find, fund and fix cyber risk blind spots and ultimately prove their value to the business and its customers — now and post-pandemic.

Sean McDermott, chief executive officer, RedMonocle
