Chief Information Security Officers (CISOs) today no longer sit in the IT and security corner doing “techie” things.
They are upper management, risk professionals tasked to monitor, measure and manage cyber risk throughout the entire organization. They must report to other C-level executives and board members and are held accountable for reducing cyber risk and protecting the organization.
Yet the cards are stacked against CISOs. Large companies are extremely siloed, with a multitude of lines of business, some of which independently manage the company's most critical applications and assets. Because of this complex and distributed makeup, CISOs are responsible for enterprise security but often do not have complete visibility. They cannot see which systems and applications housing valuable assets contain unpatched vulnerabilities, or whether an unauthorized employee or third-party contractor has accessed them.
CISOs also struggle to collect accurate data. In a recent study by Osterman Research, “Reporting to the Board: Where CISOs and the Board are Missing the Mark,” 81 percent of IT and security executives admitted that they employ manually compiled spreadsheets to report data to the board. Each business unit cobbles together cyber risk information into manual spreadsheets, sometimes fudging data to paint a rosier picture than the truth or to make it look like the data makes sense. They hand those spreadsheets to the CISO, who then stitches them together into a consolidated, static spreadsheet for the board. The board is then tasked with making informed, risk-based decisions on the basis of inaccurate data.
CISOs invest in expensive security tools only to find themselves overwhelmed by the information coming from them. They want to make the most of their investments but don't know how to make sense of the endless events, including which ones need action first.
Similar to how pilots need a cockpit to fly a plane and get passengers to their destination as quickly and safely as possible, CISOs need their own cockpit to manage the alerts, threats, vulnerabilities, communications and other elements that affect the level of cyber risk to their organization.
For example, a CISO's cockpit needs warning lights that alert them to threats to their most sensitive assets. Those include threats from insiders like employees or third-party vendors, threats from outsiders like cybercriminals and nation-states, and threats to applications and systems that contain associated vulnerabilities. CISOs need to know their organization's current state of affairs, which includes threats and vulnerabilities to its most valuable assets and the likelihood of them being compromised. CISOs need the ability to shift to “autopilot,” where the cyber risk information in front of them is automatically prioritized and actioned based on the level of risk to the organization's most valued assets. CISOs can use the flight control stick to quickly change their course of action based on new incoming information.
A CISO's cockpit should show how well the organization is performing at remediating vulnerabilities on their most valuable applications and systems. It must also reveal the line-of-business application owners who govern those assets so they can be actively engaged in the cyber risk management process.
Like pilots, CISOs need communication systems to put the right information into each stakeholder's hands. They must inform line-of-business application owners about risks to valuable assets under their governance and hold them accountable for taking action to minimize those risks. They must also communicate with the board and other C-level executives, showing how they are managing risk and the results of their actions.
Today's CISOs have the ability to create significant value within their organizations; however, they need a cockpit to manage and execute. A dashboard without controls to change what's happening is just a dashboard alerting them to problems. A cockpit provides additional tools to help CISOs get their organizations where they need to be so that their valuable assets are protected at all times.