With security and IT landscapes continuing to evolve at a moment’s notice, the ways organizations work are constantly changing. For example, the shift to remote and hybrid work environments over the past two years has introduced a wave of new opportunities for threat actors to compromise companies and their employees. Yet, as CISOs remain inundated with information regarding the biggest threats, the latest industry best practices and many other important considerations are left on the back burner.
Ready to hit the books? Here are three ideas that will help CISOs brush up on the security concerns that are being overlooked and causing failing grades:
- Embrace more mature security methodologies.
First and foremost, CISOs should swap old, traditional ways of approaching security for more mature, tailored methodologies. This is extremely important because mature methodologies can work through an enormous volume of information and data to establish strong situational awareness relevant to an organization’s specific risks and threats.
Additionally, these methodologies work to develop a targeted communication strategy that helps facilitate organizational resilience. Organizations without a mature methodology are stuck filtering through clutter disguised as resources and considerations rather than focusing on the items that are actually most relevant to their organization. As such, leaders of these organizations will likely miss important security-related intelligence as it gets lost in the shuffle.
- Focus on communication.
CISOs must also establish an effective communication strategy within the organization. This ensures that relevant security-related information is ultimately making it to the right audience and department — whether it’s a specific business unit, vice president, or even all employees. Furthermore, it ensures that the CISO gets timely, useful information that’s actionable. For example, messaging regarding vulnerabilities to a handful of vice presidents should not be the same as what’s delivered to lower-level technical employees.
Additionally, companies need bi-directional communications. This lets the CISO stay constantly apprised of the market and business strategies being pursued by the organization, which in turn gives them more insight into potential threats, such as adversaries that may target or plan to target specific lines of business.
- Practice public and private cross-collaboration.
CISOs are also responsible for integrating approaches with the government to strengthen intelligence sharing. Take for example last year’s Cybersecurity Executive Order from the Biden administration, which strongly emphasized this cross-collaboration between public and private sectors.
By facilitating information sharing, CISOs arm themselves with the resources necessary to make the smartest decisions in the shortest amount of time. Working in tandem with the public sector can help them obtain access to timely and rich data regarding threats, tactics and adversaries, which they can ingest into an organization’s full stack of security processes and capabilities.
The costs of inaction
If CISOs are unable to implement a mature awareness and communication program, their organization faces detrimental business risks such as lost investment across technology, services, and practices. Subsequently, this lack of investment can negatively impact the company’s output and weaken the bottom line. Furthermore, if CISOs do not have a clear connection to the organization’s risks and threats, the organization can become “technology-rich,” but “security-poor.”
This “security-poor” status can result in a false sense of security and compliance throughout the entire organization. Tools, services and practices will not align to protect against the most current risks, allowing potential adversaries to easily fly under the radar and cause extensive damage.
CISOs have to commit to these new methodologies at a leadership level. Allocate resources to conduct threat and intelligence integration. Establish a robust method to filter through what’s observed in the field, fusing that information with what exists in the organization and then using that information as a tool to identify the gaps that need addressing before a threat turns into an exploit.
The biggest lesson from CISO summer school: develop a process to prioritize filtered data, communicate it and then put resources to action.
Kevin Brown, chief information security officer, SAIC