CISO ROCKSTAR THROUGH STRATEGY
A CISO of a tech company called me last week. Apparently, 3 workstations were infected by ransomware, one of which was infected for about two weeks only to be discovered in a specific network-wide scan for the original malicious file since the employee was on vacation.
Among my first questions were:
1. Question: “Did you follow through on your incident response policy?” Answer: “We don’t have one per se.”
2. Question: “Do you know when the initial compromise happened and how?” Answer: “We have some theories, but it will take the incident response team 3-4 business days to arrive.”
3. Question: “Do you know which data assets may be affected and what the possible damage may be?” Answer: “We have a decent mapping of the network but didn’t get around to damage control.”
4. Question: “Did you notify management?” Answer: “Partially. They were upset enough about the workers’ lost hours and only wanted to know when the workstations could be up and running.”
Further conversation revealed that this CISO was very aware of cyber security and used the resources he was given to try to secure the company’s information network. Two things were desperately missing, though. One was solid communication with senior management. The other was a solid, long-term strategy for cyber security that covers business processes and assets and aligns cyber security with business goals and objectives.
Getting this incident under control will take a few days, but bringing cyber security in this company onto the right track is going to be a challenging mission, with recent events adding to management’s general mistrust.
As a CISO, “doing a good job” means more than being a cyber security professional. It means getting into company politics, being transparent to senior management and aligning cyber security processes with those of the company.
Here are some critical steps you need to take if you want to be that Rockstar CISO:
1. Negotiate a Charter
Even though this seems a little pretentious at times, negotiating a charter is one of the first and most important tasks a CISO must do. Cyber security is a relatively new field of expertise and probably unfamiliar to senior management in your company. Setting a charter for the role of CISO will set expectations on both sides, establish your authority in the company and define your roles and responsibilities.
2. Senior Management Support
There’s a reason the CISO is a C-level role. As opposed to the IS (Information Security) manager, the CISO is expected to bridge the gap between cyber security’s technical terminology and considerations and business-oriented senior management. In many cases, a CISO with a cyber security professional background is drawn to the technical aspects of cyber security at the expense of maintaining good communication channels with senior management.
Success as a CISO can be achieved only through senior management support, both for the CISO personally and for the cyber security program the CISO is promoting.
Proving positive ROI, or even meaningful KPIs, is not an easy task for any CISO, and therefore regular, constructive communication with senior management and other stakeholders is imperative. Cluing stakeholders in on your plans, considerations and strategy builds understanding of, and familiarity with, what drives cyber security.
3. Map Information Assets
Information assets are the crown jewels. This is what it’s all about. Information assets aren’t limited to databases or servers; they can also be employees, processes, vendors, etc.
Nothing can replace a thorough mapping and understanding of the company data assets.
This knowledge will not only help you understand what to protect and how to prioritize resource allocation, it will also send stakeholders a message that you know the business priorities and processes, thus gaining more support and cooperation.
4. Risk Assessment
Long-term, sustainable cyber security relies heavily on mapping and understanding the risk facing the company in the cyber realm.
Cyber risk is a risk like any other facing the company. It needs to be assessed and mitigated according to company needs, goals and prioritization.
Getting an external auditor to assess cyber risk has two major advantages. First – professional auditors (should) have vast experience accumulated over years and across many organizations surveyed. Second – external auditors (are supposed to) have a fresh, unbiased approach to the organization and produce a relatively objective assessment of the risk facing the company.
It is the CISO’s job to contribute to this assessment with the company’s risk appetite and tolerance so that the assessment can ultimately be translated into steps that need to be taken according to possible impact on the company’s short and long-term goals and objectives.
5. Long-Term Strategy
Once you have in-depth knowledge of the intricacies of the company and its business objectives, you can combine it with the steps required to lower cyber risk to acceptable levels. With the goal of constantly reducing risk to an acceptable level in mind, you can create a long-term strategy that utilizes the company’s strengths and compensates for its weaknesses.
The strategy should take into account all stakeholders and their needs. It should address all known risk and mitigate it while preparing for unknown risk.
The cyber security strategy should be at a high enough level for senior management to understand, approve and support, while being detailed enough for the affected departments to understand and translate it into department-specific procedures.
This strategy, once approved by senior management, will be the basis for all cyber security operations and company-wide rules.
6. Implementation and Review
Once the strategy has been established, approved and communicated across the company, the CISO should revisit all stages and make sure the strategy is implemented correctly and successfully reduces risk to acceptable levels.
At this stage the CISO should work together with the information security manager to ensure effective implementation of the cyber security strategy while constantly monitoring for new, unforeseen and obsolete risks.
This stage is also when the CISO should monitor and promote the maturity level of the company’s cyber security posture.