The role of chief information security officer (CISO), or its equivalent, is very important for any organisation. He or she is responsible for guiding the rest of the organisation in protecting information and systems.
More often than not, if a company experiences a cyber security breach, the CISO takes the blame. Now that cyber security is a major talking point, the role of CISO has skyrocketed into a high profile and powerful position with great responsibility.
However, having a CISO in place isn’t enough to deter attacks from individuals or organisations trying to steal or damage company data. Prefixing a position with a ‘C’ does not ensure success.
Many CISOs lack experience of fighting in the trenches against cybercriminals. Especially if a CISO does not come from a technical background involving penetration testing or forensic investigation, he or she should be open to learning more about cybercrime and specifically the following three important lessons.
1. Everyone is a target
Your company’s industry, geographical region, customer base, size and revenue are irrelevant – if your organisation stores, processes or transmits any data of value, it has either been or will be the target of a cyber attack.
This is because there is a thriving black market for the data your organisation stores. This data could be customers’ contact information, username and password pairings or payment card information.
To cybercriminals, the type of data does not matter because each of these examples has a very real monetary value that they can cash in.
You also have to wrestle with the possibility of resentful insiders looking to harm your organisation or seeking to steal intellectual property to make an easier (and often profitable) transition to new opportunities.
CISOs need to understand these threats and be prepared to respond to them at any moment. Carrying out regular and realistic penetration testing, threat simulations, user access control reviews and security awareness training should be a priority.
By staying on top of these and by being ready for an eventual attack, a CISO demonstrates that he or she has a firm grip on the current cybercrime environment.
2. Training is the key to winning the fight
Army training uses the concept of opposing forces, or OPFOR. This kind of training is made as realistic as possible in mimicking the enemy’s tactics, techniques and procedures.
The main reasoning behind this method is to reduce the number of unknowns when facing an actual attack. While it’s unrealistic to believe you can entirely eliminate surprises, the fewer you encounter, the better position you will be in.
This approach also creates and improves muscle memory, meaning that when the attack happens the training kicks in without you having to make a conscious decision – a feat that would be impossible without having prior experience of regular and realistic practice.
Often during an attack, you don’t have the luxury of time to contemplate a measured response. An organisation’s response capabilities will benefit drastically if the CISO is open to and understands the need for regular, realistic training exercises that closely mimic the actual threat landscape.
Contrary to the beliefs of many C-level executives, spending time and resources on situational training is not a waste of time or money.
When a data breach occurs, an organisation that has carried out regular, situational training exercises will be in a much better position to recognise and respond swiftly to the threat than one that has not prepared wisely.
3. Compliance is not the same as security
Checklists are incredibly beneficial in making sure that repeatable steps in routine tasks are completed as needed. For example, the next time you take a commercial flight, you really want the pilots to follow their pre-flight checklists to the letter. That’s how to avoid the plane going down due to a technical issue arising from a skipped step in the safety routine.
However, all the checklists in the world won’t make a difference if pilots are unable to think on their feet when the unexpected occurs – for instance, when a bird strikes the plane while it’s landing. The fact that pilots have undergone hundreds of hours of training will ensure they react appropriately.
In the cyber security world, governance, risk management and compliance checklists are there to make sure security professionals don’t overlook the obvious. However, these lists are not a comprehensive guide to security.
Designing security protocols solely around a checklist is most certainly flirting with disaster. Checklists are guides for adaptable, suitably-trained professionals who can think on their feet in an environment where there is good data hygiene and a commitment to securing the organisation’s data – not just satisfying an arbitrary compliance request.
In the face of a number of very challenging issues, this list is by no means complete. Any CISO who cannot appreciate the importance of these three points is going to find themselves in hot water pretty quickly after a security incident.
A CISO who understands the reasoning behind these ideas – and is confident in raising them with the C-suite and in implementing them – will significantly improve his or her organisation’s ability to detect, react to and recover from a security breach.
Sourced from Chris Pogue, CISO, Nuix