The resources found here are provided to you by other CCISOs and EC-Council. To find out how you can contribute, send an email to: [email protected].
For a CISO to be truly effective, they must understand a few things:
- The business and how it works
- Who the movers and shakers are
- How money is made and managed
- The company road map: where the company is going and how it plans to get there
Collaboration is key to success, but you can't collaborate on things you don't know about or understand. You should know what moves the senior leadership and how they and the business units are thinking/positioning. Your security strategy should directly reflect and support that.
We have all presented security concerns and faced the "so what?" moment. If you understand the business and the mission of the company, you should have that "so what" answer ready to deliver. It should show why the business needs to be concerned about the security issue or risk you are bringing forward, what the consequences might be, and what strategy can be employed to mitigate the issue. Yes indeed, it's called Risk Management. CISOs manage a business-enabling function and need to be engaged at the business level, integrating security into the organization's needs, not the organization into security.
In my career, I have assessed literally hundreds of cybersecurity programs. Of those programs I reviewed, less than five percent were ever stress tested. Having a program audited or assessed does not constitute stress testing; audits and assessments only serve to review control existence, not execution or performance. One has to purposefully test the reactions of their cybersecurity program and staff against a number of scenarios or simulated attacks.
I have found that the NIST Cybersecurity Framework (CSF) is perfectly suited as a baseline, particularly the Detect, Respond, and Recover functions. Next you would select a hypothetical data breach or cyber-attack scenario as a test of your organization's ability to react to the simulated event. The stress test is an advanced tabletop exercise and is best carried out unannounced, using a scenario ripped from today's headlines. Your staff can only use what is presently documented within your organization's cybersecurity program. You will be amazed at how the stress test unfolds.