Tips from industry-leading CISOs
& Compliance Officer, North Carolina Central University
In order for a CISO to be really effective, they must understand a few things:
- Understand the business and how it works
- Who the movers and shakers are
- How money is made and managed
- The company road map - where they are going and how they are getting there.
Collaboration is key to success, but you can't collaborate on things you don't know about or understand. You should know what moves the senior leadership and how they and the business units are thinking/positioning. Your security strategy should directly reflect and support that.
We all have presented security concerns and faced the "so what?" moment. If you understand the business and the mission of the company, you should have that "so what" answer ready to deliver. It should show why the business needs to be concerned about the security issue or risk you are bringing forward, what the consequences might be, and what strategy can be employed to mitigate the issue - yes indeed, it's called Risk Management. CISOs are managing a business-enabling function and need to be engaged at the business level, integrating security into the organization's needs, not the organization into security.
In my career, I have assessed literally hundreds of cybersecurity programs. Of those programs I reviewed, less than five percent were ever stress tested. Having a program audited or assessed does not constitute stress testing. Audits and assessments only serve to review control existence, not execution or performance. One has to purposefully test the reactions of their cybersecurity program and staff against a number of scenarios or simulated attacks.
I have found that the NIST Cybersecurity Framework (CSF) is perfectly suited as a baseline, particularly the Detect, Respond, and Recover functions. Next, you would select a hypothetical data breach or cyber-attack scenario as a test of your organization's ability to react to the simulated event. The stress test is an advanced tabletop exercise and is best carried out unannounced, using a scenario ripped from today's headlines. Your staff can only use what is presently documented within your organization's cybersecurity program. You will be amazed at how the stress test unfolds.
Privacy, Cyber Defense, Compliance, Continuity/Recovery, Secure Cloud & Information Governance