With every new security breach announced, the CISO position is becoming more and more trendy for organizations. However, CISO is not a new position – it’s just only now getting the attention it deserves. Outside of enterprises, we rarely see an organization or a startup with a CISO and this is a huge mistake. There are many different security challenges in organizations of all sizes that prove why the need for an internal CISO will play a critical role in your organization’s success.
Before we dig into the different challenges and mistakes that CISOs make let’s discuss what does the role entails. The position, Chief Information Security Officer (CISO) is fully in charge of the organization’s cyber and information security responsibilities and risk management.
As we have seen in past years with huge breaches like the Equifax and Capital One breach, CISO’s have a lot of responsibilities on their plate when strategizing their organization’s risk management. As the threat landscape is continuously evolving with hackers implementing different dynamic and complicated attack tactics, the traditional risk management strategy can not withstand these styles of attacks. By implementing an outdated strategy your organization can become victim to massive fines, losing the trust of your customers and brand damage if your strategy isn’t up to par with the latest best security practices.
Today, your average CISO resources are mainly allocated to monitoring and responding to different security threats and making certain that their organization meets all the different compliance requirements.
The organization’s CISO key responsibilities include identifying and securing any potential leaks in the network, creating and managing a risk management strategy for security incidents, researching and implementing new security tools and technologies. Last but not least the CISO is the go-to employee for all things security and with that, it’s their responsibility to inform everyone from junior developers to the sales team to C-level management about all the different security team activities in the organization.
Mistakes Will Happen
No matter how experienced your CISO is, mistakes will happen. The difference is how big are the mistakes and how often are they occurring. As we start a new year organization’s CISOs should be well aware of what are the best practices and what are the new style of different attacks. So with further ado, here are the 5 mistakes your CISO should avoid in 2020.
Not Hacking Your Own Network
Organizations that aren’t using external or internal white hackers (ethical hackers) and think their network or environments are secure are dead wrong. Without knowing how secure or insecure your internal resources is like launching your product without testing with quality assurance. While your CISO might tell the management team that everything is secure but until your organization has implemented hacks by white hackers on your system you can’t be 100% sure that your organization is safe.
Advice: Hire white hackers internally but if you don’t have the necessary resources to hire professional penetration testers. Pen testers will look for everything from testing network security protocols and settings, software vulnerabilities and even will try different malware and targeted phishing campaigns on the organization employees. Your organization’s CISO should implement a yearly internal security test to take the extra step ensuring the organization’s cybersecurity is up to date.
Nobody Likes a “Dr. No”
Every organization has employees who are yes men/women but when it comes to the different responsibilities of a CISO, one of the worst mistakes they can make is becoming a “Dr. No”. The CISO is often seen as the organizational blocker telling employees they can’t do things and forcing them through unwieldy processes in the name of compliance. Despite looking out for what’s best for the organization, CISO’s should have a good balance of when to say yes and no to different requests.
Advice: Instead of CISO’s denying and putting their foot down, they should be open to change. They should be able to easily recognize the benefits of new security tools and solutions and how it will help the organization on a security level. Secondly, instead of saying no to everyone and everything, become the person that everyone seeks to implement new technology in the organization, but don’t forget to check the risk factor.
Not Sticking to a 360 Degrees Security Strategy
The security space has two players, the organizations and the hackers. While some people might say it’s a fair matchup, it’s not. Organizations are expected to know how to defend every attacker from every angle, while hackers have it easy by finding one small leak and then they have access to the organization’s network. To make it simple, CISO’s should understand and accept that you won’t be able to fight off every attack.
Advice: As a CISO who is always thinking about one’s security, one of the worst mistakes they can make is thinking that you can stop every single attack. Instead, CISO’s should clearly understand the organization’s technology, vision, and limitations and strategize for minimal risk with the different resources you have in the organization. In a world where there are endless attacks it’s best to survive than not be prepared.
Not Setting up a Security Policy for the Future
Today, organizations are making changes and decisions quicker than ever. They’re focusing more on how many new features and products can we launch in a certain amount of time. One major factor that is being forgotten is the security risk factor. While moving fast and making quick changes is great, organizations of all sizes need to make sure the right security is put into place so your organization won’t become an easy target for hackers.
Advice: Implement a cybersecurity policy and architecture in the organization. If there isn’t a security policy in place there is a very high chance your organization will be hacked and breached. Organizations and CISO need to emphasize on a cybersecurity strategy as early as possible to provide the best defense plan against hackers. This strategy should include incident response strategies, creating a security policy, employee training and assigning employees as the security team.
Not asking for Help
Despite the increase of cybersecurity jobs worldwide, there is a huge shortage of proper cybersecurity skills in most organizations. However, with a CISO they should never be afraid to ask when they don’t know the answer or can’t find the answer. CISO’s can have the “perfect team” but if they’re lacking the right security skills, the CISO decisions will backfire without reasons.
Advice: Instead of making choices with a gut feeling or best practices, CISO’s should ask the experts which is the correct direction and have a clear understanding of why they are making the decision with the correct reason to back it up.
Better be Prepared then Attacked
While a CISO will never be correct 100 percent of the time, they should learn from their mistakes and have the right strategy in place to fight off everything. By strategizing correcting with the right security approach that has a mix of experience, security knowledge, strategy, and organization’s expectations, the CISO will be more ready to grasp every security activity they will encounter.