
Are you doing enough to address your risk? Here are a seasoned CISO’s fundamentals


Several years ago, I received an early-morning phone call at home from one of my security staff. Our security operations center had just contacted us, reporting anomalous data traffic. They believed we had several assets that were infected with malware. As I listened to the incident response team triage the event, I thought to myself, "What can I do as a CISO to better protect my organization?"
I had numerous networks and legacy assets under my purview, and even though I had a solid security program, I didn't feel we were doing enough to address our risk. What fundamentals could I incorporate to better prepare my teams and my security organization?
I started to review and document how I could continuously analyze and upgrade my security systems and deployed security controls. I eventually settled on seven steps I call my CISO Fundamentals. These are processes I use to view my security program, understand its dependencies and continuously review for improvement. They have become my template to measure the maturity of my security systems and my overall security program.
Here are the first four of my CISO Fundamentals
Enumerate. As a CISO I find it crucial that I understand what is on my company’s networks, where the devices are located, and what applications and data they require. Enumeration provides that information – and it’s fundamental to cyber hygiene.
Enumeration is the discovery of hosts and devices on a network, typically using standard industry discovery protocols such as ICMP and SNMP. It can also document well-known services and the operating systems on the scanned devices. Security teams can then use much of the information collected to create a configuration management database (CMDB). This foundational step feeds not just my cybersecurity and risk management programs; it is also required for IT, Change Management and Governance, Risk Management and Compliance (GRC). Without an accurate inventory, it is extremely hard to manage risk and protect corporate digital assets.
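As an added illustration of how discovery output feeds and checks a CMDB (example code written for this page, not from the author), the script below reconciles a constructed ICMP/SNMP sweep result against a constructed CMDB and reports hosts the inventory does not know about, records that nothing answered for, and known hosts whose exposed services changed. Field names and sample addresses are assumptions.

```python
"""Reconcile network discovery results against a CMDB (added example; data is constructed)."""
from dataclasses import dataclass


@dataclass
class Asset:
    ip: str
    hostname: str = ""       # from SNMP sysName, empty if the device did not answer SNMP
    os: str = ""             # from SNMP sysDescr, empty if unknown
    services: tuple = ()     # well-known TCP ports observed on the host


# Constructed discovery output: what an ICMP/SNMP sweep of one subnet might yield.
DISCOVERED = [
    Asset("10.0.1.10", "dc01", "Windows Server 2019", (53, 88, 389)),
    Asset("10.0.1.20", "web01", "Linux 5.x", (22, 443)),
    Asset("10.0.1.77", "", "", (23, 80)),   # answered ICMP only; telnet and http exposed
]

# Constructed CMDB keyed by IP; the owner field is something discovery cannot supply.
CMDB = {
    "10.0.1.10": {"hostname": "dc01", "owner": "infra", "services": (53, 88, 389)},
    "10.0.1.20": {"hostname": "web01", "owner": "web", "services": (443,)},
    "10.0.1.30": {"hostname": "old-erp", "owner": "finance", "services": (8080,)},
}


def reconcile(discovered, cmdb):
    """Return (unknown, stale, drift).

    unknown: assets seen on the wire but absent from the CMDB (candidates for rogue devices)
    stale:   CMDB IPs that nothing answered for (decommissioned or moved, inventory is wrong)
    drift:   known IPs whose observed services differ from the record (ports in either set only)
    """
    seen = {a.ip: a for a in discovered}
    unknown = [a for ip, a in seen.items() if ip not in cmdb]
    stale = [ip for ip in cmdb if ip not in seen]
    drift = {
        ip: sorted(set(seen[ip].services) ^ set(rec["services"]))
        for ip, rec in cmdb.items()
        if ip in seen and set(seen[ip].services) != set(rec["services"])
    }
    return unknown, stale, drift


if __name__ == "__main__":
    unknown, stale, drift = reconcile(DISCOVERED, CMDB)
    for a in unknown:
        print(f"UNKNOWN host {a.ip} services={a.services}")
    for ip in stale:
        print(f"STALE record {ip} ({CMDB[ip]['hostname']}) did not answer")
    for ip, ports in drift.items():
        print(f"DRIFT {ip}: service set differs on ports {ports}")
```

Each of the three lists is a work item for a different team: unknown hosts go to security for investigation, stale records to IT for cleanup, and drift to change management to confirm the change was approved.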
Consolidate. With an updated inventory, we can identify what could be consolidated. For example, can an organization reduce its servers and server locations to more efficiently use space and resources? Can servers be virtualized or upgraded to new hardware to occupy less rack space and consume less power?
I look at consolidation as another fundamental control. I continuously review my security suite's hardware and software tools to see if there is anything I can consolidate or decommission — keeping business needs in mind. If I can reduce my costs and consolidate the assets my team must manage without impacting the services we provide to the business, I believe it's required of me to investigate the possibility.
Mitigate. I then review the potential impact of identified risks on the organization’s business operations. This process is continuous. As we add new technologies to the company’s portfolio or change deployed applications, we need to reassess security risks. If risks are identified, then we employ appropriate and cost-effective controls to mitigate the risk to an acceptable level.
CISOs and their team need to manage this process continuously and report to executive staff on an ongoing basis. I recommend CISOs use their company’s business objectives as guidelines to prioritize any identified risks that must be mitigated.
Integrate. I don't want my organization's security platform to be a do-it-yourself dashboard of multiple islands of isolated technology held together by duct tape. Security teams need to continually assess the integration of security components. Where appropriate, integration provides operating efficiencies and more visibility into deployed security assets, networks and risks.
I would rather have my selected solutions connected via a technology like an API, providing me an overall view of risk in one platform. I know many organizations have legacy systems that are critical, and companies don't want to touch them because they work. I understand, as I have been in that situation multiple times. However, every time I have upgraded and integrated my technologies, the new capabilities and efficiencies paid dividends.
I am aware that integrating security systems is not an easy process. Security vendors often force organizations to purchase all the platform’s components to get full functionality. Or they provide minimal customer service, instead opting to charge assistance as professional services. But if you can make a business case for integration — it will result in reduced labor required to triage an incident or in greater visibility to strategic threats facing the organization, for instance — then I believe CISOs need to seriously consider integration.
How I advance my security programs into innovation
Over the past 10 years, I have watched the CISO role evolve into a strategic partnership, at least when executive leadership champions it. I have also witnessed a changing environment that seems to open more doorways to attackers than security professionals can close — from new malware types to previously unknown vulnerabilities.
But even with the rise in cybercrime, I've learned to focus on security and risk management frameworks to create strategic roadmaps for my teams. These roadmaps provide a foundation for my organization, enabling my security and risk management programs to mature and better protect the company.
As I began to incorporate these roadmaps, I started to view cybersecurity-and-risk management as a continuous life cycle of dynamic processes. These processes I envisioned as interconnected workflows that incorporated my deployed security controls.
But even then, I continue to ask myself, "In today's dynamic threat environment, what can I improve?"
Today's unique threats have forced me to consider new approaches to managing my organization's risk. In crafting my CISO Fundamentals, I learned to accept the fact that security and risk management programs are not made to be static, but need to be flexible and adjust to new threats, new technologies and resource constraints. As a CISO, I know I must be innovative and willing to make changes to provide focused cybersecurity and risk management services to the business.
Here are the final three of my seven CISO Fundamentals
Innovate. As technology advances, cyber criminals are continually innovating and deploying new capabilities, thereby increasing the threats companies face. CISOs, in turn, need to be comfortable with the evolution of new defensive security technologies.
The cyber hygiene basics — configuration management, access control, network segmentation, patch management and network monitoring — can remove most of the cyber risk facing companies and allow a CISO to work with cybersecurity startups to identify technologies that provide value to the business.
Obviously, there are risks associated with being innovative. That is exactly why I believe it is imperative to have your security basics done first. You then gain the freedom to try new technologies and processes with reduced risk.