BreachExchange mailing list archives
Changing The CISO's Mindset To A Fact-Based, Holistic And Multilayered Approach
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 2 Mar 2021 09:55:16 -0600
https://www.forbes.com/sites/forbestechcouncil/2021/03/02/changing-the-cisos-mindset-to-a-fact-based-holistic-and-multilayered-approach/?sh=11d6189f3c7d

After over 20 years of working in the cybersecurity industry, it has become abundantly clear that CISOs are being flooded with an endless barrage of security information. They need to constantly question their sources of information, their vendors' security postures, where to invest their resources, how to optimize their investments and which vulnerabilities pose the biggest threats to business continuity.

With so many challenges, it has never been more important for CISOs to change their mindsets from a speculative, compliance-driven and unilayered approach to a fact-based, holistic and multilayered approach. Here's how to get started:

Reassess Preconceived Notions

When assessing the security posture of an organization, CISOs cannot afford to make assumptions. They cannot think that simply because certain security measures are in place, their organizations are unbreachable. Instead, CISOs need to adopt the mindset of hackers by setting up a team, or hiring an outside group, that will infiltrate their organizations, breach their security systems, execute social engineering campaigns, collect passwords and bypass each and every security control, all with the ultimate goal of attacking the organization exactly like a hacker would. This approach would enable CISOs to better identify their organizations' most critical vulnerabilities and prevent real-life attacks before they occur.

Work With Data, Facts And Numbers

CISOs need to stop relying on estimations, guesstimations and speculations when it comes to their organizations' cybersecurity and instead embrace a fact-based, data-driven and mathematical approach. They need to understand their organization's vulnerabilities, the probability of those vulnerabilities being exploited and the potential business impact if such an attack were to be executed.

Armed with facts, data and mathematics, CISOs will be able to optimize their cybersecurity investments by allocating their resources to the places that matter most while simultaneously being able to justify their investments and allocation of resources to their CEOs and boards of directors.

Look At Your Organization In A Holistic Way

CISOs need to understand that cybersecurity assessments need to be conducted in a holistic way that takes into account every organizational asset. Failing to do so fails to take into account the overall picture of the company's cybersecurity vulnerabilities. Looking at security issues in a siloed way, while working with various products that don't necessarily work together, creates a variety of problems.

Additionally, they need to understand that there is no "one size fits all" when it comes to cybersecurity. Every organization needs to be looked at in a personalized and tailored way that takes into account its priorities, critical business assets and so on. What is critical for organization A may be of little or no significance to organization B, and vice versa.

Implement Multilayered Security Protection

Despite significant cybersecurity budgets, CISOs often fail to allocate their resources properly. For example, many organizations are very secure when it comes to their first points of access but aren't very secure when it comes to their internal infrastructures. Organizations are often not abiding by basic cyber hygiene, such as using weak passwords, and as a result, once the initial point of access is compromised, it is very easy for hackers to move laterally within the organization. As a result, while their budgets may be high, their overall cyber resilience is quite low. CISOs need to take a "back to basics" approach that ensures that their organizations' most critical assets and crown jewels are protected by many different layers of defense.

Understand That Compliance Is Not Enough

While CISOs are aware of their cyber risks, they often pursue security for the sake of compliance over broader and more crucial risk management. CISOs need to understand that while compliance is a necessary step toward improving security, it is simply not enough. They cannot be driven by the concept of compliance or convenient checklists. Rather, they must take full ownership over their organizations' security in a way that does not simply check boxes, but that takes real, actionable steps toward improving their organizations' cybersecurity postures.

As CISOs watch and bear witness to even the biggest companies being breached as a result of not abiding by basic cyber hygiene, it has never been more important to take a fact-based, holistic and multilayered approach toward cybersecurity.

_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link:
https://lists.riskbasedsecurity.com/listinfo/breachexchange