In my last blog I drilled straight into the one of the biggest, ever-present threats in any network, zero day vulnerabilities.
I thought in this blog I’d be a little more circumspect and talk about the broader issues keeping CISOs up at night (the overall theme of this blog series).
The best analogy I can think of in describing the role of the CISO is, like a spider, we’re are at the centre of the security web in terms of over-arching control and management.
Our teams build, watch, react and maintain all of the security infrastructure across our organisations, locally and internationally.
At the same time, we’re working very hard to ensure our organisation (our people, information, assets) doesn’t become a fly in some-else’s web.
When all is said and done, this really boils down to two main area.
Managing access to systems and mitigating uncontrolled changes to systems (accidental, deliberate or malicious).
And while that sounds fairly simple, it covers a lot of ground and in practice can often be difficult. It includes network security, systems and application security, physical security, system and application access, privacy compliance, back-up and redundancy, setting the security culture within an organisation and a lot of communication between other primary stakeholders to ensure, at the end of the day, the organisation can still go about its business and not go out of business.
Communication is key, especially with the executive teams and the board as they want to understand risk to the business and potential personal liability, so it can be managed and treated accordingly. The CISO is a key person in helping to ensure they are all well informed so they can make well informed decisions.
After, all, you could just turn off the broadband internet connections to the company and a lot of security concerns would disappear instantly. I’m sure there’s a few CISOs out there who have that recurring dream. However, the business is there for a reason to provide a service or product to its customers, so this all comes with a level of risk and has to be managed.
So how do you balance it all?
Well, quite clearly, in all but the most chaotic organisations, CISOs try and architect for success. We’re not wanting to race around the organisation playing whack-a-mole on a daily basis as threats or concerns emerge, even though it may sometimes feel that way.
We build secure environments and everything that entails (people, process, and technology) but we’re also keeping a close eye on external information sources.
We listen to what critical vendors tell us about their technologies including roadmaps, patches and security flaws and performance issues. We gather intel from trusted security partners, ranging from cybersecurity groups publishing alerts about new threats as well as media reports and security vendors issuing specific alerts.
We all know that at some point something will go wrong and we need to have our incident response processes in place to help manage those times.
We also look at macro changes in the behaviour of our organisation in how it goes about its business and what that may mean to our security posture. Is BYOD becoming a more important part of our work culture? What does that mean? What about remote work and information leakage? What about shadow IT and what systems are they deploying? What third party connections or data flows are in place?
We consider the strategic plans in place for our organisation as well. How will organic growth or new branch offices or company acquisitions impact security considerations? Will it fit our security architecture? What gaps and risks do we have to manage with this process? Is this other business a square peg in a round hole? How hard will it be to fix or integrate? It all has to go into the mix.
Then there’s the fine detail of daily operational control. What signals should we pay attention to? What are our systems and fail-safes telling us? How’s our security posture? What is an acceptable risk and what’s not? What does our SIEM show us? What threats are we detecting? What are we missing and need to address? What do we have to do to address them?
It’s a complicated tapestry combining business, organisational and technical challenges into one job description and the CISO has to be the master weaver.
About Steve Challans
Steve has more than 33 years’ experience working in the IT security sector and over 20 years specialising in Information Security. He has been the CISO at Prophecy International for 5 years.
Steve holds security qualifications including the CISM, CISA, CRISC, CISSP, PCIP, and ISO27001 Lead Auditor certifications.