In Chapter 8, our authors discuss their views on the use of tools and critical strategies and techniques that the CISO can use to validate an organization’s security controls. Each of our authors will provide guidance on how they have used specific tools and techniques and will examine the importance of understanding a tool’s role with respect to risk and providing actionable information. All of the authors emphasize the importance of collaborating with stakeholders to select the best approach for deploying new critical processes and the use of tools to measure their maturity.
Through the aggregate of their different approaches, they provide the new CISO a unique opportunity to understand the importance of tools and critical strategies to an organization and their detrimental impact to business operations if not implemented correctly.
Bill Bonney approaches this discussion of tools and techniques for CISOs by focusing on inherent business processes and deployed technology. He advocates that the CISO must conduct an inventory of tools used to support critical business objectives and that the enterprise should focus on building a mature process portfolio. Bill makes the case that with a mature process portfolio and the required tools to measure their impact, the business will be more secure through the use of proper security controls.
Matt Stamper starts his discussion with the statement that common sense is one of the best tools a CISO can use to protect their organization. He states that with common sense and some context on the processes/techniques the tools are used to serve, the CISO can provide better service to the company versus purchasing a new technology. Matt makes the case that through the use of tools such as a Business Impact Assessment (BIA), the CISO can collaborate with his/her fellow stakeholders to understand the organization’s risks, resulting in a selection of techniques and tools more finely tuned for its strategic business operations.
Gary Hayslip begins his discussion with a list of best practices he has compiled over the years that an organization and a mature cybersecurity program should use to reduce risk exposure. Gary then provides a list of recommended techniques a CISO and the security program should use to sustain a more business-centric “cybersecurity as a service” to the company. He concludes his discussion by listing and describing the various domains of common tools that are available to organizations and their security programs to protect enterprise assets.
Some of the questions the authors used to frame their thoughts for this chapter include:
Copyright © 2016, 2018 CISO DRG JV – All Rights Reserved.