The CISO Desk Reference Guide Executive Primer is written primarily for the CISO’s colleagues. The perspective is one of expectation. What are the expectations the CEO should have for their CISO? What support should the CFO expect to provide the organization’s CISO in support of their mission? What are the expectations the CISO will place on their colleagues to help make the organization more resilient? What kind of support should a CISO expect from the board? As important, what expectations should the entire leadership team, including the board, place on the CISO in terms of communications, teaching, expertise, risk assessment, metrics, meeting regulatory requirements, and preparing the organization to detect, respond to, and recover from cyber incidents?
Table of Contents
CISO Desk Reference Guide Executive Primer
The Executive’s Guide to Security Programs
Section 1 – The Role of the Information Security Executive
1. The CISO
Though relatively new for some organizations, the position of Chief Information Security Officer (CISO) is one of technical complexity that is not for the faint of heart. This position is the leading cybersecurity expert for a company and, therefore, often faces the repercussions if there is a data security breach. Incumbents will make decisions that impact all aspects of an organization and its ability to conduct business. Some of these decisions will involve interpreting regulations, establishing new policies, or influencing the employee/corporate culture. The reporting structure has a tremendous impact on the efficacy of the organization’s security operations. We believe that organizations with a designated security officer – a CISO – will have better security outcomes than those who have not formalized this role.
2. Risk Management and Cyber Liability Insurance
The risk management function within organizations has changed considerably due to the dynamic threats facing enterprise business environments. Because there is more economic value embedded in computer networks and the systems they connect as we move more and more functionality online, there are more criminals attracted to cybercrime. At the same time, this march to online functionality exposes more systems to external threats. Not surprisingly, over the last few years, nation-states, industrial spies, and terrorists have begun to attack many more targets, endangering not just the largest enterprises but their supply chains as well.
3. Third-Party Risk
The reality is that most organizations do not have a good understanding of the cybersecurity risks they are assuming with their third-party relationships. This reality was exposed by the now-infamous Target and Snowden breaches, both in 2013. In the Target breach, access was obtained by the bad actors through the VPN connection maintained for Target’s HVAC vendor for direct billing purposes. For the Snowden incident, Edward Snowden was an employee of a subcontractor of the National Security Administration. He moved from the CIA to Dell to Booz Allen Hamilton under a veil of suspicion after trying to break into classified files while at the CIA, and later fled with a trove of classified information. If we needed further convincing, in March of 2020, the SolarWinds software build process was compromised, providing a backdoor into more than 18,000 customers of its Orion Network Management System.
4. Regulatory, Compliance and Audit
In most organizations, the CISO plays a significant role in compliance activities. This usually includes a combination of high-level sponsorship, guidance, control testing, program management, and direct control execution. This variability, combined with the myriad different backgrounds of CISOs, can lead to an over-reliance on using the CISO role for the organization’s compliance function.
5. Data Governance and Security Policy
There are few topics more critical in cybersecurity than establishing proper data governance, informed by data classification, and codified through data governance and cybersecurity (data protection) policies. For many organizations, data and information are the most valuable (strategic) assets. It is critical to align data classification and governance activities with the organization’s risk management practices and, ultimately, its risk appetite.
6. Measurement and Reporting
Given the CISO’s evolving mandate to help the organization achieve operational resilience and the myriad competing interests for management focus and the allocation of budget, it is critical that the organization has reliable information upon which to base its decisions to invest the time, attention, and money needed to achieve better cybersecurity outcomes. The value of measuring and reporting on the results of business processes to drive the changes in behavior required to achieve corporate objectives is well understood. However, in many organizations the CISO’s role is still maturing and nowhere is the journey more visible than in learning how to speak the language of business, especially with regard to measuring the performance of the security team and the preparedness of the organization to protect against, detect, respond to, and recover from business disruptions.
Section 2 – The Cybersecurity Program
7. The Human Element
CISOs must recognize that they are always recruiting. Even if there is no unfilled headcount today, the human network will be necessary to create and maintain a pool of talented people for the organization. And while there is a minimum bar for the skills the security team will need to be successful, you can only hire for so many of those skills. The cost (in hard cost and opportunity loss) of competing for and hiring fully formed senior security engineers for all positions has already become prohibitive.
8. Situational Awareness
We grouped these three process elements – threat intelligence, continuity planning and cyber-resilience, and monitoring – together because, when taken as a whole, they provide the organization with situational awareness about their security posture.
There is a tendency to believe that once something like threat intelligence is packaged commercially, “buying” your threat intelligence is the most comprehensive and practical approach. Let the experts collect the data from their millions of sensors and their honeypots and other forms of deception technology, and let their analysts review that intelligence and monitor the dark web for you and tell you where you should focus your attention. It’s true that very few companies have the means to run a comprehensive threat intelligence program on their own, and even those that do still consume commercial feeds to support their efforts. But there is a critical aspect to threat intelligence that is specific to each organization.
Continuity planning was once the exclusive province of the CIO. But the emerging role of the CISO, beyond expertise in cyber risk, policy, and data protection, is the continuity of business operations. To be successful, CISOs need to bring risk management front and center and make it a cornerstone in building their security programs. We cannot protect every system equally. Not all business processes, applications, and infrastructure are created equal. This inequality may seem obvious, but our security programs frequently don’t reflect this reality. Too many security programs attempt to apply the same level of security to all systems, infrastructure, and employees. The result is watered-down security. Critical systems are under-resourced and under-secured while non-critical systems are over-protected. The root cause of this disconnect is a lack of alignment with organizational priorities.
Networks are noisy. From heartbeats to probing, from legitimate database extracts to covert data exfiltration, from sensor telemetry to malware infusions, there is an enormous amount of traffic on your network. Without a strategic and diligent approach, it is difficult to know how much of this traffic is appropriate and legitimate. Long gone are the days when network traffic volume alone was the biggest hint that an organization was under attack. When we think of monitoring, many of us immediately think of our networks and the packets that traverse them. It’s our view that this monitoring, while crucial to our security programs, is only a small part of the overall effort. CISOs must take a more comprehensive and expansive view of monitoring to ensure that they adequately align their security program with the objectives of their organization.
9. Incident Management
Incident response is the most visible function for a CISO, and how the CISO oversees the incident response program of their organization is critical for the role. For good or for ill, it is the primary way CISOs are judged. Beyond the immediate impact of demonstrating the organization’s resilience to customers, management, and employees, how an organization deals with incident response says a lot about its culture. We have entered the era of the celebrity breach: often nation-state sponsored, usually impacting millions of customers, and always coming with tiring lists of remediation steps that are at the same time both complex and monotonous in their sameness. We have long since worn out the cliché of “not if but when” as we describe the inevitability of a data breach happening to any given company. Making the front page of the New York Times or the Wall Street Journal because of a cataclysmic data breach was once an existential threat. Now, there is a certain resignation to the fact that data breaches are a part of life. Incident response can no longer be a hot seat occupied only by the CISO, as responding to an incident must be a team effort.
10. Executing the Cybersecurity Program
The temptation among those of us in the technical fields is to think of tools first. While tools are often helpful in solving various process problems, an over-reliance on tools is often expensive and usually decreases the effectiveness of any given program.
We recommend starting instead with a business impact analysis, asset inventory, and third-party risk assessment. These should provide an in-depth understanding of the organization’s data assets and how this data flows into and out of the organization with third parties, processes, applications, and clients. In addition to cataloging the assets to protect, continuity planning and an incident response plan provide resilience essential to the organization.
Turnover and knowledge gaps create seams in the security program that leave the organization with blind spots and vulnerabilities. Essential to reducing turnover and closing knowledge gaps is continual skill development. Along with a well-trained and skilled security team, an effective awareness program is indispensable. An empowered workforce, confident in its ability to make good decisions, acts as both an early warning system and a shield.
Technical solutions will fall into two broad categories – tools used by the organization to deploy and maintain a secure infrastructure, and tools used by the security organization to prevent bad events and monitor the network to expose questionable activities for follow-up.
Your organization faces a dynamic threat environment that is continually evolving. New threats will at times require changes to security controls and to the technology used to execute these controls, and the cybersecurity budget must be flexible enough to accommodate the occasional urgent need. Budgets that are too tight to begin with, or overloaded with long-term commitments, may force decisions made for budgetary reasons that are not in the best interest of securing critical assets. Tying all of this spending together is the strategic plan.
11. Management and the Board
The inclusion of cybersecurity as an agenda item for board meetings has grown dramatically since the watershed Target breach of 2013. The quick succession of other breaches, including Home Depot, Wyndham, and JP Morgan Chase, put boards on notice. More recent events, such as the SolarWinds breach in 2020 and the Microsoft Exchange Server attack and the Colonial Pipeline ransomware attack of 2021, have made it inescapable that boards must understand cyber risk. Guidance for boards on this subject is available from multiple resources, including the Securities and Exchange Commission, the Digital Directors Network (DDN), the National Association of Corporate Directors (NACD), and regulatory bodies such as the Federal Financial Institutions Examination Council (FFIEC).