This is the eleventh in our series sharing thought pieces, and the first from the CISO Desk Reference Guide: A Practical Guide for CISOs, Volume 2. In the following excerpt from Gary Hayslip’s essay for Chapter 11, Gary makes the case that effective cybersecurity leadership involves not just the right tools, but also proactive techniques like educating stakeholders, assuming controls will fail, and investing in staff training. These strategies help build a resilient security program that can adapt to evolving threats. Please enjoy.
Techniques and More Techniques
Many aspects of an organization’s security program will determine how well it detects and responds to cyber incidents. However, remember that even the best cybersecurity strategies can fail if the program lacks critical components such as the correct mix of talent, support from executive management, or the right security resources. So, in our next topic for discussion, let’s look at some techniques a CISO can use to deploy cybersecurity capabilities and proactively improve the security program. Our next question is: “What techniques can the security program use proactively to better protect organizational assets and preempt threats?”
One of the first questions I ask my teams and stakeholders is, “Do we know how our company is susceptible to cyber-attacks?” This is one of the first techniques I recommend to new CISOs. Get out into your departments and talk to your stakeholders. Educate them on the risks facing the organization and then ask them questions. Some questions that I would recommend you ask center on how they work, what data they use, who has access to it, and what applications are critical for them to be successful. This information will provide insight into the information your company, employees, and partners have that criminals may target. The biggest motivator for cybercriminals is still money, and your data has now become an international currency. So, my first recommended technique is: “Educate yourself and your stakeholders on what is valuable to the criminal and what methods they may use to access it and use that information to focus your security program and reduce the organization’s exposure to risk.”
The next technique I recommend is one of healthy paranoia, born of working in cybersecurity for over 20 years. I never assume that my security controls are working. I always expect that something will eventually fail, so I continually look for that failure.
Many organizations treat security as an issue to fix once: they put security controls in place and then assume the controls are working. Unfortunately, with this line of thinking, the organization is unprepared for a breach because it doesn’t realize that the controls are no longer functioning. I advise assuming that not all of your controls work as advertised. I have seen many instances where new technologies, or changes to an application’s workflow, broke a security program’s installed controls.
You should continually assess the effectiveness of your controls and build into your program the assumption that they will fail: plan for failure, keep looking for it, and remediate it when found. This mindset, “Assume your security controls are going to fail,” will allow you and your teams to keep your security control portfolio flexible, and over time you will better understand each control’s impact on the organization’s business operations.
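One concrete way to turn “assume your controls will fail” into a routine check is a small script that verifies, on a schedule, that each control is still doing what it is supposed to do. The example below is added here to illustrate the idea; it is not code from the book or from the author. It assumes constructed inputs (an asset inventory, the list of hosts the EDR console reports, and the last event time per log source in the SIEM); a real deployment would pull these from the CMDB, the EDR API and the SIEM. It treats two silent failures as control failures: a host with no endpoint agent, and a log source that has stopped delivering events, which otherwise looks exactly like “no alerts today.”

```python
"""Continuous control-effectiveness checks (added example, not the author's code).

Assumes a constructed asset inventory, EDR agent list and SIEM log-source
timestamps; a real deployment would pull these from the CMDB, EDR console and SIEM.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is deterministic (in production use datetime.now(timezone.utc)).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed inputs (not real data).
INVENTORY = {"web-01", "web-02", "db-01", "jump-01"}   # what the CMDB says exists
EDR_AGENTS = {"web-01", "web-02", "db-01"}             # what the EDR console reports; jump-01 is missing
LAST_EVENT = {                                         # last event each log source delivered to the SIEM
    "firewall": NOW - timedelta(minutes=5),
    "vpn": NOW - timedelta(hours=26),                  # quietly stopped sending more than a day ago
    "edr": NOW - timedelta(minutes=1),
}
MAX_SILENCE = {                                        # how long a source may be silent before it counts as failed
    "firewall": timedelta(minutes=15),
    "vpn": timedelta(hours=1),
    "edr": timedelta(minutes=15),
    "dns": timedelta(hours=1),                         # configured but never seen: a control that never worked
}


@dataclass
class Finding:
    control: str
    detail: str


def check_edr_coverage(inventory, agents):
    """Control: every inventoried host runs the EDR agent.
    Hosts the agent doesn't know about are exactly where an attacker goes unseen."""
    return [Finding("edr_coverage", f"no agent on {host}") for host in sorted(inventory - agents)]


def check_log_freshness(last_event, max_silence, now):
    """Control: each expected log source is still delivering.
    A silent source is treated as a failed control, not as 'no alerts today'."""
    findings = []
    for source, limit in max_silence.items():
        seen = last_event.get(source)
        if seen is None:
            findings.append(Finding("log_freshness", f"{source}: never received an event"))
        elif now - seen > limit:
            findings.append(Finding("log_freshness", f"{source}: silent for {now - seen}"))
    return findings


def run_checks(now=NOW):
    """Run every check and return the list of failures; an empty list means all controls verified."""
    return check_edr_coverage(INVENTORY, EDR_AGENTS) + check_log_freshness(LAST_EVENT, MAX_SILENCE, now)


if __name__ == "__main__":
    failures = run_checks()
    for f in failures:
        print(f"FAIL {f.control}: {f.detail}")
    print(f"{len(failures)} control failure(s)")
```

Run from cron or a pipeline and page on a non-empty result. The point is that the check asserts the control's intended effect (agent present, events flowing), not merely that the tool is installed or licensed.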
The next technique I recommend to you as a CISO revolves around your security teams and personnel. In every organization I have worked at, my teams enabled me to be successful. Part of this success involved understanding the skillsets of my personnel, the skillsets required to manage the security suite, and the training needed to handle any future changes to the security program and its suite of tools. This technique addresses a significant operational issue impacting all organizations: the shortage of trained, knowledgeable security professionals. The technique I recommend is to assess each staff member’s education, certifications, and experience. Then build a training program for each staff member and share it with them so they see that the organization plans to invest in them.
I would then lay out your plan to your manager to gain funding for building a training program for your teams. Start small, one class at a time, and eventually build a program where you can offer access to online training and attendance at an annual security conference to keep your personnel up to date on the latest threats to the organization. I believe this technique, “Invest in your people,” will give you dedicated staff members who are interested in their work. You will also reduce your organization’s risk exposure from a security team that is understaffed, ill-trained, and unmotivated.
The next technique I recommend revolves around the fact that in most organizations, the cybersecurity program typically lacks complete visibility into the organization’s enterprise landscape. This usually results in some manual security processes to compensate for the lack of visibility. Unfortunately, hackers don’t have this barrier and will leverage any issue, including time-consuming, manual processes, to compromise a network. Therefore, the technique I would recommend is “When in doubt, upgrade and automate it.”
As a CISO, you should seek to automate basic security processes that deal with low-level threats so that you can focus your resources and staff on more demanding challenges. As the cyber threats we face keep increasing, so does the volume of security data they generate. To respond appropriately to its strategic cyber threats, the organization must scale, using automation and machine learning to analyze its collected security data. As the CISO, you should champion techniques such as scripting, automation, and generative AI tools to remove the noise from your collected security data. This will provide the visibility you require to identify and remediate any residual threats, providing a valuable service to the business.
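The kind of low-level automation that pays off first is alert triage: collapsing repeats, suppressing traffic from sources you already know about, and escalating only what an analyst needs to see. The script below is an added example of that, not code from the book or the author. It assumes a constructed, simplified alert-line format (timestamp, severity, source IP, rule name) and an assumed allowlist naming the organization’s own vulnerability scanner; a real SIEM export would need its own parser. Malformed lines are reported rather than dropped, because a triage step that silently discards what it cannot parse is itself a control that fails quietly.

```python
"""Alert noise reduction before a human sees the queue (added example, not the author's code).

Assumes a constructed, simplified alert-line format; a real SIEM export will need its own parser.
"""
import re
from collections import defaultdict

# Constructed sample alerts (not real data): timestamp, severity, source IP, rule name.
RAW_ALERTS = """\
2024-06-01T12:00:01Z sev=low src=10.0.0.5 rule=port_scan
2024-06-01T12:00:02Z sev=low src=10.0.0.5 rule=port_scan
2024-06-01T12:00:03Z sev=low src=10.0.0.5 rule=port_scan
2024-06-01T12:00:09Z sev=low src=10.0.0.5 rule=port_scan
2024-06-01T12:01:00Z sev=low src=10.0.0.5 rule=port_scan
2024-06-01T12:00:05Z sev=low src=10.0.0.50 rule=port_scan
2024-06-01T12:02:10Z sev=low src=203.0.113.7 rule=failed_login
2024-06-01T12:02:11Z sev=low src=203.0.113.7 rule=failed_login
2024-06-01T12:02:12Z sev=low src=203.0.113.7 rule=failed_login
2024-06-01T12:02:13Z sev=low src=203.0.113.7 rule=failed_login
2024-06-01T12:02:14Z sev=low src=203.0.113.7 rule=failed_login
2024-06-01T12:02:15Z sev=low src=203.0.113.7 rule=failed_login
this line is not an alert at all
2024-06-01T12:05:00Z sev=high src=198.51.100.9 rule=webshell_upload
"""

KNOWN_BENIGN = {("10.0.0.5", "port_scan")}  # assumed: the organization's own vulnerability scanner
BURST_THRESHOLD = 5                          # same rule + same source this many times = one escalated alert
SEV_RANK = {"low": 1, "medium": 2, "high": 3}
LINE_RE = re.compile(r"^(?P<ts>\S+) sev=(?P<sev>low|medium|high) src=(?P<src>\S+) rule=(?P<rule>\S+)$")


def parse(text):
    """Parse alert lines. Malformed lines are returned, not silently dropped."""
    parsed, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m:
            parsed.append(m.groupdict())
        else:
            malformed.append(line)
    return parsed, malformed


def triage(alerts):
    """Collapse repeats of the same (source, rule), drop known-benign pairs,
    and escalate only medium/high severity or a burst at or above the threshold."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[(alert["src"], alert["rule"])].append(alert)

    escalated, suppressed = [], []
    for (src, rule), items in groups.items():
        count = len(items)
        top_sev = max(items, key=lambda a: SEV_RANK[a["sev"]])["sev"]
        summary = {"src": src, "rule": rule, "count": count, "sev": top_sev}
        if (src, rule) in KNOWN_BENIGN:
            suppressed.append({**summary, "why": "known-benign source"})
        elif SEV_RANK[top_sev] >= SEV_RANK["medium"] or count >= BURST_THRESHOLD:
            escalated.append(summary)
        else:
            suppressed.append({**summary, "why": "low severity, below burst threshold"})
    return escalated, suppressed


def run(text=RAW_ALERTS):
    """Parse and triage; returns (escalated, suppressed, malformed) so nothing is lost."""
    alerts, malformed = parse(text)
    escalated, suppressed = triage(alerts)
    return escalated, suppressed, malformed


if __name__ == "__main__":
    escalated, suppressed, malformed = run()
    print(f"{len(escalated)} escalated, {len(suppressed)} suppressed, {len(malformed)} malformed")
    for e in escalated:
        print(f"ESCALATE {e['rule']} from {e['src']} x{e['count']} (max sev {e['sev']})")
```

On the constructed input, fourteen lines become two escalations (a six-attempt login burst and a single high-severity upload), two suppressed groups, and one malformed line flagged for someone to look at. Keep the suppressed list: it is the evidence you need when a “known-benign” entry turns out to be wrong.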
My final technique is, “Security doesn’t exist in a vacuum—so go get some help!” In cybersecurity, you will never know everything. From time to time, you will need to collaborate and get information to assist you with strategic planning, emergency operations, and sometimes just a different point of view, even if only to verify you’re not going crazy.
As we conclude this topic, what is essential for you to understand is that these techniques are all part of different leadership styles that I have found particularly useful for a CISO in a dynamic, fast-changing environment. Picture each of these techniques as an extra push—a push for you to focus on your security program, the threats the organization faces, educating your organization on the value of cybersecurity, investing in your teams—and be willing to collaborate and understand that you will never know everything about cyber, so ask for help.
#CyberSecurity #CISOTechniques #RiskManagement