Five Key Considerations For CISOs
Steve Durbin is Managing Director, Information Security Forum. He is a frequent speaker on the Board’s role in cybersecurity and technology.
As the world slowly emerges from lockdown and business tentatively resumes, organizations of all kinds face a tumultuous road ahead. Economic downturn looms menacingly, unemployment is climbing and uncertainty reigns. Adapting to the new business reality presents many challenges and only the best-prepared and most-adaptable will survive.
CISOs have a vital role to play in safeguarding long-term recovery and building a foundation for future success. Tasked, as ever, with protecting data and infrastructure, CISOs must work closely with boards. They must take time to understand business concerns, so they can prioritize the protection of assets, profile threats, reduce exposure and estimate potential losses. Ultimately, business leaders will rely on CISOs to help them make informed decisions about risk and, in these instances, careful planning is crucial. CISOs and security leaders must engage with boards to ensure proper funding and set realistic levels of risk tolerance.
Let’s explore five key areas of concern and actionable advice for CISOs.
1. Risk Management
Security budgets are liable to be under pressure, but risk management is only growing more complex in the current environment. CISOs may have to get creative and improvise to manage risk effectively. They will certainly have to engage with executive teams to craft relevant risk profiles and set acceptable levels of risk tolerance. Evolving regulations must also be considered to ensure proper security governance and compliance.
• Come to the boardroom prepared to fight for necessary security budgets and illustrate why risk management is so important.
• Draft a plan to safeguard remote workers and secure networks in the short term.
• Plan for the resumption of delayed long-term projects and investments.
• Identify fresh digital transformation opportunities.
• Factor in regulatory changes and assess their potential impact.
• Adapt policies, standards and procedures to ensure the governance framework is fit for purpose going forward.
2. Business Continuity And Resilience
Forward-thinking businesses have already turned to business continuity and disaster recovery plans to see them through the current crisis. Planning ahead for unexpected events can massively reduce the potential impact and financial burden. A resilient business is marked by a calm and efficient reaction to different scenarios to ensure that key business functions continue, if not completely uninterrupted, then with as little disruption as possible.
• Reassess critical business assets and reprioritize based on the latest operating models, adopted services and changes to infrastructure.
• Where possible, automate alerting so that data collection, analysis and filtering happen without manual effort, ensuring only critical events are flagged for already stretched security professionals.
• Strive for real-time identification of possible security events and work to reduce breach response times, so mitigation is swift, even with the new norm of remote work.
3. Infrastructure And Services
Many organizations have been forced to adopt new services or change the way existing technology is employed to meet the changing needs of the business. Distributed workforces, expansion of potential attack surfaces and increased complexity in infrastructure introduce new vulnerabilities and risks. The rapid change in infrastructure may have been essential to enable businesses to keep functioning, but these changes must be quantified, assessed and catered to from a security perspective.
• Secure the cloud by engaging with cloud service providers to manage capacity and examine VPN and authentication provision.
• Assess network capacity at the local and global levels to cater to bandwidth requirements and the increase in connection points.
• Take steps to secure company data by controlling where it resides, and stress test network capacity, data centers and backup facilities.
• Ensure security requirements are met for new network technologies, and factor in the potential impact of any technologies adopted to enable a return to work, identifying new attack vectors and securing them.
4. Supply Chain
Economic uncertainty, geopolitical pressures, business closures and drops in demand will transform supply chains beyond recognition. Many of the factors here are beyond the influence of individual organizations, or even industries. Maintaining supply chain integrity will be an ongoing challenge that requires continuous assessment and considerable flexibility.
• Stay in close and constant contact with customers and suppliers to identify fresh risks as they emerge.
• Assess how changing procedures and business practices might expose new threat vectors and constantly review potential exposures.
• Identify areas where operational changes could lead to a failure to meet contractual obligations and act to mitigate issues without increasing risk.
• Comprehensive reporting and security assessments are vital to ensure oversight and guarantee business continuity.
5. Workforce
Distributed workforces are more common than ever, but as some organizations usher in a return to workplaces, or adapt to a hybrid approach, CISOs must take measures to reduce risk and maintain control.
• Fully map networks and compile an accurate inventory of all devices and equipment, including every item, whether it is newly issued, held in reserve or redundant.
• Take steps to reduce exposure of unencrypted data or access to corporate networks on any devices used by remote workers.
• Educate the workforce on the latest security policies, ensure that expectations for returning to work are clear and update your onboarding procedures for new staff.
• Assess the effectiveness of safeguards to nullify insider threats and update where necessary.
While there’s a great deal for CISOs to think about, there’s also a very real opportunity to embrace the new business reality and adopt technologies and processes that will strengthen the security stance of the organization. A blend of short-term practicality and long-term planning will help businesses save money and build resilience.