Jan 10, 2018
Top Four Concerns Keeping Your CISO Up At Night
The position of CISO, Chief Information Security Officer, has evolved significantly over the last few years. It has become a standalone position and is no longer just a title slapped on to an existing employee's responsibilities. This new CISO has the responsibility, and ultimately the accountability, to think proactively about safeguarding the confidentiality, integrity, and availability of the information systems under the organization's control.
Now add to this the burden of budgeting or requesting funds for the latest cool security tool, assessing the risk any venture might pose to business continuity, and complying with the latest regulations and international standards, and it's not an easy job.
There is so much keeping a CISO up at night, and to get ahead of the rest and avoid getting swamped in all the small details, here are the top four things that might be keeping your CISO up at night.
Preventing and Handling Security Breaches
The hack last year at Equifax, together with the allegations of security breaches involving world governments, has really put the spotlight on hackers and their adverse impact on both governments and businesses.
The ways a security breach can affect the data of an organization, its customers or its business partners are limitless, so it makes a lot of sense that a CISO should spend sleepless nights over this.
With the move to cloud-based computing, company assets have become so geographically dispersed around the world that a CISO has to keep track of all these human and technical resources and ensure that they're all safe and secure.
There's the likelihood of unauthorized access to organizational social media accounts, the spread of malware and viruses, and an increase in hackable sensitive data, like account information and passwords, flowing through mobile devices that access the organization's systems.
It's impossible to identify all the potential risks; the possibilities are endless. Still, performing regular risk assessments, and subsequently mitigating those risks that don't meet your organization's risk tolerance threshold, will help a CISO get a few extra hours of Z's.
Handling the Growing Cost of Information Security
CISOs must understand the budget required for the growing cost of information security. Apart from funding issues, this also requires streamlining and mobilizing the entire organization to become more security aware.
It's not feasible to protect all of the organization's assets; that would be impracticably costly. A good CISO will identify the cost of the risk materializing and the cost of the various methods of mitigating it. There might be several completely different ways of mitigating the same risk, too: think insurance versus physical controls.
A very rudimentary calculation might be (cost of the risk materializing) * (likelihood of the risk materializing), compared against the (cost of mitigating the risk). If the numbers make sense, they should probably mitigate that risk. Calculating the cost of a risk materializing is tough, and erring on the side of caution is probably best.
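As an added illustration of the calculation above (example code, not from the original post), the script below scores several mitigation options against one risk. It goes a step beyond the text by tracking how much of the likelihood or of the loss each control removes, and by an optional caution margin that inflates the loss estimate; every figure in it is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    loss_if_realised: float    # cost of the risk materialising (currency units)
    annual_likelihood: float   # probability per year, 0.0..1.0


@dataclass(frozen=True)
class Mitigation:
    name: str
    annual_cost: float           # what the control or premium costs per year
    likelihood_reduction: float  # fraction of the likelihood removed, 0.0..1.0
    loss_reduction: float = 0.0  # fraction of the loss absorbed (e.g. insurance payout)


def expected_loss(risk: Risk) -> float:
    """The post's rudimentary figure: cost of materialising * likelihood."""
    return risk.loss_if_realised * risk.annual_likelihood


def residual_loss(risk: Risk, m: Mitigation) -> float:
    """Expected annual loss that remains once the control is in place."""
    return (risk.loss_if_realised * (1 - m.loss_reduction)
            * risk.annual_likelihood * (1 - m.likelihood_reduction))


def net_benefit(risk: Risk, m: Mitigation) -> float:
    """Loss avoided per year minus the control's cost; positive means worth doing."""
    return expected_loss(risk) - residual_loss(risk, m) - m.annual_cost


def rank_mitigations(risk: Risk, options: list[Mitigation],
                     margin: float = 1.0) -> list[tuple[str, float]]:
    """(name, net benefit) for each option that pays for itself, best first.
    margin > 1.0 inflates the loss estimate, i.e. errs on the side of caution."""
    cautious = Risk(risk.name, risk.loss_if_realised * margin, risk.annual_likelihood)
    scored = [(m.name, net_benefit(cautious, m)) for m in options]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)


# Constructed sample figures; they are not taken from the post.
RANSOMWARE = Risk("ransomware on file servers", loss_if_realised=2_000_000, annual_likelihood=0.10)
OPTIONS = [
    Mitigation("offline backups + restore drills", annual_cost=60_000, likelihood_reduction=0.0, loss_reduction=0.80),
    Mitigation("cyber insurance", annual_cost=90_000, likelihood_reduction=0.0, loss_reduction=0.70),
    Mitigation("EDR rollout", annual_cost=150_000, likelihood_reduction=0.60),
    Mitigation("24x7 SOC", annual_cost=400_000, likelihood_reduction=0.90),
]

if __name__ == "__main__":
    print(f"expected annual loss: {expected_loss(RANSOMWARE):,.0f}")
    for name, benefit in rank_mitigations(RANSOMWARE, OPTIONS, margin=1.5):
        print(f"{name}: net benefit {benefit:,.0f}/yr")
```

With the default margin only the backups and the insurance pay for themselves; at a 1.5x caution margin the EDR rollout also clears the bar, which is the kind of sensitivity a CISO should show the board alongside the raw numbers.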
A CISO has to be vigilant in managing organizational risk, but they also have to be able to communicate the importance of security to boards and managers in order to receive the investment security needs. They must understand how to derive costs and compare them with the return on investment that the controls bring.
Securing an Organization's Business Continuity
Preventing security breaches, and handling them capably when, not if, they occur, is what you might think of as the primary function of the CISO. Sure, this might take up a good part of their time, but it is actually only one part of the CISO's job description.
So they have adopted new strategies, maybe deployed some new products or even implemented a whole bunch of new processes, and they still can't sleep! "What if my <blank> goes down?" they'll say.
Now is the perfect time to document your organization's Business Continuity Plan (BCP), a document that forecasts business disruptions and the strategies needed to bounce back from risks that materialize.
The BCP can sit side by side with disaster recovery functions, which typically focus on recovering hardware and software and getting backups restored, and should prove helpful in understanding the risks facing any organization.
The input to the BCP is primarily a business impact analysis, which might be created for every revenue-generating stream. This organizes data on the maximum acceptable lost revenue, ultimately providing valuable insights for a continuity-informed security program.
Ensuring Compliance with the Latest Regulations and Requirements
While the first three causes of CISOsomnia are all incredibly important components of a #CISOlife, ensuring compliance with the latest regulations and requirements may be considered the foundation of the work: it provides the key to addressing the whole spectrum of their responsibilities.
Regulatory compliance is one step towards investing in information security, preventing and handling security breaches, and securing the organization's business continuity when faced with unexpected disruptions.
Securing data and information systems, for instance, is at the core of the European Union's General Data Protection Regulation (GDPR) and of ISO 27001, which sets the standard for an Information Security Management System (ISMS). The same goes for Service Organization Control (SOC) 2 and the Federal Risk and Authorization Management Program (FedRAMP); all of these help address the growing costs of information security and the necessities of business continuity.
Complying with these standards can help your CISO sleep, but more importantly it helps your organization by ensuring that systems, controls, and adequate security measures are put in place to prevent and handle breaches well.