Tag Archive: Chief Information Security Officer

What to Expect in Your CISO’s First 90-Day Board Report

Published by

Corey E. Thomas

Aligning with your company’s new chief information security officer (CISO) is a great opportunity to provide better protection for your organization, ensure regulatory compliance, and align previously siloed teams to gain clarity on how your business will respond in the event of a cybersecurity crisis. That’s why I urge board members to initiate early communication with those directly in charge of maintaining the enterprise’s vision for security by asking questions and collaborating on cybersecurity strategies.

According to a new study from the Enterprise Strategy Group and the Information Systems Security Association a lack of alignment between the security leader and the business can contribute to high CISO turnover. This is especially true if the CISO doesn’t feel welcome to participate in the boardroom meetings with executives.

This is a two-way street, of course. Board members often lack the knowledge they need to converse with information technology (IT) and cybersecurity professionals. They also tend to lack an understanding of how these groups contribute to effective enterprise risk management. Below we go through a few tips that will help put you on the right track and align these critical parties.

Understanding Your Company’s Risk Tolerance

First, in order for the board to understand the company’s cybersecurity posture, its members need to understand what level of risk is appropriate for your company. Each company’s individual strategy for growth, innovation, and safety should determine the extent to which it manages various types of risk, be it safety risks, operational risks, environmental risks, or technology risks (keeping in mind that technology plays a role in just about every category of risk).

Cybersecurity programs need to address an expansive and ever-changing threat landscape. They should include strategies to identify how vulnerable the organization is, determine whether or not they are compromised, and enhance operational efficiencies. During the first 90 days of his or her tenure, directors should be sure to get input from the new CISO on all of these areas, as well as a documented approach to how they will monitor the overall risk to the business based on these elements.

Setting Expectations

Understanding the risk tolerance of the business is the first step, but in order to properly determine this the CISO must be able to answer several questions. And knowing which questions to ask, and how these questions relate to managing risk within the company, will go a long way toward effective cyber risk management. To get a full understanding of your company’s cybersecurity posture, and ensure your security team is focused on the right things, ask your new CISO to answer the following questions in his or her first 90-day board report.

  1. Does our security team have a full, well-informed view of our organization’s vulnerabilities? What are our top three cyber threats? How do we identify and deal with emerging threats?
  2. What have we learned from past cybersecurity incidents?
  3. Does management have a clear vision of the cyber risks to our organization? Can you provide any past examples of C-suite executives supporting the cybersecurity objectives of the company?
  4. Are we managing cyber risks in alignment with the appropriate level of risk for our company and industry?
  5. What steps are we taking to ensure compliance with all requirements for our industry? Do we follow any cybersecurity industry best practices such as the Center for Internet Security’s Critical Controls?
  6. What is our cybersecurity incident response plan? Do we maintain an internal and external communications plan as a component of that? Has a tabletop exercise been completed to test the effectiveness of the plan?
  7. How is our security team collaborating with our IT and development operations teams? Look for examples of a strong security operations (SecOps) practice, such as shared data and integrated processes, helping to make security inherent within all business operations and innovation.
  8. How are we ensuring that our partners take appropriate security measures? For example, when engaging outside firms for services, are those other companies protecting sensitive information such as our marketing strategies and customer information? How is this being enforced? This could include signing agreements and performing regular assessments of vendor security practices.
  9. How do you measure the effectiveness of our cybersecurity program and initiatives?
  10. What investments can we make to further reduce our risk? What do we need  and why?

Encourage your board as they review the information provided by the CISO to ask for relevant specific examples and documentation. While your fellow board members might not know the underpinnings of cybersecurity, they will have a fresh point of view around the resources and implementation of these processes. For instance, a comprehensive incident response plan should be thoroughly documented and readable for all involved parties so that they are aware of their role during a security incident.

By asking the CISO these probing questions, verifying the responses, having a knowledgeable senior executive or board member sponsors, and partnering with a trusted cybersecurity advisor, your organization will have a defined understanding of its cyber risks and will be prepared to make informed investment decisions.

Next Steps

Only 44 percent of cybersecurity professionals surveyed by the Enterprise Strategy Group and the Information Systems Security Association believe that CISO participation with executive management and boards of directors is at the right level. Clearly, more needs to be done to inform risk-based cybersecurity decision making as well as deeper integration of SecOps into core IT and development responsibilities. How can you buck that trend?

After the 90-day report from the CISO is a perfect time to discuss the answers to these questions. Follow up with your CISO to identify areas of concern and where more support from the board or executives might be needed for them to succeed. An ongoing dialog is critical, and will fine-tune cyber-risk management. It will also allow management to make informed technology investments, identify what training needs to happen, and provide ongoing cybersecurity governance aligned to risk tolerance and business goals.

The time is now for boards to improve the quality of dialogue with CISOs. Initial conversations and expectation-setting will minimize the possibility of overlooking cyber risk that could be detrimental to the corporation and its shareholders, while also making sure that everyone involved in the oversight of security gets on the same page.

 

Corey E. Thomas is CEO of Rapid7. Read more of his insights here.

Four Questions to Ask to Probe Your Company’s Cyber Resiliency

Published by

Kelly Bissell

Cybersecurity is the bedrock of intelligent business. Companies that hope to develop superior customer knowledge, unique insights, and proprietary intellectual property by utilizing digital capabilities will require a robust cybersecurity strategy to underpin the whole. Companies need a strategy that leads to true cyber resilience.

To create a resilient enterprise, companies must make changes in four areas: leadership and governance, funding, organizational culture, and security measurement and monitoring.

Directors and executives should be asking themselves the following questions in order to ensure that they are on the right track.

1. Leadership and governance: Do we really understand what’s at stake for the business?

CEOs and boards of directors fortunately are ramping up their engagement and accountability for cybersecurity. Most CEOs, however, have much more to do. The chief executive’s relationship with his or her chief information security officer (CISO) is critical to the right kind of engagement. The CEO’s relationship with the CISO is also important to the board’s ability to perform sound cyber-risk governance.

CISOs should have oversight of more than just the corporate office, to include functions, subsidiaries, joint ventures, and labs. They should be involved in discussions of any new business initiatives or technologies that will increase cyber risk. CEOs and boards should bring them into the inner circle to help build risk management strategies to support business goals and objectives. The bottom line is that CISOs must become business advisors to leadership and informants of business challenges and successes to boards.

2. Culture: Do we truly put security first?

A big part of embracing a security-first culture is having the right mindset. At the C-suite and board level, cyber resilience and operational performance management should go hand in hand. Security must be a strategic priority tracked and reacted to as part of the tempo of normal business management, much the same as with the profitability of business units. It is a new competence that needs to be built, just like manufacturing excellence or personalization in digital marketing.

This mindset must spread throughout the organization and serve as a spur to proper actions. Line management must understand that they have a primary objective: Protect customers’ data and the company’s digital assets and operations. Fail at this and all else is irrelevant. The same is true for the front lines.

Cultural change must be backed by action and investment, and the buck stops with the board. Ensure your board is asking management whether or not this key culture change is being made across the organization.

3. Funding: How much is the right amount?

Answering this difficult question requires breaking it into two parts:

  1. Is the company brilliant at the basics? This means properly investing to resolve challenges of any magnitude—from intruders who want to get at a particular customer, to attackers after the company’s most critical assets, whether they be data or key intellectual property that differentiates the company in the market.
  2. Is the company innovating to improve its security? The only way to lower the cost of cybersecurity (or at least slow cost increases) while improving overall capability is to innovate upon current security practices.

Getting the basics right isn’t easy. It requires understanding and preparing for the many potential intentions of cyberattackers. It also means hardening high-value assets. Companies must make it as difficult as possible for attackers and limit the damage that’s possible when they do breach the walls.

Breakthrough innovations come from many corners, including business partners, vendors, and alliances across other ecosystems. CEOs and boards should think of the startup community as their company’s route to innovation and experimentation. Once partners demonstrate how their products will integrate efficiently and drive  value in the security mission, security professionals must rapidly scale the innovations across their organizations. The CEO can empower that scaling, and the board should be asking the CEO about plans to do so.

4. Metrics and monitoring: Are we measuring for business relevance?

The metrics used in the past to measure business success won’t help in the future. For example, low, medium, and high compliance scores don’t communicate enough about business risk. Rather than information such as project plans on encryption, CEOs and board members should receive metrics on protecting customer data. Rather than metrics around patching (updating software with the latest, most secure versions), they should hear about how the integrity of production environments is being maintained. Companies need business-relevant scorecards on security.

In addition to receiving better information on more relevant metrics, CEOs and boards should improve their own monitoring and understanding of cyber threats. They need to develop muscle memory by taking part in crisis drills and working through attack scenarios. Such practice helps track improvements and lessons learned, and to be prepared to respond immediately when a threat occurs.

The Path to Cyber Resilience

CEOs and boards of big organizations that have been successful at demonstrating cyber resiliency are leading wise pivots to new strategies for security. While these pivots are essential to the survival of businesses, they do bring risks and increased attack surfaces to critical digital assets and operations. Business leaders must engage more directly to own this challenge, because in the future, the only resilient business will be one that is cyber resilient.