One of the key buzzwords in Cybersecurity is that of “Transformation”. Just like other tech jargon that flies around out there, this term can mean different things to different people. But broadly speaking, it can be defined as follows:

“A cybersecurity transformation enables you to rapidly reduce cyber risk and confidently adopt new digital technologies that support your strategic goals.”

(SOURCE: https://www.pwc.com/m1/en/services/consulting/technology/cyber-security/transformation.html)
But in the end, it is the CISO who has to embrace this definition and make it work for their organization. Of course, with such a broad definition, this is for sure a tall order to fulfill. So, how can it be done? Well, one lesson I have learned in life is to break things down into more manageable tasks, and to get help when you need it. So in this regard, here are three steps that a CISO or even a vCISO can take to accomplish this part of their mission. Here we go:
1) Get the right people:

Very often, when a CISO is handed a new project, their first inkling is to handle it all by themselves in order to prove their worth to their higher ups. But this is totally flawed thinking. The primary role of the CISO (vCISO) is to take on the project, but assign it down to the relevant members of the IT Security team (or even other departments as necessary) to get the job done. Take for example a Disaster Recovery (DR) plan. Obviously, a CISO cannot write the entire plan by themselves, so you delegate to the different people who can write the different sections and compile the entire thing. Then it is your responsibility, as the CISO, to review the document and deliver the final version to the higher ups.

But most importantly, you will also be responsible for practicing the DR plan on a regular basis to make sure that it is up to snuff, and that the people on the team will react quickly to bring mission critical processes back up as fast as possible. Make sure to spread the knowledge that you have, and always communicate in a clear and concise manner.
2) Make sure your goals are the company goals:

By this, I simply mean that whatever you are doing, make sure as much as possible that it is also relevant to the entire company and not just to your team. Take for example the DR plan once again. Obviously, your IT Security team can’t write it all. You need to get people from other departments involved (such as HR, Finance, Accounting, etc.) to write their parts as well. After all, they will be directly impacted by a security breach as well. Another example would be Cyber security awareness training. You can’t use a one size fits all approach for this. For instance, what your IT security team needs to be trained in will have no relevance whatsoever for, say, the HR department. They need to be trained in the concepts of Social Engineering so they can spot calls from phony recruiters.
3) Think of the holistic picture:

This can be considered kind of a repeat of the last one. But in this instance, once you are given a project and have completed it over the required time period, you need to be asking yourself, “How will the company benefit from all of this?” Of course, the first thought here is to see how your specific role can benefit from this, and how you can advance. But in the long term, this is rather a selfish way of thinking. Instead, think also (and most importantly) about how your entire company can benefit from it. Ultimately, when you present the final deliverable to the CEO and Board of Directors, they will see the ROI quickly. And in the end, this will simply be brownie points for you, the CISO.
My Thoughts On This:

I guess the moral of the story here is that you, the CISO, need to get away from the siloed way of thinking that is so prevalent in the Cyber industry today. Working in silos serves no purpose whatsoever in today’s digital age. By taking the holistic approach and way of thinking, you, your company, and everybody else will advance in the long run.