Friday, October 20, 2023

How To Embrace The Era Of Cyber Transformation - 3 Golden Nuggets

One of the key buzzwords in Cybersecurity today is “Transformation”.  Like much of the other technical jargon that flies around, this term means different things to different people.  But broadly speaking, it can be defined as follows:

“A cybersecurity transformation enables you to rapidly reduce cyber risk and confidently adopt new digital technologies that support your strategic goals.”

(SOURCE:  https://www.pwc.com/m1/en/services/consulting/technology/cyber-security/transformation.html)

But in the end, it is the CISO who has to embrace this definition and make it work for their organization.  Being such a broad definition, this is a tall order to fulfill.  So, how can it be done?  Well, one lesson I have learned in life is to break things down into more manageable tasks, and to get help when you need it.

So in this regard, here are three steps that a CISO, or even a vCISO, can take to accomplish this part of their mission.  Here we go:

1)     Get the right people:

Very often, when a new project is handed down to a CISO, their first inclination is to handle it all by themselves in order to prove their worth to their higher-ups.  But this is flawed thinking.  The primary role of the CISO (or vCISO) is to take ownership of the project and then delegate it to the relevant members of the IT Security team (or to other departments as necessary) to get the job done.  Take for example a Disaster Recovery (DR) plan.  Obviously, a CISO cannot write the entire plan by themselves, so you delegate to the different people who can write the different sections and then compile the whole thing.  It is then your responsibility, as the CISO, to review the document and deliver the final version to the higher-ups.  But most importantly, you are also responsible for exercising the DR plan on a regular basis (tabletop walkthroughs as well as actual failover tests) to make sure that it is up to snuff, and that the people on the team will react quickly to bring mission-critical processes back up as fast as possible.  Make sure to spread the knowledge that you have, and always communicate in a clear and concise manner.

2)     Make sure your goals are the company goals:

By this, I simply mean that whatever you are doing, make sure as much as possible that it is also relevant to the entire company and not just to your team.  Take for example the DR plan once again.  Obviously, your IT Security team can’t write it all.  You need to get people from other departments involved (such as HR, Finance, Accounting, etc.) to write their parts as well.  After all, they will be directly impacted by a security breach too.  Another example would be Cybersecurity awareness training.  You can’t use a one-size-fits-all approach for this.  For instance, what your IT Security team needs to be trained on will have no relevance whatsoever for, say, the HR department.  They need to be trained in the concepts of Social Engineering so they can spot calls from phony recruiters.

3)     Think of the holistic picture:

This can be considered something of a repeat of the last one.  But in this instance, once you have been given a project and completed it within the required time period, you need to be asking yourself, “How will the company benefit from all of this?”  Of course, the first thought here is to see how your specific role can benefit from it, and how you can advance.  But in the long term, this is a rather selfish way of thinking.  Instead, think also (and most importantly) about how your entire company can benefit from it.  Ultimately, when you present the final deliverable to the CEO and the Board of Directors, they will see the ROI quickly.  And in the end, that will simply be brownie points for you, the CISO.

My Thoughts On This:

I guess the moral of the story here is that you, the CISO, need to get away from the siloed way of thinking that is so prevalent in the Cyber industry today.  Working in silos serves no purpose whatsoever in today’s digital age.  By taking the holistic approach and way of thinking, you, your company, and everybody else will advance in the long run.
