Today’s blog is a little bit different than the others, and yes, that means no AI!!!! This is an issue that I have addressed many times before, and even in one of the books that I wrote on Risk and Cybersecurity Insurance. It is the topic of whether a CISO really understands what they are getting when they purchase a holistic, end-to-end Cyber solution.
What got me onto this topic was an article that I read this morning about a Cyber Executive who interviewed many people in the industry to see what kinds of trends exist in their buying patterns. Here is what he found:
*Not planning the solution in its entirety. In other words, not asking the questions and doing the evaluation of the product and/or service needed to make sure that it addresses all of the organization’s needs. CISOs very often look to cure the symptoms and not the actual cause. Once they have found something that can do this, they immediately jump at it without thinking clearly about whether this is what they really need.
*CISOs are often taken in by all of the bells and whistles that come with an all-inclusive security package. For example, if a dashboard looks sleek, that is the catalyst that decides whether they buy it or not. Or now, the big thing is Generative AI. If the package comes with it, buy it!
*CISOs very often don’t take a close look at the triaging process and the legitimate warnings and alerts that come through. Very often, they leave this to their IT Security teams to filter through. But IMHO, this is the wrong approach to take. It is this very process that paints the entire picture of what exactly is going on in the IT and Network Infrastructure. It’s like taking aspirin to stop chest discomfort without seeing the doctor to determine the underlying cause and whether further action is needed.
*Another key area of weakness is that CISOs do not adopt and enforce a software patching process. Instead, if they even have a process in place, they often rely on automation, which may or may not work.
So, what does the author recommend as to how a CISO should make their purchasing decisions? He starts off with the point that an organization first needs to have a comprehensive Security Program in place, which should answer these fundamental questions:
*Examining all current processes for your lines of defense, and asking this question: “Why are we using it? Give me the reasons.”
*Your current strategies for fending off an imminent threat, and how to deal with those that are already lurking in your IT and Network Infrastructure when you finally discover them.
*How quick is the response time? This is where the key metrics of “Mean Time To Detect” and “Mean Time To Respond” become especially critical.
*What are the current methods for Incident Response, Disaster Recovery, and Business Continuity? Are there even plans in place, and if so, how often have they been rehearsed?
*Who is part of the Incident Response team, and do they know what they need to do if they are called upon during a security breach?
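The “Mean Time To Detect” and “Mean Time To Respond” metrics named above are only useful if they are computed consistently from your own incident records. The following is an added example, not code from the article or its author: it takes a constructed set of incident records (attacker activity start, detection time, containment time) and computes MTTD as the average of start-to-detection, MTTR as the average of detection-to-containment over closed incidents only, and lists which incidents missed a detection target. The record layout, the four-hour target, and the incident IDs are assumptions made for the example.

```python
from datetime import datetime
from statistics import mean
from typing import Optional

# Constructed sample incident records (assumed layout; not from the article).
# "start" is when attacker activity began, "detected" when the SOC raised the
# incident, and "responded" when it was contained. None means still open.
INCIDENTS = [
    {"id": "INC-1", "start": "2024-03-01T08:00:00",
     "detected": "2024-03-01T10:00:00", "responded": "2024-03-01T14:00:00"},
    {"id": "INC-2", "start": "2024-03-05T22:00:00",
     "detected": "2024-03-06T04:00:00", "responded": "2024-03-06T05:30:00"},
    {"id": "INC-3", "start": "2024-03-10T01:00:00",
     "detected": "2024-03-10T02:00:00", "responded": None},
]


def _hours_between(earlier: str, later: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    return delta.total_seconds() / 3600


def mean_time_to_detect(incidents) -> float:
    """MTTD: average hours from attacker activity start to detection.
    Every incident has a detection time, so all records count."""
    return mean(_hours_between(i["start"], i["detected"]) for i in incidents)


def mean_time_to_respond(incidents) -> Optional[float]:
    """MTTR: average hours from detection to containment.
    Open incidents (no containment time) are excluded rather than
    counted as zero, which would make the metric look better than it is.
    Returns None when no incident has been closed yet."""
    closed = [i for i in incidents if i["responded"] is not None]
    if not closed:
        return None
    return mean(_hours_between(i["detected"], i["responded"]) for i in closed)


def slow_detections(incidents, target_hours: float) -> list:
    """IDs of incidents whose detection took longer than the target.
    The average can hide individual outliers, so report them separately."""
    return [i["id"] for i in incidents
            if _hours_between(i["start"], i["detected"]) > target_hours]


if __name__ == "__main__":
    print("MTTD (hours):", mean_time_to_detect(INCIDENTS))
    print("MTTR (hours, closed incidents only):", mean_time_to_respond(INCIDENTS))
    print("Detections over 4h target:", slow_detections(INCIDENTS, 4.0))
```

Reporting the open incidents separately from MTTR is the point of the example: a dashboard that silently folds them in (or drops them without saying so) is exactly the kind of sleek-looking number the article warns a CISO not to buy on.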
To help the CISO address all of these issues, and more, he recommends following the Security Framework as outlined by NIST. It can be downloaded at the link below:
He gives his own model for Cybersecurity, which is as follows:
“Program = Tool + People + Processes + Goals”
In my writings, I have produced something similar, but with fewer variables in it. It is as follows:
Great Cyber: People + Technology
In other words, to have truly effective lines of defense for your business, you cannot rely too much upon one side or the other. You need both, as the model proposed by the author also suggests.
Towards the end of the article, the author also points out two key areas the CISO needs to address in crafting their plans. They are as follows:
1) Involve everybody:
In Corporate America today, people still think that all issues related to technology fall onto the shoulders of the IT Department. While the proverbial buck does stop there, it is important to remember that each and every employee has to toe their own line for the collective good!!! In other words, “Cyber Hygiene” is not just left to the IT Department. Everybody has a role in this: making sure, for example, that they recognize the signs of a Phishing Email and discard it, or creating long and complex passwords with the help of a Password Manager. It takes all of the employees to fill the cracks!!!
2) Conduct Risk Assessments:
This is one area that I have belabored heavily. In order to lay out your Security Framework, you first need to identify all of the vulnerabilities that are present. Simply put, this means inventorying all of your digital and physical assets and ranking them on a numerical scale in terms of their degree of vulnerability. Of course, those with the highest ranking should receive immediate attention, either by putting in new controls or by upgrading the existing ones that are in place. Also, by conducting this kind of Assessment, you will know where all of your security tools lie, and from there you can decide whether you really need them or not. This is called decreasing your Attack Surface, and it will enforce the efficient use of the tools. Remember, by having too many of them, you widen the gap for the Cyberattacker to penetrate.
My Thoughts On This:
To be honest, I agree with the author on these points. As a CISO, if you are considering procuring a new solution, ask this basic question: “Am I really addressing the underlying issue or just the symptom?” By thinking along these lines, you and your IT Security team will go a lot further in staying ahead of the Cyberattacker.