Five key considerations for CISOs that are easily overlooked
24 April 2019
Jan van Vliet, VP and GM of EMEA, Digital Guardian highlights five key points for CISOs that are often overlooked and why just a little bit of attention can go a long way towards improving the overall security posture of any organisation.
The role of a Chief Information Security Officer (CISO) is an extremely challenging one. Not only is the scope considerable, often requiring an extensive set of technical and interpersonal skills right out of the gate, but the emergence of new security threats on a near-daily basis makes staying ahead of the game next to impossible.
With so much going on all the time, it can quickly become overwhelming. For this reason, many CISOs choose to stay laser-focussed on the fundamentals of the job, often to the detriment of less obvious, but equally important, areas of consideration.
This article identifies some of these easily overlooked areas and why just a little bit of attention can go a long way towards improving the overall security posture of any organisation.
Take the time to think like a hacker!
Most CISOs are so busy that they never take the time to stop and think strategically like the very attackers they are trying to keep out. Unlike CISOs, attackers are not bound by corporate rules or protocols.
They have only one goal: to identify and exploit any weakness they can find in an organisation's defences. Few of them follow formal methodologies or hold certifications, which makes them highly unpredictable, using novel attack strategies and outside-the-box thinking specifically designed to keep them under the radar.
In order to get on the same wavelength, CISOs must step away from day-to-day operational activities and really try to understand the attacker mindset. This can be achieved through various means, including connecting with colleagues and fellow CISOs, speaking with local law enforcement, reviewing published incident reports, or even just conducting personal research online. Whichever path is chosen, the key is to do it regularly.
The cyber security industry doesn’t stand still, even for a second, and falling behind can have serious ramifications.
Understand the power of education
Many CISOs become overly fixated on the use of technology to keep their organisations secure. However, it is people who are (and likely always will be) the biggest security risk. For that reason, CISOs should never underestimate the power of properly educating employees.
Not only is it significantly cheaper than the latest cyber security product, but in many scenarios it is also more effective.
Well-trained, well-informed employees are far more likely to spot phishing or social engineering attempts, and may even identify insider threats, helping to stop attacks early, often before any technical control has triggered.
Recognise that mobile is the weakest link
Mobile devices have quickly become an essential part of operations for many organisations. However, according to Kaspersky Lab, there were over 42 million attack attempts on mobile devices globally in 2017, showing just how much attention they now receive from cybercriminals.
The main challenge for CISOs is finding the right balance between mobility and security: giving employees the freedom they need to be productive, while also maintaining the right level of protection.
Doing so often requires specialist mobile defence solutions that are capable of monitoring and blocking suspicious activity while protecting user privacy and device usability. These work best alongside the basics: devices kept patched, enrolled in management, and able to reach corporate data only when they meet a minimum security baseline.
Properly vet external vendors
Loss or corruption of digital data is a regular occurrence in modern business, yet few organisations have the resources to recover it internally. As such, many rely on external third-party vendors for data recovery tasks.
However, these vendors often fail to meet the same high standards of data protection that the organisations themselves do, which can leave the organisation in breach of stringent compliance rules if it is not careful: the data is still the organisation's responsibility while it sits on the vendor's systems.
Taking the time to perform due diligence on all external vendors should be a key consideration for any CISO wishing to avoid major reputational or financial damage. At a minimum, that means checking how the vendor stores and transmits the data it handles, who within the vendor can access it, what independent assurance it can show, and confirming that copies are securely destroyed once the recovery is complete.
Know your own limitations
Ideal CISO candidates have a combination of top-tier technical understanding, outstanding management capabilities and strong interpersonal skills. Unfortunately, there are very few candidates out there today who can boast all three!
As a result, many CISOs tend to be strong in two of these areas but lacking in the third. Which two they are strongest in varies greatly from candidate to candidate.
It’s imperative that CISOs in this situation know their own limitations and take steps to mitigate them. This includes undertaking further qualifications and/or surrounding themselves with a strong team to not only bolster any areas of personal deficiency, but also share the workload and prevent burnout.
With so many roles and responsibilities to fulfil on a daily basis, it is very easy for CISOs to develop tunnel vision and end up focussing on a handful of tasks that they perceive to be the most critical.
However, taking the time to step back and think about data security from a more holistic perspective can quickly shed light on other key areas of consideration that are equally important.
With just a small amount of attention, they can significantly improve the overall security posture of any business, so is it time you took the blinkers off?