Don’t Worry – It Will Be Worse Than You Think

As CISOs, we must prepare our organizations for the CRISIS – not just the cyber security incident. Our leadership, public relations and business line partners need to steel themselves against the impulse to minimize the impact during every phase of the response. Too many organizations lose sight of the importance of candor and ownership in crisis management, and jeopardize long-term recovery.

Assume the Policy Positions

As senior members of the Executive team, CISOs have political influence – of course collectively in our professional associations – but also across the organizations and industries where we work. We are responsible for the information assets of huge cohorts of stakeholders across industries – and have a meaningful role to play in the public discourse. If we leave advocacy primarily to our vendors and partners or “big tech”, we risk common sense safeguards becoming partisan issues.

EBP Hearts Microservices

Security teams need to think like developers to more efficiently protect microservice-based architectures. Trying to create security enforcement policies organized around monolithic application flows will not only make it harder to keep up with dynamic releases – it could undermine the advantages of microservices and zero trust networking altogether.

It’s time for (Code) D.R.O.P.S.

The understanding that cybersecurity must be integrated into the DevOps process is nearly ubiquitous at this point. While SecDevOps was an important step forward, we must also ensure that Privacy and Enterprise Risk are addressed in the continuous delivery process. Not knowing the privacy or control framework needed for a new release can lead to the very same disruptive and expensive course corrections that ignoring cybersecurity once did.

Cybersecurity Authenticity

Security Awareness programs focus on training employees to protect corporate information and systems. We are asking staff to put on a “cybersecurity hat” at work – which we don’t care if they remove the moment they leave the office. To have real behavior change, cyber security awareness needs to be an authentic part of employees’ lives. CISOs should be advocating “whole life” cybersecurity to really engage staff and reduce risk.

Entitlement Based Policies

Security policies should not be organized around “communities” – they should be built around the entitlements they grant. These entitlements should be “service provider” focused – not based on membership in a point-in-time organizational structure. Developers realized the value of object-oriented design years ago – security policies should do the same.