Thursday, November 5, 2020

From the Trenches (episode one)

Moving mountains cannot be accomplished alone. Most CISOs face the same questions when "pitching" a security control or technology that is unfamiliar to the organization. Whichever framework or standard the company has chosen to follow, the executive team will ask: "What do other organizations do?", "Is this security challenge relevant to our industry?", and "Is this the most current and effective control, or have our peers found another way to meet the challenge?" The next question is often "Is this an appropriate level of rigor for our size and market share?"

Being able to answer these questions (or having the answers readily available) is critical to gaining support for the budget and controls that will ultimately build a CISO's control coverage and political capital, and potentially protect their job.

Boiling the ocean is never a good strategy. Breaking security controls down into a "shortlist" of necessary practices (necessary for your organization's size, industry, and risk profile) has proven to be the most effective way to initiate any security control or program. Picking the top 20 categories and their constituent controls gives an organization a significant leg up: better control of the risk landscape while keeping operational overhead manageable.

Knowing how these categories and controls map to the major standards further helps a CISO make the case for recommended improvements. Leadership should keep several things in mind: risk tolerance and appetite (mapped to the necessary practices), cultural perceptions and end-user experience, and operational sustainability. Addressing these concerns in the initial request for resources, together with peer statistics and metrics, helps flesh out a full business case for a process, policy, training, or technology improvement.
