With new cyber threats constantly emerging, it’s easy for embattled CISOs to overlook some valuable steps that go a long way toward improving security.
The role of the Chief Information Security Officer (CISO) is rising to a prominent and indispensable place in companies around the world. CISOs work in tandem with IT teams but are primarily the security “head” to the department’s “hands.” They also must communicate with, and often convince, the board as to which cybersecurity standards and policies to implement. In short, CISOs need all the help they can get.
In that spirit, here are some best-practice tips that sometimes get overlooked:
Think like a hacker
CISOs may become so focused on defeating hackers that they don’t realize the security benefits of becoming like them. A computational study published by the National Center for Biotechnology Information rightly sums up cybersecurity not as a matter of hardware or software, but of human thought:
“Cyber-security is ultimately the interaction of human cognition and adversarial behavior in the context of computer networks. Simulations of human cognitive processes can be of great use for simulating and predicting user error and negligence, defender best-practices, most likely attack behavior, and ultimately, network vulnerabilities.”
CISOs need to widen their thought processes and start identifying where they’re failing. How? By attacking themselves. They must think like a hacker: “What or who would I go after if I were them?” From there, CISOs can simulate focused and company-wide cyberattacks to test the defenses.
These tests shouldn’t be a rarity. Consistent security drills are the most effective measure in a world where cyberattacks are non-stop. The practice of such pre-emptive analytics greatly strengthens a company’s security posture in a way that even the best threat detection software can’t by itself.
CISOs must remember that they’re not alone
The security buck may stop with them, but the CISO’s responsibility is eased if every staff member is schooled on security procedures. This is more than common sense: on closer inspection, many CISOs may discover that company-wide security training is a legal requirement, depending on the nature of their business.
Drafting and implementing an ongoing security awareness and practices program will help to firmly establish cyber policy and strengthen positive ties between a CISO and his or her colleagues. When staff know that they each play a vital part in what may amount to the company’s survival, they realize that everyone is important—and bears significant responsibility for the organization.
Security training also creates a more confident and integrated staff who can use their new awareness to strengthen a company’s entire culture, not just the dedicated security aspect of it.
A CISO must also never forget the security posture of companies partnering with their own. Even the most security-savvy staff may not be enough if outside parties aren’t as diligent with data safety. It’s one of the CISO’s many responsibilities to vet outside vendors and assess their risk profile—and enlist their help to lock down data and systems.
Adapt to the growing dangers of mobile/BYOD
Bring Your Own Device (BYOD) is a huge part of the mobile security problem faced by CISOs. It’s certainly on many security professionals’ radar, but many underestimate the scope of the issue. The proliferation of personal smartphones, laptops, wearables, and tablets brought to work by employees is creating countless new ways for company data to be haphazardly accessed, stored, and taken offsite.
These mobile devices could be left physically unguarded, lost, or used to connect to unsecured Wi-Fi hotspots, which are a hacker’s best friend. Any device accessing company data should be registered with the company and safeguarded via multiple steps.
All remote access should take place over a secured Virtual Private Network. This is a must, as is multi-factor authentication and password protection with automatic lockdown after a set number of failed log-in attempts. Inactivity timers should be a common feature in order to log out any user who forgets to exit a session. Biometrics are a particularly strong defense for mobile devices.
BYOD may seem like a less-expensive alternative to issuing every staff member a company-owned device, but it also sacrifices a great degree of control and disempowers a CISO, who can quickly lose track of the various software and hardware being used by numerous employees. Unless every worker has secured their personal device as strongly as possible, any one of them could carry an infection right into the heart of the company network.
Remote data wiping is another solution when a device is suspected to have been compromised. It’s a controversial method, however, since it can directly clash with employee privacy and access to their personal data. Regardless of which exact policies and procedures are implemented, they must be comprehensive enough to tackle all major threats, many of which are rapidly expanding with the growth of the Internet of Things (IoT).
Get a cyber insurance policy in place
Any honest cybersecurity firm will tell you they can never protect anyone 100 percent. Cyber insurance is a growing market and something CISOs can use to stop up that safety gap. The value of the cybersecurity insurance market is estimated to hit $7.5 billion next year, with an average claim cost of over $1 million.
It’s a great idea to have this protection in place, but often only the most well-prepared companies will be able to qualify. Some businesses may have cybersecurity that’s so poor or non-existent that no insurer will want to touch them. Otherwise, premium rates will be calculated on how much of a risk a company is deemed to be. The more effective the security framework, the lower the payments.
Cyber insurance is a small price to pay for further protection against the great financial losses which can follow a breach.
CISOs should think CyberGuard360
Our PG360 security solution offers simulated phishing, a risk assessment, an instant work plan, and over 60 NIST-based policy templates with industry-leading policy management. That’s not all we can do—yet these tools are the perfect way for CISOs to make a strong security start and maintain the kind of momentum that gives hackers a hard time.
We also offer employee security training that goes beyond a one-and-done approach, providing ongoing weekly assessments that continuously monitor and grade how the staff is responding to security threats. Basically, it’s our job to make a CISO’s job easier. Connect with us at the link below to find out how.
At CyberGuard 360, our clients are guided safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education, training, and disaster recovery. Call 914-202-0227 or reach us via our contact form.