Shiny-new-toy syndrome—it’s one of the biggest issues I fight against in my career. Security firms blast their network of clients and sales leads with sensationally broad descriptions of their newest software and hardware products; sometimes these solutions are looking to solve a problem that’s not clearly defined, and often the promise does not equal the reality. And their audience of security officers and staff, wrestling with a challenging set of risks, must stop themselves from thinking: “Yes, finally an easy answer to my [fill-in-the-blank] problem.”
Selecting the right suite of software and hardware solutions is an important part of a CISO’s job. But security isn’t just a technological problem, it’s a business problem. And this comes down to people.
For National Cybersecurity Awareness Month 2016, Stroz Friedberg is producing educational materials that organizations can use to emphasize the best practices of cybersecurity. In this post, we outline information often breezed over in more technical thought leadership pieces: who are the people CISOs should develop relationships with in order to more effectively manage the cyber risk posture of the organization, and why.
The Board of Directors and Executive Leadership: This vital relationship goes two ways. The CISO must help educate these leaders about cybersecurity, either through direct presentations or collaboration with a cybersecurity-focused board member. At the same time, the CISO must be trusted enough by this group for them to share their newest concerns and endeavors with him or her. This is the best way for CISOs to keep up-to-date on shifts in the company’s risk tolerance, culture, operations and footprint, cache of highly valuable information assets, and ultimately exposure areas.
Chief Marketing Officer, R&D leadership and Product Managers: These are the company’s drivers of innovation. They are not only likely to be the most active in terms of bringing new business-building technologies to the firm, but they’re likely developing new technologies as well. Understanding their innovations and why they’re pursuing these advancements can prevent CISOs from falling into a reactive mode, where they learn about new technology after implementation and then must rush to address any new risk exposure areas.
Legal team: A relationship with the legal team gives CISOs the opportunity to help reduce litigation risks by aligning security operations with existing or expected legal obligations. For example, are the company’s cloud-based services partners obligated to produce responsive information in the case of a breach? Are contracts with third-party vendors written to require good information security practices? Are regulatory requirements being properly supported by the security program? In addition, similar to the CISO’s relationship with executive-level leadership, this relationship can help the CISO identify changes to what data and operations should be treated as highly valuable assets.
Compliance executives: Through a relationship with compliance executives, CISOs can not only discuss concerns about possible gaps in compliance, but also learn about upcoming changes to regulations relevant to information security that might not otherwise come to their attention, such as shifts in financial or industry-specific rules that affect how data must be protected, retained, or reported on. This is also an opportunity to discuss the company’s cybersecurity policy and training.
Human resources (HR): A relationship with HR pays off in three ways. One, it gives CISOs more awareness of possible insider threats lurking in the company and an edge in managing these politically sensitive issues. Two, CISOs can learn about new HR technologies and partnerships in the pipeline. Three, HR can provide feedback about the efficacy of new hire and staff training on information security issues.
Security software/hardware experts: People are also integral to making the latest and greatest tools do their jobs. If a Security Information and Event Management (SIEM) system or vulnerability-scanning tool isn’t tuned to, for example, prioritize meaningful security issues, it may spout out several thousand alerts a day and overwhelm the staff, leading to missed events. If a tool’s implementation accidentally opens a side door for unauthorized access (an over-privileged scanning account, say, or a management console reachable from places it shouldn’t be), it increases the company’s risk profile rather than reducing it. What’s more, people internally must be trained to understand these complex technology solutions and manage their output, because someone needs to quickly judge which issues to escalate and how to escalate them. The CISO’s role here is to define and communicate how each tool fits into the company’s overall security risk management process, and to work with the team to make the most efficient and effective use of these tools.
It’s ambitious for a CISO to develop meaningful and useful relationships with all of these individuals. But after putting in the effort to build these partnerships, CISOs can not only better foresee information security threats and weaknesses but also identify opportunities where security can help the business grow.