Today’s CISO looks a lot like a football coach. Both must have a vision of success. Both need to build a team and earn the respect of their players. And both are judged on performance.
In football, the main measure of performance is victory, including all the steps necessary for victory: first downs, successful passes, turnovers, touchdowns. What does performance mean for today’s CISO?
Well-known key performance indicators, such as mean time to recovery (MTTR), number of breach attempts, and cost per incident, are all important in ensuring business security and compliance. But at a higher level, we believe that if CISOs can master the following three areas of cybersecurity – security posture, access management, and cybersecurity training – they will be able to deliver Super Bowl-level performance (or at least make the playoffs).
3 keys to a successful cybersecurity plan
“Security posture” has become a buzzword, but it is nonetheless an important measure of how effectively an organization can detect, respond to, and prevent cyber threats.
Ironically, however, there is no single metric that measures “security posture”. Rather, it is a composite of the number of vulnerabilities and threats across your IT environment, the severity of those vulnerabilities and threats, and how quickly you respond to them.
But a cybersecurity team’s view of critical threats and vulnerabilities is often limited to only activity within endpoints (laptops, desktops, and mobile devices).
This is where a security solution with extended detection and response (XDR) capabilities can be invaluable to a CISO’s cybersecurity plan. XDR provides a holistic view of threats and vulnerabilities across endpoints, email, servers, cloud workloads, and networks. XDR uses automation to sift through and correlate large volumes of threat data. It then surfaces fewer alerts, but with higher fidelity, across all security layers. This ultimately means reducing the number of false positives.
According to ESG, companies that implement XDR see 50% fewer successful attacks. For a performance-rated CISO, the ability to see the entire IT environment and respond to threats more quickly will help maintain a strong security posture.
Organizations often lack proper authentication and authorization rights for their employees. As we all learned when Edward Snowden leaked highly classified NSA information, it is dangerous to give privileged access to employees or contractors who do not need it to do their job.
As such, CISOs should pay close attention to the ratio of privileged users to non-privileged users. If there are too many privileged users in a company’s IT environment, the company is exposed to insider threats. Additionally, privileged users are a goldmine for malicious hackers, giving them access to more sensitive data if they can steal privileged users’ login credentials.
Most CISOs now follow the principle of least privilege, where IT grants users the permissions they need to do their job, and nothing more. But many cybersecurity teams still manually monitor privileged users by performing user access audits once a year. To prevent another Snowden, there should be an automated process to disable credentials whenever privileged users leave the company or even move within the organization.
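As an added illustration (not code from the original post), the following Python script reconciles privileged accounts against an HR roster the way the automated process above would: it computes the privileged-to-total ratio as a KPI and flags privileged accounts whose owner has left or moved to a department that does not justify the role. The role-to-department mapping and all user records are constructed sample data.

```python
# Added example: automate the privileged-user check the post recommends
# instead of a once-a-year manual access audit. All data below is constructed.
from dataclasses import dataclass

PRIVILEGED_ROLES = {"domain_admin", "cloud_admin", "db_admin"}
# Department that justifies each privileged role (assumed mapping for the example).
ROLE_DEPARTMENT = {"domain_admin": "it", "cloud_admin": "it", "db_admin": "data"}

@dataclass(frozen=True)
class Account:
    user: str
    role: str        # role granted in the identity provider
    enabled: bool

@dataclass(frozen=True)
class HrRecord:
    user: str
    status: str      # "active" or "left"
    department: str  # department the person currently belongs to

def privileged_ratio(accounts):
    """KPI from the post: share of enabled accounts holding a privileged role."""
    enabled = [a for a in accounts if a.enabled]
    if not enabled:
        return 0.0
    priv = sum(1 for a in enabled if a.role in PRIVILEGED_ROLES)
    return priv / len(enabled)

def accounts_to_disable(accounts, hr):
    """Enabled privileged accounts whose owner left, is unknown to HR, or moved."""
    hr_by_user = {r.user: r for r in hr}
    flagged = []
    for a in accounts:
        if not a.enabled or a.role not in PRIVILEGED_ROLES:
            continue
        rec = hr_by_user.get(a.user)
        if rec is None or rec.status != "active":
            flagged.append((a.user, "left_or_unknown"))
        elif rec.department != ROLE_DEPARTMENT[a.role]:
            flagged.append((a.user, "moved_department"))
    return flagged

# Constructed sample data: one admin moved teams, one admin left the company.
ACCOUNTS = [Account("alice", "domain_admin", True), Account("bob", "db_admin", True),
            Account("carol", "cloud_admin", True), Account("dave", "user", True),
            Account("erin", "user", True), Account("frank", "domain_admin", False)]
HR = [HrRecord("alice", "active", "it"), HrRecord("bob", "active", "marketing"),
      HrRecord("carol", "left", "it"), HrRecord("dave", "active", "sales"),
      HrRecord("erin", "active", "sales")]
```

Running `accounts_to_disable(ACCOUNTS, HR)` on this data returns bob (moved out of the data team) and carol (left), while the already-disabled frank is ignored.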
The need to automate access rights has spawned the zero-trust security approach. The appeal of zero trust for CISOs is that it validates the risk and health of each user or device before connecting them to a network. Once the connection is established, a zero-trust architecture continuously monitors the health of the device, user identity, or application. If anything changes, the connection is automatically terminated to limit the impact if a malicious hacker takes control of a user account.
Just like with XDR for detection and response, a zero-trust approach to managing user access gives CISOs the visibility, automation, and continuous monitoring to stay ahead of data breaches.
Human error is the primary cause of 88% of data breaches. Whether it’s your employees, your executives, or your IT and security teams, people make mistakes that malicious hackers are waiting to exploit. Consistent training is essential for any successful cybersecurity plan.
Training will be different for each department – from training staff to identify business email compromises (BECs) and phishing scams, to ensuring IT teams have the appropriate skills to perform vulnerability assessments or deploy virtual patches – but company-wide security awareness training is a great way for a CISO to unite the organization and boost morale.
Here are two cybersecurity training best practices for CISOs to keep in mind:
- Make training relevant to each person’s job responsibilities so people don’t see training as just another job obligation. For example, executives need to be made aware of the financial and reputational damage caused by a data breach, while employees should be trained and tested on how to spot and report phishing attacks.
- Make sure the awareness training works. No single indicator can measure the effectiveness of cybersecurity awareness training. However, CISOs should look for concrete outcomes from the training. This could include an increase in the number of employees reporting phishing attacks or a decrease in actual security breaches.
Consistent cybersecurity awareness training ties into the culture we discussed earlier. High-performing CISOs know that to create a cybersecurity-focused culture, everyone needs to operate by the same playbook and feel like they’re contributing to business security.
High-performing visionary CISOs
Every successful football manager has had to become a successful visionary who can focus on the details of victory, but also see the bigger picture better than their opponents.
Along the same lines, winning CISOs need to see the details by tracking standard security KPIs while monitoring the big picture with an XDR-based cybersecurity plan, zero trust, and cybersecurity training. CISOs who can expertly balance job detail and strategy will be the high-performing visionaries that digital businesses need more than ever.
For more information on managing cyber risk, see the following resources: