A practical approach
As a cyber security leader, I feel strongly about social issues related to human rights in the context of privacy, data protection and safe use of technology. I believe technology can be an enabler but also a potential cause of harm that needs to be considered.
I started volunteering with the CyberPeace Institute to leverage my cyber and technology skills to empower not-for-profit organisations to combat cyber threats and protect the communities they serve.
ISO 27001 is a widely adopted international standard that sets out systematic and adaptable approach to managing information security. It enables organisations to establish a culture of continuous improvement, staying ahead of emerging threats, and ensuring business resilience in the face of evolving cybersecurity challenges.
A new version of this standard – ISO 27001:2022 – was published on 24 October 2022. I recently led the transition to this version and wanted to share my key takeaways.
Not every conversation a CISO is having with the Board should be about asking for a budget increase or FTE uplift. On the contrary, with the squeeze on security budgets, it can be an opportunity to demonstrate how you do more with less.
To demonstrate business value and achieve desired impact, a CISO’s cyber security strategy should go beyond cyber capability uplift and risk reduction and also improve cost performance.
Security leaders don’t have unlimited resources. Significant security transformation, however, can be achieved leveraging existing investment and security resource levels.
Cyber security strategy and execution is one of the top priorities for a CISO. It helps articulate the value of security, provide clarity on short and long term goals and outline a cyber security uplift roadmap.
In this blog I recommend a proven step-by-step guide for developing a cyber strategy.
During one of my dives I pondered if there are any parallels we can draw between scuba diving and cyber security. They may seem like vastly different activities, but they share many important similarities. Both are dealing with unknown and often rapidly changing environments, where careful preparation, attention to detail and a focus are critical for success. I list some themes in this blog, feel free leave a comment to add your own.
How can security support the business? To answer this question in financial terms, I outline two sides of the story. On one hand, CISOs can demonstrate positive impact on the EBITDA through elevating security capabilities. On the other hand, we can list potential downsides of poor security practices from both revenue and cost perspectives.
It’s not about carrots and sticks, it’s about seeing the full picture of opportunity and risk.
I’m often asked what security control framework is the best. Spoiler alert – I don’t think there is one! No single framework is a silver bullet – they all have pros and cons. Some frameworks are highly-prescriptive and have a narrow scope – cardholder and account data for PCI DSS, for example.
SOC 2, on the other hand is more principled-based and doesn’t mandate specific controls but rather a Trust Services Criteria.
ISO 27001 is another popular choice: it’s a risk-based framework, although also has a set of example controls in the standard that many people chose to adopt.
NIST Cybersecurity Framework and its functions (Identify, Protect, Detect, Respond and Recover) can aid communication with business stakeholders but it has its limitations too.
Your particular industry may have other specialised sets of requirements, like NERC CIP for electric power grid in North America. The list goes on.
Many organisations are subject to multiple regulation and legislation simultaneously, having to adopt multiple frameworks and compliance regimes. If not managed appropriately, this can be labour-intensive to maintain and demonstrate compliance. It helps to recognise that often, although worded differently, controls from different frameworks aim to achieve the same objective, so it pays to maintain cross-framework control mapping to streamline your compliance program.
While achieving compliance with a security framework is often a necessary step in establishing a baseline level of security, it’s often not sufficient to mitigate modern threats.
Compliance frameworks were developed with a specific objective in mind – to reduce risk. And they can get you part of the way there, just not all the way. An organisation can be compliant but still insecure. Security leaders should go beyond compliance and move towards actively identifying and managing risks, focusing on the overall security posture and risk reduction to survive and thrive in the digital world.
Asset management is often regarded as the foundation of a security programme. You can’t protect something that you don’t know you have. This extends beyond internal systems to your organisation’s partners. Depending on the line of business, supply chains can get increasingly complex. They include vendors, manufacturers, retailers and distributors in multiple geographies and regulatory regimes. Securing such a network is no easy task and should start with visibility and careful risk management.
I previously wrote about the complexity of communication and the multi-faceted nature of the CISO role. Combining these perspectives, I would like to give an overview of what a communication strategy might look like for a security leader.
Knowing your existing assets, threats and countermeasures is a necessary step in establishing a starting point to begin prioritising cyber risk management activities. Indeed, when driving the improvement of the security posture in an organisation, security leaders often begin with getting a view of the effectiveness of security controls.
A common approach is to perform a security assessment that involves interviewing stakeholders and reviewing policies in line with a security framework (e.g. NIST CSF).
A report is then produced presenting the current state and highlighting the gaps. It can then be used to gain wider leadership support for a remediation programme, justifying the investment for security uplift initiatives. I wrote a number of these reports myself while working as a consultant and also internally in the first few weeks of being a CISO.
These reports have a lot of merits but they also have limitations. They are, by definition, point-in-time: the document is out of date the day after it’s produced, or even sooner. The threat landscape has already shifted, state of assets and controls changed and business context and priorities are no longer the same.
Cyber Security Leadership 