Today's CISO is a lot like a football coach. Both need to have a vision for success. Both need to build a team and win over the respect of their players. And both are judged on performance.
In football, the main performance metric is wins, including all the steps that go into winning: first downs, completed passes, turnovers, touchdowns. What does performance mean for today’s CISO?
Well-known KPIs, such as mean time to recovery (MTTR), number of intrusion attempts, and cost per incident, are all table stakes in keeping a business secure and compliant. But at a higher level, we believe that if CISOs can master the following three cybersecurity areas – security posture, access management and cybersecurity training – they’ll be able to deliver Super Bowl-level performance (or at least make the playoffs).
3 Keys for a Successful Cybersecurity Plan
“Security posture” has become a buzzword, but it is nonetheless an important measurement of how effectively an organization can detect, respond to, and prevent cyber threats.
Ironically, though, there’s no one metric to measure “security posture.” It’s more a culmination of the number of vulnerabilities and threats across your entire IT environment, the severity of those vulnerabilities and threats, and how quickly you respond to them.
But a cybersecurity team’s view of critical threats and vulnerabilities is often limited to just activity within endpoints (laptops, desktops, and mobile devices).
This is where an security solution with extended detection and response (XDR) capabilities can be invaluable for a CISOs’ cybersecurity plan. XDR provides a holistic view of threat and vulnerabilities across endpoints, email, servers, cloud workloads and networks. XDR uses automation to sift through and correlate volumes of threat data. It then shores up fewer – but higher-fidelity alerts – across all security layers. This ultimately means wedding out the number of false positive alerts.
According to ESG, companies that implement XDR see 50% fewer successful attacks. For a CISO evaluated on performance, the ability to see the entire IT environment and respond faster to threats will help maintain a strong security posture.
Organizations often do not have proper authentication and authorization rights in place for its employees. As we all learned when Edward Snowden leaked highly classified information from the NSA, it’s dangerous to give privileged access to employees or contractors who don’t need it to do their jobs.
As such, CISOs need to pay close attention to the ratio of privileged users to non-privileged users. If there are too many privileged users in a company’s IT environment, the business opens itself up to insider threats. Additionally, privileged users are a gold mine for malicious hackers, giving them access to more sensitive data if they can steal the login information of privileged users.
Most CISOs now follow the principle of least privilege, where IT grants users the permissions they need to do their jobs, and nothing more. But many cybersecurity teams still monitor privileged users manually by doing once-a-year user access audits. To avoid another Snowden, there should be an automated process to turn off credentials whenever any privileged users leave the company or even move around within the organization.
The need to automate access rights has spawned a zero trust security approach. The appeal of zero trust to CISOs is that it validates the risk and health of every single user or device before connecting them to a network. After the connection is made, a zero trust architecture continually monitors the health of the device, user identity or application. If anything changes, the connection will be automatically terminated to limit the impact if a malicious hacker takes over a user account.
Much like with XDR for detection and response, a zero trust approach for managing user access gives CISOs the visibility, automation and continuous monitoring to stay ahead of data breaches.
Human error is the major cause of 88% of data breaches. Whether it’s your staff employees, your executives or your IT and security teams, people make mistakes that malicious hackers are waiting to exploit. Consistent training is a must-have for any successful cybersecurity plan.
Training will look different for each department — from educating staff on identifying business email compromise (BEC) and phishing scams, to ensuring IT teams have the proper skills to do vulnerability assessments or deploy virtual patches — but company-wide security awareness training is a great way for a CISO to unite the organization and boost morale.
Here are two cybersecurity training best practices for CISOs to keep in mind:
- Make the training relevant for each person’s job responsibilities so people won’t view training as another work obligation. For instance, executives should be educated on the financial and reputational damage caused by a data breach. Whereas employees should be trained and tested on how to spot and report phishing attacks.
- Ensure awareness training is working. No single metric will be able to measure the effectiveness of cybersecurity awareness training. However, CISOs should look for real world results in the wake of training. This could include an increase in employees reporting phishing attacks or a decrease in actual security breaches.
Consistent cybersecurity awareness training ties back to the culture buy-in discussed earlier. High-performing CISOs know that to create a cybersecurity-minded culture, everyone needs to be operating out of the same playbook and feel like they’re contributing to the company’s security.
The CISOs as high-performing visionary
Every successful football coach has had to grow into a high-performing visionary who can focus on the details of winning but also see the big picture better than opponents.
In the same vein, winning CISOs must see the details by tracking standard security KPIs while monitoring the big picture with a cybersecurity plan based on XDR, zero trust, and cybersecurity training. CISOs who can deftly balance the details and the strategy of the job will be the high-performing visionaries that digital enterprises need now more than ever.
For more information on cyber risk management, check out the following resources: