Time has certainly altered my perspective, but I think we can all agree the world has changed incredibly in just the last few months. The good news is that, while many of us have been through significant changes or challenges in our past, we have always found a way to recover. Like every seasoned professional, I have gone through my share of challenges — including my first day as a CSO, when I found myself responding to one of the largest recorded data breaches at the time. It was something I had never gone through before; being interviewed by the FBI before I had settled into my office was not something I had expected. It taught me that in adversity, planning and response matter. In today’s technology-driven world, the best CISOs are demonstrating their resiliency, agility and effectiveness by reevaluating their security programs with a critical eye. CISOs are taking the time to carefully assess the capabilities and effectiveness of their programs in order to ensure that they are successful.
Protiviti has developed The Evolving Role of the CISO, a comprehensive roadmap for technology security leaders who are looking to reevaluate their programs and navigate a new path to future success. It is the perfect tool for CISOs to use in what has become the new normal:
- Revisit the organization’s risk profile
- Inventory data and physical assets
- Reevaluate security spend and monitoring controls
- Reevaluate security architecture in cloud migrations
- Assess critical infrastructure environments
- Revisit automation and orchestration
- Improve identity lifecycle management
- Improve management of third-party access
Plan and Control
For most CISOs, one of the first tasks at hand is to build out a security program. A security program ensures that organizational assets are properly protected, and the way one is built hasn’t changed all that much over time. It begins with choosing a commonly known framework — why build from scratch when it is possible to begin with a solid foundation? There are many excellent frameworks to choose from, including NIST 800-53, NIST CSF, ISO 2700, NERC 130 or ANSI/ISA 62443. Initially, most security programs were compliance-aligned: programs enacted to check a box and successfully get past the compliance audit. Today’s leading security programs are far more. They are aligned to business objectives and security risks in near real time as a true business enabler. They are living and breathing programs that continually evolve as they mature with ever-changing threats over time, driven by leaders with the passion to do what is right for their organization.
Now don’t get me wrong: no single program is perfect. All programs are effective in some areas and deficient in others. Some are very good at tactical areas and struggle with strategic ones. But great leaders periodically reassess. Today’s preeminent security programs change as business objectives and threats change, and they bake security into everything they do, reassessing people, process and technology.
Most CISOs operationalize their security programs and perform an annual maturity assessment (which everyone should be doing), but it’s tough to do so in the middle of monumental global change. We regularly recommend CISOs reassess their security programs to really understand what is working and what is not. I recall a conversation I had with the head of the audit committee of a Fortune 100 company a few years back. I was the organization’s interim CISO and I was meeting this person for the very first time. As I was shaking his hand he said, “I haven’t invested in security for 20 years, why should I start now?” I was taken aback by his question; surely he had spent something on security in the past 20 years? This organization had the same security tools every other company had, but they had no real program, and the head of the audit committee was telling me they were not going to change. This company had no idea what was occurring on their network, in their applications or with their employees and partners. It was pure chaos. Their program was certainly ineffective.
The “New Normal”
Change or reassessment isn’t always easy; it might seem to pale against the backdrop of our turbulent times. But change, reevaluation and evolution are healthy for an organization. CISOs need to periodically take the time to reevaluate their security programs. Is there an effective security program in place that builds security into everything it does? Is the organization’s security program doing what it should? Is it effective at protecting what is critical to the organization? If a CISO needs more than a few seconds to respond, then it is time to reevaluate.
Initial steps to start that reevaluation include:
- Identify top business priorities in the “new normal” and align and deploy strategies to enable long-term security resiliency
- Consider conducting future contingency studies and identify ways the organization can be better prepared for the next “extreme but plausible” event
- Review expected ROI from initiatives and adjust plans accordingly
- Review and revise vendor contracts to better align to the “new normal”