CISO NextCybersecuritySecurity

CISOs: Security Program Reassessment in a Dynamic World

Ron Kuriscak
September 16, 2020
4 min read

Changing Times   

Time has certainly altered my perspective, but I think we can all agree the world has changed incredibly in just the last few monthsThe good news is that, while many of us have been through significant changes or challenges in our past, whave always found a way to recover. As every seasoned professional, I have gone through my share of challenges — including my first day as a CSO, when I found myself responding to one of the largest recorded data breaches at the timeIt was something I had never gone through before; being interviewed by the FBI before I had settled into my office was not something I had expectedIt taught me that in adversity, planning and response matters. In todaytechnologydriven world, the best CISOs are demonstrating their resiliency, agility and effectiveness by reevaluating their security programs with a high level of criticality. CISOs are taking the time to carefully assess the capabilities and effectiveness of their programs in order to ensure that they are successful 

Protiviti has developed The Evolving Role of the CISO, a comprehensive roadmap for technology security leaders who are looking to reevaluate their program’s and navigate a new path to future success. It is the perfect tool for CISOs to, which has become the new normal:  

  • Revisit the organization’s risk profile 
  • Inventory data and physical assets 
  • Reevaluate security spend and monitoring controls 
  • Reevaluate security architecture in cloud migrations 
  • Assess critical infrastructure environments 
  • Revisit automation and orchestration 
  • Improve identify lifecycle 
  • Improve management of third-party access 

Plan and Control  

For most CISOs, one of the first tasks at hand is to build out a security program. Building a security program ensures that organizational assets are properly protected and building one hasn’t changed all that much over time. Building a security program begins with the choosing of a commonly known framework — why build from scratch when It is possible to begin with a solid foundation? There are many excellent frameworks to choose from, including NIST 800-53, NIST CSF, ISO 2700, NERC 130 or ANSI/ISA 62443. Initially, most security programs were compliance-aligned – programs enacted to check a box and successfully get past the compliance audit. Today’s leading security programs are far more. They are aligned to business objectives and security risks in near real time as a true business enabler. They are living and breathing programs that continually evolve as they mature with ever-changing threats over time. Driven by leaders with passion to do what is right for their organization. Now don’t get me wrong, no single program is perfect, all programs are effective in some areas and deficient in others. Some are very good at tactical areas and struggle at the strategic. But great leaders periodically reassess. Today’s preeminent security programs change as business objectives and threats change and bake security into everything they do, reassessing people, process and technology.

Most CISOs operationalize their security programs and perform an annual maturity assessment (which everyone should be doing), but it’s tough to do so in the middle of monumental global change We regularly recommend CISOs reassess their security programs to really understand what is working and what is not. I recall a conservation I had with the head of the audit committee of a Fortune 100 company a few years back. I was the organization’s interim CISO and I was meeting this person for the very first time. As I was shaking his hand he said, “I haven’t invested in security for 20 years, why should I start now?” I was taken back by his question; surely he had spent something on security in the past 20 years? This organization had the same security tools every other company had, but they had no real program and the head of the audit committee was telling me was they were not going to change. This company had no idea what was occurring on their network, in their applications or with their employees and partners. It was pure chaos. Their program was certainly ineffective.

The “New Normal”

Change or reassessment isn’t always easy; it might seem to pale in the backdrop of our turbulent times. But change, reevaluation and evolution are healthy for an organization. CISOs need periodically to take the time to re-evaluate their security programs. Is there an effective security program in place that builds security into everything it does? Is the organization’s security program doing what it should? Is it effective at protecting what is critical to the organization? If a CISO needs more then a few seconds to respond, then it is time to reevaluate. 

Initial steps to start that reevaluation include:  

  • Identify top business priorities in the “new normal” and align and deploy strategies to enable long-term security resiliency
  • Consider conducting future contingency studies and identify ways the organization can be better prepared for the next “extreme but plausible” event
  • Review expected ROI from initiatives and adjust plans accordingly
  • Review and revise vendor contracts to better align to the “new normal.”

 

To learn more about Protiviti’s Evolving Role of the CISO and our cybersecurity and privacy consulting solutions, contact us. 

Ron Kuriscak

Managing Director
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
17h

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More