CYBER BUDGET
A new Chief Information Security Officer (CISO) has more problems to confront at the workplace than most people know. In a typical day, he faces skills shortage, infrastructure complexity and glitches related to compliance and regulation. On top of these is the most nagging paucity of funds.
No wonder then most of the CISOs are skeptical about the results of their efforts. In a survey of more than 500 CISOs, 67% believed that their company lacks the ability to ward off a data breach. More than 50% believed that their organization was unable to protect their data from unauthorized access. Much worse was their admission that businesses have not kept pace with the level of sophistication and technology used by hackers. This unfortunate state of affairs is enough incentive for hackers to launch more attacks and be more daring in their occupation.
On the opposite side, the new CISOs are left to brood over the future of security. They worry and fret all the time about the steps they will have to take to set
the security program in motion. More than 66% of CISOs interviewed thought that their jobs would be more stressful.
Here are some recommendations which should enable a CISO to keep pace with the demands of information security governance.
WORKING WITH FRAMEWORKS
To begin with, a new CISO has to make a decision about choosing a framework. It can be ISO, COBIT or NIST. This is an essential step in setting up an effective and speedy information security program for the organization.
Frameworks cut out tedium while implementing information security processes and procedures. Frameworks have predetermined procedures which eliminate the need to work out details at every step.Among the three frameworks mentioned above, ISO is widely accepted across the globe. While ISO 27001 provides control for information security program certification, ISO 27002 supplements it by working on the detailed requirements placed by ISO 27001. In essence the ISO 27000 series of quality controls relates to different aspects of information security.With any of these in place, the security needs of an organization are fulfilled and there is a provision to easily determine future strategy on information security.
THEORY AND PRACTICE
A properly designed IT infrastructure is key to a safe system. The configuration of firewalls and servers depends on the infrastructure. Regular review of firewalls and server configurations is a routine exercise and a proper procedure to ensure smooth functioning of the system. In some businesses and organizations such facilities do not exist. Such companies are advised to install and implement a system that ensures trouble free operations.
A facility of vulnerability scans and penetration tests is also an important to remain alert to the dangers that lurk around large and small businesses. Vulnerability scans and penetration tests are in fact initial steps toward deep dive inspection of the systems installed at the businesses and organizations.Having a sound technology base is fine but an equally important aspect of the whole exercise is to provide the employees and staff members with knowledge base which would enable them to comply with the recommended practices. A set of policies must be in place about password management, access management and other business practices. Without well-defined policies, it is not possible to protect an organization’s information assets. But in doing so, it is also important to avoid rigmarole which would make a jumble of policies and procedures. Policies and procedures should remain separate areas. Procedures are transient in nature. Organizations face functional difficulties and change in procedures is fairly. That is exactly not the case with policies.
A CISO is responsible for making sure that the policies are first enunciated and then practiced.
RULES OF GOVERNANCE
Coordination and cooperation across all departments of the organization are fundamental traits for a successful information security operation. It is essential for all concerned staff members to review the policies and offer their own perspective. This is of immense help in formulating guidelines that suit every area of activity, not merely the IT department.
Soon after evoking interest of all departments of the organization, a CISO would attempt to form a governance committee drawing representatives from audit, legal, C suite and several other departments of the organization. The governance committee works with an aim to provide different angles that help in formulating an effective policy. And this paves the way for a long term management and training program related to cyber security.
AWARENESS AND TRAINING
All employees have an innate tendency to demonstrate their loyalty to the organization. They are always willing to comply with the rules and guidelines if they are
aware of them. A CISOs job is to streamline the processes and procedures.
A CISO needs to establish an all encompassing security training that prepares every employee to follow rules within the parameters of his scope of work. In essence, the training awareness would be audience-based which implies that a CISO will address his IT staff differently from, say, a finance employee. To an IT professional, a CISO would talk about cyber security policies, servers or routers from the technical standpoint. In contrast, he would talk about password management, phishing and avoiding suspicious links when addressing general employees who do not have a deep understanding of
IT or cyber security matters.
THE AWARENESS AND TRAINING PROGRAM SHOULD BEGIN RIGHT WHEN A NEW EMPLOYEE JOINS THE ORGANIZATION.
A CISO would make sure that new inductees are clearly informed about procedures to follow in matters of information security. The time is just right because it is easy to drill in the information when new employees do not have pre conceived notions about the procedures. Once they are imbibed in the minds, they will become their innate qualities
C-SUITE FACTOR
The first step a new CISO takes soon after joining an organization is to develop a rapport with the cluster of most important and influential senior executives, commonly referred to as the C-suite. A deep understanding of how they conduct their business, set priorities and liaise with their colleagues or other department heads is something that puts the CISO in good stead. That will make the task of implementing information security guidelines easy and smooth.
Corporate culture isn’t something uniform everywhere. It differs from one place to another in many ways because of the individual characters that make up the organization. Once a newly inducted CISO gains that knowledge, especially the part that relates to the C-suite, the roadmap becomes clear and the job of implementing policies and processes would be a breeze. Immediate establishment of frameworks, for instance ISO 27000 series, creates an impression of being organized and purpose driven. This perception is important for it wins the cooperation and willingness of the all important and influential cluster of individuals that steers the organization. The C-suite.
FINAL WORDS
A new CISO’s job is challenging and hectic from day one. He should define short and long term goals and get to work on them immediately. It is common sense that everything would not change in one go. It will take time.
A new CISO makes sure that his journey toward a secure and safe workplace, where information assets are jealously guarded, starts from the day he joins the organization.