Security maturity – getting beyond the blame game

16th April 2020

Stuart Reed
VP Cyber

The CISO role is changing. Where once the responsibilities were mainly technical, today’s cyber chief communicates at every level inside the business, and sometimes outside as well.

That can mean putting customer concerns about privacy or supply chain vulnerabilities to rest, speaking to the press as an expert source on the implications of an exploit, or explaining the steps they’ve taken to mitigate the consequences of an attack.

As the CISO role matures, the organization’s understanding of what CISOs actually do has to evolve as well.

He or she is more than just a highly-skilled technician using the latest technology to do battle with attackers. Yet when a breach does occur, the CISO is still seen by many insiders as the only responsible party.

That has to change.

Achieving a mature security posture requires having a mature understanding of the cyber threat – and accepting that it’s bigger than any one woman or man.

Getting past cyber defenses is a global industry, employing tens of thousands of highly-skilled, highly-motivated and tenacious individuals. Some are criminals and simply in it for cash; others are senior IT professionals acting on behalf of national governments.

Of course, you still have to get the basics right: good password hygiene, patching your systems promptly, understanding where your data is at any given point in time. Those requirements are foundational and need to happen, but their importance should be recognized across the business rather than left to the security team alone.

Responsibility for cyber security isn’t confined to an individual, department or function. Boards are waking up to the broader relevance of the CISO role and how critical it is to organizational success. However, many senior executives still don’t realize that they themselves play a role in ensuring good security posture.

They need to support a program of ongoing investment in technical capability but also be fully behind attempts to build a culture of cyber awareness across the companies they run.

To be successful, today’s CISO needs to feel empowered, supported and enabled by the board. That’s the only way to ensure they can lead effectively and implement the measures needed to strengthen security.

Defining the role of cyber security in the organization

Cyber security must play a fully integrated role, especially as we become far more reliant on digitization. Even the most traditional industries are now embracing digital technology to stay relevant in their existing markets. Sometimes it's because new competitors are disrupting their traditional models; in other cases they want to move into new markets or take advantage of new revenue opportunities. As you embrace the strategic nature of digitization, your digital attack surface broadens, and every new system, integration and exposed interface is another entry point for bad actors to take advantage of.

Staying secure in the cloud

Organizations need to be concerned about cyber security, full stop. Cloud should be no different in terms of the overall approach. Anything that requires a digital touchpoint, whether that's on-premise, in the cloud or part of a hybrid approach, requires due diligence. You have to understand the implications of the decisions you're making as an organization when new digital initiatives are on the agenda. In a cloud model the provider secures the underlying infrastructure, but the configuration, identities and data remain your responsibility, so understanding how to sustain visibility of potential threats there, and retaining that level of control and accountability, is really important.

People or technology?

People ultimately define any organization, and the notion of collective cyber responsibility is one that needs to become front of mind. Everybody has a role to play in the security posture, so educating your employees, having them understand precisely the role they play, and supporting that with the right processes is vital. Of course, that needs to be underpinned by the right level of technology to help those with primary responsibility for mitigating or closing down vulnerabilities.

Raising and sustaining visibility of potential threats

We're speaking to CISOs about the need for a broader network detection and response capability, and how to maintain it regardless of how wide the perimeter spreads. Trust is a recurring theme in these conversations, as they need to trust that whoever they're bringing in from a technology perspective can deliver what they need, or enhance the security posture on their behalf. That's where a defense solution which uses DNS really comes into play: almost every connection begins with a name lookup, so tell-tale signs of suspicious or malicious intent, such as hosts resolving random-looking, algorithmically generated names or sending unusual volumes of lookups to a single domain, can be observed there before the payload traffic follows. If you're able to analyze DNS traffic, you're able to attain early warning signals, step in front of them and mitigate the impact.
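As an added illustration of the kind of early-warning analysis described above (this is example code written for this page, not the vendor's product or any code from the original article), the script below runs two cheap indicators over a DNS query log: the entropy and length of the leftmost label, which catches encoded payloads and algorithmically generated names, and the number of distinct subdomains a single client asks for under one registered domain, which catches tunnelling and beaconing. The log format, the sample lines and the thresholds are all assumptions constructed for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not taken from the page). Assumed format:
# "<timestamp> <client_ip> <qname> <qtype>", one query per line.
# The 10.0.0.9 lines imitate a host emitting random-looking subdomains under
# one registered domain, the pattern seen with DNS tunnelling and DGA beacons.
SAMPLE_LOG = """\
2020-04-16T09:00:01Z 10.0.0.5 www.example.com A
2020-04-16T09:00:02Z 10.0.0.5 mail.example.com A
2020-04-16T09:00:03Z 10.0.0.7 cdn.example.org AAAA
2020-04-16T09:00:04Z 10.0.0.9 a8f3k2l9q1z7x4m2.bad-example.net TXT
2020-04-16T09:00:05Z 10.0.0.9 zz91kq0pl3mn7vb2.bad-example.net TXT
2020-04-16T09:00:06Z 10.0.0.9 qwe4rt5yu6io7pa8.bad-example.net TXT
2020-04-16T09:00:07Z 10.0.0.9 lk9jh8gf7ds6ap5o.bad-example.net TXT
2020-04-16T09:00:08Z 10.0.0.9 mn3bv2cx1zl0kj9h.bad-example.net TXT
this line is malformed and should be skipped
2020-04-16T09:00:09Z 10.0.0.5 www.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive registered-domain cut: the last two labels.
    Production code should use the Public Suffix List (think co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Return (timestamp, client, qname, qtype) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def analyze_dns_log(log_text, entropy_threshold=3.5, min_label_len=12,
                    fanout_threshold=5):
    """Two cheap indicators over a query log.

    high_entropy_labels: queries whose leftmost label is long and
        random-looking (encoded payloads, DGA names).
    subdomain_fanout: (client, registered domain) pairs that queried at
        least fanout_threshold distinct leftmost labels, which ordinary
        browsing rarely does against a single small domain.
    The thresholds are assumptions; tune them against your own baseline.
    """
    high_entropy = []
    fanout = defaultdict(set)
    skipped = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:          # never let a malformed line abort the run
            skipped += 1
            continue
        ts, client, qname, qtype = rec
        leftmost = qname.lower().split(".")[0]
        fanout[(client, registered_domain(qname))].add(leftmost)
        ent = shannon_entropy(leftmost)
        if len(leftmost) >= min_label_len and ent >= entropy_threshold:
            high_entropy.append({"timestamp": ts, "client": client,
                                 "qname": qname, "qtype": qtype,
                                 "entropy": round(ent, 3)})
    fanout_hits = sorted(
        (client, reg, len(labels))
        for (client, reg), labels in fanout.items()
        if len(labels) >= fanout_threshold)
    return {"high_entropy_labels": high_entropy,
            "subdomain_fanout": fanout_hits,
            "skipped_lines": skipped}


if __name__ == "__main__":
    report = analyze_dns_log(SAMPLE_LOG)
    for hit in report["high_entropy_labels"]:
        print("high-entropy label:", hit["client"], hit["qname"], hit["entropy"])
    for client, reg, n in report["subdomain_fanout"]:
        print(f"fan-out: {client} queried {n} distinct subdomains of {reg}")
    print("skipped lines:", report["skipped_lines"])
```

On the sample, only 10.0.0.9 trips both indicators; the ordinary www, mail and cdn lookups score far below the entropy threshold and fan out to at most two names per domain. Either indicator alone produces false positives (CDNs and cloud services legitimately use hashed hostnames), so in practice the two are combined and compared against a per-organization baseline before anyone is paged.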