One of Monday’s RSA sessions was focused on being a leader in Information Security in an organization. A variety of security leaders delivered a series of 45-minute presentations focused on developing and directing a successful information security program.
Bruce Bonsall spoke about the first 6 months on the job as a CISO/CSO at a new company. The major theme of his presentation was how important it is to understand the culture of your new organization and how to harness and work with that culture rather than working against it. He encouraged taking the time to ensure that you understand the business model of every business unit in the organization, to spend time building alliances and building credibility with people individually, and clarifying their key business challenges.
He cautioned that failing to understand the culture would make it very hard to get things done. He suggested looking for people whose agenda is in alignment with security issues, which can include auditors, HR, accounting, heads of business units, and the Chief Risk Officer, among others. It’s important to understand an organization’s risk appetite and to realize that different organizations have different capabilities to move new projects forward.
He recommended surveying the organization, taking inventory, and understanding all the information security assets that need protecting, and then understanding the vulnerabilities to those assets.
Next he recommended creating a charter and a mission statement, working with other departments to create it in order to get buy-in. The charter should be vetted all the way up to the CEO and possibly the board. The strategies that you implement should be built on the charter or mission statement.
He suggested finding a framework that fits your industry and using that framework to organize your plans.
Malcolm Harkins then spoke about the challenges of dealing with the board of an organization. He noted that 75% of boards currently have no part in reviewing security and privacy risks, that 32.5% of boards do not receive any infosec information, and that 55% of boards do not receive routine security updates. However, the increasing sophistication and number of cyber-attacks, and increasing government concerns that are driving new regulations, are pushing the issue up to a board-level concern. Harkins recommended understanding the business risks and translating security risks into business-relevant conversations.
Understand the consequences and impact of not implementing adequate security measures:
• To the organization
• To the shareholders
• To the customers
• To society
He also recommended looking for solutions that help prevent security issues, not just detect and respond to them.
JB Rambaud, managing director at Stroz Friedberg, spoke about incident response for cyber breaches. He noted that some boards are adding a board seat for someone with cyber security experience who has the expertise to ask the right questions of the CSO. He noted that it is important to know what both your external and internal threats are.
The point about internal threats reminded me of a statistic from PwC’s Global Economic Crime Survey for 2016, which states that “Almost half the incidents of serious economic crimes were perpetrated by internal parties.”
The report also states that “61% of CEOs are concerned about cyber security. But less than half of board members request information about their organization’s state of cyber-readiness.”
All of which reiterates the challenging job that CISOs/CSOs are taking on: ensuring the security of a modern organization.