There is a lot of literature on Cybersecurity nowadays, and therefore it is a real challenge to provide value when writing an article. The following lines go straight into precisely that: the sort of advice that comes with experience, successes and failures. Probably the sort of recommendations I would have liked to receive if I were starting my career in Cybersecurity now. This is for sure far from a complete CISO guide. It doesn’t intend to be so.
Missing the big picture
There is a clear risk of missing the big picture in terms of risk. And missing the big picture may drive you to make the wrong decisions: overstating the importance of something that from a global perspective is not so important, or overlooking a risk that is outstanding from a global perspective. This goes to the very core of risk management.
The recipe for this is to constantly make the effort of keeping the big picture in mind. Even if we may have to drill down to fully understand a certain risk, always go back to putting things into perspective: how important is this risk in the complete risk map of the company? Call it relativisation if you want.
Forgetting the basics
Fortunately enough, there is a huge amount of very valid information going around the internet and professional social media like LinkedIn that can help companies address their information security risks, particularly SMEs where there is very limited budget or no budget at all to spend on security consulting. All the better for those who can’t afford a consulting firm. But the point is: are you putting all this good advice into practice? E.g. you hear about patching, you hear about personnel awareness as the first line of defence. Do you have a good process in place to ensure timely and effective patching of all your servers and user computers? Are you monitoring it? Do you have a plan to address personnel awareness, with the right audiences, contents and advice? Again: are you monitoring it?
Sometimes it’s not rocket science; it’s just about not forgetting the basics.
What about Business?
A pharma business is different from a bank, from a retail manufacturer, from an online gaming company. A purely local company is different from a multinational company. Operating in India, Spain, the UK or the US are all different. Selling online is different from selling in traditional marketplaces. If you forget about the Business you are in and try to extrapolate plans and decisions from one company to another, you are bound to get it wrong.
Conclusion: get to know your Business and its context in order to make sound decisions when evaluating risks and their mitigation action plans.
Don’t get obsessed with budget benchmarks
The Business where you operate, the size of the Organization, the geographies where you operate, the Culture or mix of Cultures of your People, the risk level you have, your level of maturity, just to mention a few, are factors that determine what a reasonable budget for your company to devote to Security is.
Knowing what your peers do may be good, but obviously with the right context to understand the decisions they make.
Overstating Technology versus People and Processes
A technological background is probably the reason why many CISOs concentrate on what they are most familiar with: Technology. This is their comfort zone. But People and Processes are, or should be, a big part of what they deal with, and should receive as much attention as Technology.
Getting too enthusiastic about frameworks and standards
Frameworks and standards (NIST, ISO, etc.) provide structure, help us in maintaining the global picture, and avoid reinventing the wheel. All of these advantages are true. However, getting too enthusiastic about frameworks and standards may take you to the wrong decisions for your Organization. Some professionals may get a bit carried away by the “standard” recommendation and lose sight of what is really relevant in terms of risk mitigation, and what is not.
Get the best out of frameworks and standards, but do not become a slave to them.
Staying in the dark zone
In too many cases, the CISO ends up positioned in the dark zone, “the guy or lady that talks about firewalls and ransomware”. It’s time for the CISO to stand up, walk around, pick up the phone and get to know the Business leaders face-to-face. It's time to get known, and you’ll be adding more value to your Organization.
Producing the wrong indicators
When it comes to indicators, it is so easy to come up with the wrong information, to end up building a “cathedral” of indicators that mean nothing valuable to the Organization.
Even if you decide to use a standard approach like Norton and Kaplan, unless you inject a vast amount of common sense, you may end up with a lot of information that means nothing to the Organization. A common pitfall is to fall victim to the information you have available, as opposed to the information that is meaningful.
The right indicators are those that tell you precisely this: where are our most relevant risks today?
I hope that helped! Let’s get working.