Four Guiding Pillars For CISOs

Chuck Brooks

For any CISO, keeping up with cybersecurity threats is akin to counting grains of sand on the beach. The threats come from a range of criminal enterprises and adversarial nation states. A changing cyber risk environment has brought with it a heightened need for threat awareness and information sharing.

In a typical CISO role, there are a wide variety of architectures, systems, and jurisdictions to navigate. Adapting and scaling to new security technologies and processes poses a significant obstacle to assimilating them. Unfortunately, many core IT and cybersecurity requirements are difficult to meet due to a lack of resources.

The good news is that a lack of resources can be offset by integrated technologies, organizational planning, and a focused mission built on a framework of four guiding pillars for the CISO.

The four guiding pillars are: risk management, responsibility, communication, and expertise.

4 Pillars
  1. At its very core, the practice of cybersecurity is risk management. It requires vigilance and encompasses educating employees, identifying gaps, assessing vulnerabilities, mitigating threats, and maintaining up-to-date resilience plans for responding to incidents. CISOs should have a working understanding of risk management (and risk exposure) and context on the array of threats and threat actors. They should also be knowledgeable about the guiding axiom of the National Institute of Standards and Technology (NIST) Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover.
  2. Cybersecurity is a responsibility. Its elements include policies, processes, and technologies. Every company is unique in culture, mission, and capabilities, but in terms of cybersecurity, management (including board members) and employees are accountable for overseeing those elements. A requirement for every CISO should be instilling in leadership that cybersecurity must be treated as a company priority.
  3. Cybersecurity’s backbone is effective communication. The CISO, CTO, CIO, and executive management must align strategies, collaborate, and regularly assess their information security programs, controls, and the safety of their networks. Communication enables readiness by sharing intelligence on threats and on new security innovations. Security awareness training is also an important mandate for everyone at any company, especially the board. An energized workforce that actively helps defend the company can make a huge impact in reducing the company’s risk profile. The CISO needs to be the general coordinating communications among all cybersecurity components and employees.
  4. Cybersecurity requires expertise. Ideally, a company should draw on a blend of internal and outside subject matter experts (SMEs). SMEs should be required to report to the CISO as well as to others in the company’s senior leadership. It is always useful for executive management to get perspectives and ideas from experts on the outside; it helps avoid complacency. Areas of special knowledge should include:
  • legal
  • compliance
  • cybersecurity technology solutions and services
  • training
  • resilience
  • liability insurance
  • governance
  • policy

Information security management should include people with expertise in the ISO 27001 standard and a knowledge of best practices. Prudent policy advice necessitates that companies develop strong relationships with government. The passage of the Cybersecurity Information Sharing Act in 2015 promotes public/private cooperation on sharing threat data, especially with the Department of Homeland Security.

Beyond relationships with government, CISOs should be actively engaged in one or more peer-to-peer (P2P) groups to provide and receive support from leaders who share the common mission of defending and strengthening their cyber readiness. Threats facing government and private/public companies are very real for organizations of all sizes, and it is important to come together across all business types and sizes, as these attacks will continue to increase and evolve, finding new ways to avoid detection capabilities. You have heard the saying 1+1=3; essentially it means that P2P collaboration among a diversity of people, ideas, and experiences leads to solutions that benefit everyone.

Co-Written by Kathie Miley 

Chief Experience Officer