Adam Burns, Director of Cybersecurity at Digital Guardian by HelpSystems, offers some top tips for building a culture of cybersecurity and ensuring productive communication between the CISO and the board.
Technology is no longer just the backbone of a business; it is the driving force. The complex set of skills required to advance an organisation in this challenging digital age – against a backdrop of brand-crushing security challenges – is immense.
The CISO (Chief Information Security Officer) is a critical business advisor who leads security teams to compose strategies, select solutions and drive those strategies forward. Aligned to business objectives, they collaborate at board level on security strategy, cyber-risk and building security into Digital Transformation. They ensure security runs right throughout the business and their role is continually evolving.
For years, the CISO’s value wasn’t truly recognised, but the role has since grown to become an integral part of many executive boards. Yet in some organisations the CISO-board relationship still isn’t there, or the CISO isn’t getting the airtime they deserve.
For boards, it’s worth understanding the vital security needs for safeguarding a business’s biggest assets and its reputation. While different facets of the business have their own vested interest in security, it’s critical to take a holistic approach and give the CISO the autonomy to make critical security-related changes company-wide – for several reasons:
Investment in cybersecurity protection
Global cybersecurity spending increases each year in line with the increasing scale of security threats. ISG Research reports that cybersecurity spending has nearly doubled year on year. It accounted for 4.7% of total IT spending in 2020, up from 2.5% in 2019. Yet many organisations still don’t invest enough to be adequately protected.
Insufficient cybersecurity budgeting is risky and can open up weaknesses across the organisation. Those with outdated technology have reduced visibility across their ecosystem, leaving arguably their biggest asset – data – exposed to threats. Investing in security skills and building a robust team is vital if the organisation is to use the latest technologies, such as AI and machine learning, to detect and act on suspicious activity or threats as soon as they arise.
Getting to grips with realistic metrics
Security teams are regularly asked to provide figures for how many breaches they prevent every month across the perimeter and endpoints, but it’s difficult and misleading to give these figures. Unfortunately, these numbers aren’t representative of the genuine hard work of the team. It’s better instead to set metrics which can build trust, which might include details such as:
• Threat dwell time – The duration the adversary is in the system prior to discovery
• Patching and vulnerability – The time taken for the team to fix a finding or release a security patch
• Mean time to closure
• The number of incidents the team has detected and resolved
• The measured results of newly integrated security products or initiatives, such as Multi-Factor Authentication or phishing awareness training.
Building a culture of cybersecurity
Responsibility for cybersecurity extends way beyond the CISO, across the security team and to every IT user in the organisation, from executives to interns, and even to wider network stakeholders such as business partners. Therefore, CISOs must build a culture in which all team members share the vision and goals of the programme and are clear on their individual role in safeguarding the company. It’s most effective when this messaging comes from the top down.
It’s important to maintain continuous training while managing a new security initiative, especially when onboarding new employees. A risk assessment performed together with phishing exercises will keep security front of mind for employees.
Any organisation which operates in silos will find it harder to strengthen security across the business. If every part of an organisation is interwoven with the others, with shared security goals, that organisation will always work hardest to protect its assets.
The CISO will be the biggest influence on company security behaviour and decisions. When workers are stuck in their ways, it can be a challenge, but tightening up vigilance and promoting a security-first culture across every department and job role will keep the hackers at bay.
Aligning your cybersecurity strategy to an acceptable framework
Increased security doesn’t happen overnight. It’s a long-term strategy, and building a robust platform involves not only expert technology but also the values and integrity of the company’s workers.
It’s a great starting point for the CISO to identify and share with the board how advanced the organisation currently is in terms of control maturity. This will help to develop a plan to achieve higher levels of maturity over time.
At a national level, the UK’s National Cyber Security Centre (NCSC, the UK counterpart of the National Institute of Standards and Technology, NIST, in the US) works to make the UK the safest place to live and work online. Its Cyber Assessment Framework (CAF) was originally developed in 2018 as part of the NCSC’s support for the UK implementation of the EU NIS Directive. This framework helps to set the standard in cybersecurity.
Whether a CISO is an active participant in board meetings or not, the industry is increasingly aware of the huge business impacts of security breaches. More needs to be done to create a culture of security and to empower the CISO as a valued leader within the boardroom and the business.