John Pescatore, Director at SANS Institute and former Gartner fellow, proposed five valuable approaches that have come as lessons from his conversations with CISOs who have been successful at applying them in their organizations
The RSA Security Conference was full of lessons for the Chief Information Security Officers. At a session on 'Briefing the Board' spearheaded by John Pescatore, Director at SANS Institute and former Gartner fellow, he said that a lot of CISO or security professional don't do a wonderful job of briefing their security programs and strategies to the board of directors.
Often surveys have revealed that budget was security professionals' biggest stumbling block to adopting advanced security processes and technology in their companies. This is because the boards suffer at their CISO's inability to report and discuss the state of security in their organizations.
Pescatore proposed five valuable approaches that have come as lessons from his conversations with CISOs who have been successful at applying them in their organizations:
1. Get your basics right
Most successful CISOs have succeeded in protecting their companies and customers. Their companies weren't on the front pages or suffered a breach. Even if it did, they were able to control it. The CISOs must know their primary job of encryption, protection, incident response, etc.
2. Get other people to do their part
That's perhaps the biggest obstacle. A CISO might have the best intentions to improve the information security of his organization, but without the support of business line managers, IT admins, users or software developers, the CISO's efforts might go to waste. Therefore, "a good security program or strategy must convince people to do things well," said Pescatore.
3 Support from above is the most powerful force to break through
Some of the things that successful CISOs do well: a) Communicate with/report their boards and CEOs on the 'state of security' of the organization on a regular basis b) Get their support to change to increase security, introduce training programs c) Discuss why you need and what you need to improve the security. All these things also help them convince CEOs and boards to back a CISO's security strategies to drive change, said Pescatore.
4. Reduce your cyber incident impact
Almost invariably, organizations with the least cyber incident impact have the strongest CISOs and Security teams, said Pescatore. According to a survey conducted by SANS Institute in 2016, about 980 documented breaches took place in 2016 - a significant 20% growth in breaches from 2015. But 9,020 of the Fortune 10000 companies did not report a single breach. "What did they do differently?" asked Prescott. A lot of these big companies, though weren't able to prevent the breach, but were able to detect and rapidly mitigate the breach.