CISO should redefine corporate security strategy

Evolution of the CISO

The role of the CISO has evolved over the last two decades. In the early 2000s, organizations required an information security officer to focus on regulatory compliance and on interaction with external auditors and business stakeholders to define IT security requirements; they coordinated audits to ensure that business processes were compliant. Around 2005, cyber risk was treated as IT risk, and the additional responsibilities of an IT security risk officer became part of the CISO portfolio, though the role still resided under the CIO business unit. Around 2010, adoption of social, mobile, analytics and cloud (SMAC) led organizations to define a corporate security strategy for the CISO office, focused on security policies and procedures, certifications and audits, governance, risk and compliance, physical and environmental security, access management and security event monitoring. After 2015, regional data protection acts, privacy regulations, an increase in data breaches and security incidents, and mergers and acquisitions led the CISO office to take on more responsibility for evaluating and adopting advanced security technologies across the defense-in-depth layers of the corporate environment.

We are heading into the age of digitization, where B2C and B2B business relies heavily on digital platforms. Cyber risk is now business risk, so CISO representation at board level is important for providing business solutions. Hence, in 2020, CISOs should redefine the corporate security strategy. This article focuses on the factors that need consideration.

Eight key factors to redefine Corporate security strategy

In an uncertain world, market perspectives change, so organizations need to consider whether their strategies remain valid in the short and long term. In corporate cyber security, the CISO office needs to think about how to utilize existing capabilities and build new ones to stay relevant in the market. Security leaders should think deeply in order to act fast. Strategy is still what it has always been: the art of taking action under the pressure of the most difficult conditions. The eight key factors that need consideration while redefining corporate security strategy are detailed below.

#1 – Multi Cloud Security

With increased adoption of cloud and the shared responsibility model, organizations are confused about the enforcement of cloud security controls such as vulnerability management, policy enforcement, security visibility, threat detection and investigation, identity and access management, data protection and continuous compliance. Traditionally, corporate security functions develop policies and procedures that are then implemented by the IT function. However, in the cloud, and especially in multi-cloud scenarios (across regions and providers including AWS, Azure, GCP, Alibaba, Oracle and IBM), the IT function has limited responsibilities, and it is important to understand cloud dynamics and economics while developing the security strategy in order to avoid cost overruns.

#2 – GenZ

The modern workforce in today's organizations was born after 1995 and is known as GenZ. They are a mobile-first, tech-savvy generation. They are more comfortable using collaboration tools such as WhatsApp than Microsoft Teams. They often do not care about privacy and acknowledge that their private information is already out on social media platforms. They use more than one device to connect to the corporate network and expect access from anywhere so that they can be more productive and empowered. Corporate security needs to consider the requirements of this social media generation as part of strategy development and execution.

#3 – Privacy

Developed nations have national cyber security strategies and have enforced privacy regulations and data protection bills/acts to secure their citizens' sensitive data such as personally identifiable information and health records. Corporate security strategy should consider the role of a data protection officer or information protection officer, based on the applicable privacy regulations, to fulfil the responsibilities defined within those legislative boundaries.

#4 – Breach Readiness

Corporate security strategy should include documented programs and drills conducted on 'assume breach' scenarios. This requires collaboration with various stakeholders to identify, detect, protect, respond to and recover from cyber security breaches. Organizations often lack expertise in breach response and struggle to recover from cyber attacks. CxO involvement during such situations needs to be carefully demonstrated to show preparedness for worst-case scenarios, should they occur.

#5 – IoT/ Smart Devices

Future business is increasingly interconnected through large numbers of sensors, IoT platforms and smart connectivity. Organizations should identify the presence of these devices within their corporate network and assess how access is granted, how communication is established and what kind of data/traffic is being exchanged. Corporate security should develop a strategy to manage the device life cycle from inception, through service fulfillment, to decommissioning.

#6 – DevSecOps

Digital consumption has increased like never before and has led businesses to develop applications that are available in marketplaces. The developer community adopts agile coding practices in CI/CD pipelines, which require automation and orchestration of application tools to perform tests. Developers often lack security expertise, do not think from the attacker's perspective, and focus on fulfilling functional requirements. In-app protection, bot management, fraud management and API security are becoming essential. Corporate security should consider security best practices for applications from the SDLC through to production.

#7 – Data Owner

Many organizations today do not have adequate data protection strategies because they do not know who owns the data. The HR function may not have the technical expertise to secure employees' sensitive information, and the Procurement function may not be able to articulate the security requirements needed to safeguard commercial data. Corporate security needs to develop a data security program that identifies sensitive data, its owner, and how it is processed, stored and transported.

#8 – Awareness

Employees often fall victim to cyber criminals due to a lack of security awareness. Computer-based training (CBT) on cyber security awareness, phishing campaigns, posters and other traditional methods do not by themselves bring maturity to an organization's security awareness program. Corporate security should consider situational security awareness programs tailored to each employee's role in the organization.
