A CISO Point of View

Building a Cybersecurity program from the ground up requires the adoption of an existing framework such as NIST, COBIT, ISO, etc. This adoption will speed up the process of building all the layers of protection that were developed and tested by many organizations for long periods of time.

The goal is to make the organization resilient. Of course, along the way, the layers of protection will prevent the majority of incidents, but eventually, sloppy Information Technology practices or events of nature will lead to a disaster. A seasoned CISO realizes that no matter how much effort and resources are put into all the layers of protection, eventually, the need to recover to a healthy state is the most important layer and prepares for it.

The challenge is on!

CISOs across all industries, including Government, are in the middle of implementing, maturing, replacing, testing, and monitoring security layers with varying success levels. A successful program depends on budget, people, technology, and skill. When people say ‘Cybersecurity is hard,’ it is because typically, it is not well funded, poorly staffed, using immature technology, or is riddled by a strong skill shortage. For the past 30 years of my career, I have been part of this challenge, and it seems that, so far, there is no fundamental change in the industry to disrupt what we have been doing for so long. If we will be doing the same thing for the foreseeable future, can we do it more gracefully? 

I believe that there is one ingredient that is missing in this massive challenge, sympathy for the impacted people. Let me begin with the Cybersecurity staff. They are asked to become business oriented, understand business objectives, strengthen the reputation of the organization, and build customer trust. 

They are asked to be on top of the latest technology, to be part of a team with the right mix of technical skills, to develop a solid set of security management skills, to adhere to a well-defined framework, and to have a solid understanding of the organization mission and goals. Bottom line, we are asking a lot from Cybersecurity staff.

Another technology staff is stressed out because we ask them to apply more rigor to their practices. In the past, falling slightly behind on patches or larger versions was normally accepted and perhaps financially more appealing. Today, we ask them to maintain systems to the latest version with the last security patches at all times. We ask them to minimize functionality, harden systems, disable unused services, and maintain tight access control to all resources. Ensure that micro-segments are configured optimally in development, test, and production environments. In the past, if it worked, that was a measure of success. Today, it has to work securely and has to be implemented with a secure architecture and all applicable controls. This is overwhelming!

" Ensure that micro-segments are configured optimally in development, test, and production environments "

The rest of the staff in the organization is also under additional stress because they are constantly targeted by spear phishing attacks and social engineering attacks.

We ask them to become experts in recognizing an attack in different vectors such as email, texts, phone calls, and in person! There are plenty of sad stories in which victims lost life savings and, in some cases, large personal assets. They are constantly being targeted everywhere!

Businesses are asked to spend more money on Cybersecurity and to protect customers’ data. Some fail to adapt and are victims of ransomware, extortion, and theft. Costs are rising because now Cybersecurity needs to be embedded in everything they do.

Large companies are targeted by nation-state actors with unlimited resources to steal intellectual property and disrupt business. CXOs are constantly challenged to adapt and meet the demands of the new Cyberworld, or they get ousted by more security savvy individuals or as a result of a large incident.

I am not saying that all these pressures should go away or suggesting that we don’t ask everyone to contribute to Cybersecurity; what I am saying is that we can do it more gracefully.

We need to acknowledge and sympathize with the individuals that are under constant pressure from Cybersecurity demands. We need to thank them for all the effort required to adapt. We need to let them know that without them, a Cybersecurity program would not be nearly effective in meeting the demands of a modern organization. Unfortunately, things will continue to be more challenging, so please hang in there!