CISOs are battling for the right insights to make decisions, the right amount of budget and resourcing, and the right seat at the table. It’s time to take control and ownership over cyber risk management.
5 Ways to Transform Your Security Program
Between difficulty communicating with boards and executives, decreasing budgets, and difficulty measuring how exactly risk was being reduced, security leaders are under pressure to change the way they do things. The situation for security leaders was already changing heading into 2020, with decreasing budgets and increasingly skeptical boards citing little change in security performance to show for their investments.
All of that was accelerated in March when COVID-19 became a global pandemic and drastically changed the way we work. Suddenly everyone was working from home, business operations had to shift rapidly, and legacy processes across the board were left struggling to adapt. Since then, security leaders have been under enormous pressure to do things faster and cheaper while still delivering results, stressing programs that have relied on traditional or one-size-fits-all “best practice” methods for managing their security.
But for forward-thinking leaders who embrace it, this time of unprecedented transformation can be a time to thrive, and a chance to turn security into a leading enabler of the business.
Here are five ways you can transform your policies, processes, and management of your third-party risk and security performance programs.
1. Measuring Program Effectiveness
How much are you spending, and what are the results you’re delivering to the business? Focusing on results is critical here, but they have to be the right results. Too often security leaders focus on what was accomplished instead of the business impact, and often neglect to provide context for their reporting.
Instead, security leaders, executives and board members should focus on how security is aligning with the overall objectives of the business. For example, if one of the objectives is to reduce downtime in a SaaS product, security might report on the speed with which new cloud vendors are being onboarded and reassessed, as well as an increase or reduction in vulnerabilities found throughout the attack surface.
2. Addressing The Expanding Attack Surface
The attack surface was already growing before the COVID-19 pandemic, but it has absolutely exploded since March 2020. With the large scale shift to work from home, any idea of a perimeter has disappeared, while the reliance on apps like Zoom, Microsoft Teams, Google Drive and Slack has seen new technologies both onboarded faster and become more critical to operations than ever.
While security teams often did what needed to be done to adapt to changing circumstances, there needs to be a long-term strategy for managing the ever-expanding attack surface. Security teams need to prioritize getting visibility into their entire attack surface, including shadow IT and any corporate-associated assets such as old URLs or domains; understanding what their fourth-, fifth- and nth-party risk is; and understanding what their work-from-home risk exposure is.
3. Focusing On Measurable Risk Reduction
For far too long, security teams have bought technology and tools without knowing exactly what they’re trying to prevent. While this approach may have worked in the past, when the perimeter was the four walls of the corporate office, it is far from effective in the era of vast vendor ecosystems and far-ranging digital ecosystems, where a more proactive approach is needed.
Instead of measuring only how security controls are working, security leaders, executives and boards should focus on risk. This will both help to generate actionable and proactive strategies and plans, and give security leaders, executives, and board members more meaningful cyber security KPIs to track, so they can understand how the actions of the security team or the rest of the business are affecting the organization’s cyber-risk profile.
4. Optimizing Cost and Finding Efficiencies
One of the most effective ways to make your program more efficient is to increase the use of automation. This is most apparent when it comes to Third Party Risk Management programs.
Automation can also make securing your work-from-home and cloud attack surfaces more manageable by helping you spot the gaps in your security visibility and making asset inventories more complete. This cuts down on the hours required to build, maintain, and monitor asset inventories, or to chase down shadow IT.
5. Communication Is Key
For Security Leaders:
CISOs must communicate with board members and leadership in the business terms they are used to dealing with. That means framing the performance of your security program in terms of outcomes, risk reduction and business impact.
For Board members:
Board members and senior leaders also need to become better at providing direction to security leadership. Boards have a responsibility to investors, shareholders and customers to ensure cybersecurity is properly implemented. They can’t just sit back and accept what is reported on. Boards have the right to ask questions and give direction and guidance to security leaders. But to do that, board members and executives need to become better informed about security strategy and how it fits into the overall business strategy.
Implementing the above steps can have a sizable impact on the effectiveness of your program in a relatively short amount of time. By focusing on performance, risk and communication, security can take a leading role in enabling the business to navigate these challenging times.