A Guide About Priorities For Chief Information Security Officer (CISO)

Priorities for CISO

In a previous article, I spoke about the Chief Information Officer (CIO), their duties, and how they should respond to a data breach. In that article, I termed a CIO as ‘the sacrificial lamb of a data breach.’ A CISO’s job is similar to that of a CIO, but there are a few differences which I will cover later. A Chief Information Security Officer (CISO) also joins the CIO in being the ‘sacrificial lamb in case of a security incident.’ Again, I am not making this up. CISOs of Capital OneEquifax, and Uber are just a few examples of CISOs who faced the sack after a security incident. So, in a job in which the stakes are so high, what should the priorities of a CISO be? Let us first start by understanding who a CISO is.

Who is a CISO?

A chief information security officer (CISO) is the senior-most executive who holds the responsibility for establishing strategies to ensure that an organization’s data and information is secure. Traditionally, a CISO works together with the CIO. The position CISO is often used interchangeably with the titles of Chief Security Officer (CSO) and Vice President of Security. CISO generally reports to the CIO or CEO.

Responsibilities of a CISO

  • Security: The CISO is responsible for establishing mechanisms for real-time monitoring and analysis of threats.
  • Insiders: The CISO must ensure that there are no disgruntled employees or internal staff who are misusing, stealing data, or indulging in corporate espionage.
  • Cyber Intelligence: The CISO should know of any developing threats. The CISO is also responsible for advising the board of potential security problems that may arise while acquiring a business.
  • Security architecture: The CISO is responsible for ensuring that the IT infrastructure is secure and up to date.
  • Access control: The CISO should actively employ access control mechanisms so that the employees have access to just enough information to do their work.
  • Security management: The CISO must ensure that regular patches and updates are rolled out or installed.
  • Forensics and incident response plan: The CISO must actively participate in investigations and activate the incident response plan in case of a security attack.
  • Governance: Lastly, the CISO is responsible for ensuring all the above responsibilities are run smoothly with the support from the board.

With the rise in cybercrime and a digital world, the CISO role is evolving and getting more critical by the day. A CISO needs to have their team aid them in various aspects of the responsibilities. In this evolving world, a CISO also needs to move to a role in business and accountability. So, what priorities should a CISO have in today’s world?

Priorities for a CISO

  • Identity management and Access control: This must be the biggest priority for a CISO. The CISO must ensure that employees get access to only those resources and information sufficient to carry out their job. The team must ensure that the users are accessing resources for the right reasons at the right time.
  • Adhering to laws, regulations, and compliance standards, every region, and country has its data and privacy laws. Furthermore, specific laws are set as standards that all businesses need to observe around the world. For example, GDPR is global due to the number of businesses it affects. A CISO needs to take care that these laws and regulations are adhered to for a successful business.
  • Zero Trust policy: This means that resources and data should be protected by encryption and insiders as well as outsiders should present their identities to access them.
  • DevSecOps: CISO should integrate their team in DevOps to make it DevSecOps. The integration and collaboration of the development, security, and operations teams must be ensured in this evolving world. CISOs should encourage this practice to make sure that cybersecurity is consistent in the business.
  • Corporate and Personal IoT Security: With the rise in connected devices, creative hackers, special attention should be given to IoT devices at both corporate and personal levels. IoT devices are often connected to the organization’s resources like servers and laptops, and if such an IoT device gets compromised, the entire IT infrastructure becomes vulnerable.
  • Education and Awareness: This point may be last, but it is essentially a fundamental priority the CISO should have. Every employee in the organization should be made aware of the risks and threats. As I have mentioned in many of my previous articles, employees are your business assets and security vulnerabilities. Educate your employees over potential threats and how to respond to them. The CISO should also conduct mock security incidents to help employees understand how a response plan would work. CISO should also adopt a policy of ‘If you see something, say something‘ policy. It is instrumental in detecting fraud and corporate espionage. Lastly, innocent and untrained personnel are significant threats to your company, and steps must be taken to educate them about security. 

COVID-19 Pandemic: A special list of priorities a CISO should have in these uncertain times

The Covid-19 pandemic has affected business worldwide, and often in these troubling times of disease, mass layoffs, and an imminent recession, we forget an important aspect – security. The world may have stopped for some people, and a year is getting lost in front of our eyes, but it is not the case for malicious attackers looking to profit off people’s vulnerabilities during these times.

As I sit today writing this article from my home, I couldn’t help but include this point. I realized that this pandemic isn’t a one-time thing. As a history enthusiast, I know very well that pandemics will happen in the future or other events with equally, if not more, disastrous effects. We need to adapt to this new normal in which a CISO should also prepare for these uncertain times. Here is a list of priorities I feel a CISO should have during this pandemic and the future ones.

  • Secure your remote users: As lockdowns were imposed in countries across the globe, CISOs were in a race against time to get remote work capabilities up and running. This led to ignoring security a little bit. CISOs should employ mechanisms like on-the-fly risk assessments and control adjustments effectively. 
  • Educate your employees: As remote work increases by the day, CISOs train employees of the possible security threats and risks in these times. Virtual workshops should be conducted to educate your employees about the threats of remote work and how an individual can help mitigate it at the employee-level.
  • New tools: Often, troubling times lead to innovations. Similarly, CISOs should identify or develop new tools and implement them to enforce and monitor security while keeping the business’ workflow intact.
  • Endpoint security controls: In a matter of days, organizations had to deal with a massive work from the home population who will be on their home connections. CISOs should have two priorities – providing network access by the use of VPNs and block malware by the use of anti-virus software. Special attention should also be given to mobile device security. The goal here is to bolster security. Furthermore, multi-factor authentication should widely be used.
  • New Phishing techniques: Malicious actors are devising new ways to leverage the current circumstances to their favor by feeding on victims. CISOs should devote considerable time and energy in making people aware of phishing threats posed through email or other communication outlets, like most recently, the entire Zoom issue.
  • Artificial Intelligence: Working from home, social distancing and lockdowns will limit the responsibilities of the CISOs, and there’s only so much they can do at this point. What can I say, these are helpless times. This is the time for AI-powered tools to come into play to aid you with security.

How can Cloudanix help a CISO and the entire operations team?

Cloudanix has several hundred audit controls for AWS, GCP and Azure mapped with all the popular compliance frameworks. With one-click integration, you and your organization can find out how far are you from achieving a secure environment for your brand and users.