CISO Best Practices for Managing Cyber Risk
Leading CISOs have offered best practices for security leaders on how to manage cyber risks effectively during the ISC2 Security Congress 2023 in Nashville, Tennessee.
Andrew Smeaton, CISO at Affiniti, and Greg Rogers, CISO for the State of Maryland, set out a range of tips on how to undertake cyber risk management sustainably amid an increasingly complex threat and regulatory environment.
1. Use Appropriate Frameworks
Cybersecurity frameworks are “the best place to start” in cyber risk management, said Rogers.
However, not all frameworks are going to be necessary or relevant for every organization. He urged CISOs to look at factors like the size of the company, their current risk management program and their sector when deciding which frameworks to use. For example, ISO 27001 is often useful for organizations that are at the mid-point of their risk management journey.
For those at the start of their journey, frameworks like NIST’s Cybersecurity Framework may be more suitable.
2. Understand Regulatory and Contractual Obligations
Smeaton outlined that in the first 100 days of taking a role, CISOs should learn which cybersecurity regulations and contractual requirements their organization must adhere to.
“It’s surprising but not all organizations are adhering to what’s mandatory,” he noted, adding that CISOs should engage with the company’s legal officer if they are receiving pushback on taking measures to be compliant with a particular obligation.
Understanding these obligations in full also helps security leaders develop the best ways to implement them – “finding the middle ground between the letter of the law and impact on the business,” said Rogers.
He argued that if an organization has good security in place, “compliance will generally follow.”
3. Create a Sustainable Vulnerability Management Program
While it is generally thought that organizations should quickly mitigate any vulnerabilities given a CVSS score of ‘Critical,’ Rogers noted that “often we don’t have the resources to do so.”
He said that a critical vulnerability does not necessarily pose a high risk to your organization. Therefore, security teams should develop an internal definition of what is a critical vulnerability to their organization, analyzing factors like exploitability rates and what systems are affected.
This enables CISOs to develop a realistic vulnerability management program that prioritizes the most dangerous threats to their organizations.
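The re-ranking Rogers describes, as an added illustration that is not from the talk or the article: each finding is scored on its CVSS base score together with exploitation evidence and the criticality and exposure of the affected system, so a CVSS "Critical" on an isolated low-value host can fall below a "High" that is actively exploited on an internet-facing crown-jewel system. The weights, thresholds and sample findings are all assumed, constructed values for the example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    ident: str              # constructed label, not a real CVE id
    cvss: float             # CVSS base score, 0.0-10.0
    exploitability: float   # assumed 0.0-1.0 likelihood of exploitation
    exploited_in_wild: bool # known active exploitation
    asset_criticality: int  # 1 (throwaway) .. 5 (crown jewel)
    internet_facing: bool

def contextual_score(f: Finding) -> float:
    """Organization-specific risk score (assumed weights, not a standard)."""
    exploit_factor = 1.0 if f.exploited_in_wild else f.exploitability
    exploit_term = 0.3 + 0.7 * exploit_factor            # 0.3 .. 1.0
    asset_term = 0.5 + 0.5 * f.asset_criticality / 5      # 0.6 .. 1.0
    exposure_term = 1.2 if f.internet_facing else 1.0
    return round(f.cvss * exploit_term * asset_term * exposure_term, 2)

def internal_severity(score: float) -> str:
    """Map the contextual score onto the organization's own severity bands."""
    if score >= 7.0:
        return "critical"
    if score >= 4.0:
        return "high"
    if score >= 2.0:
        return "medium"
    return "low"

def prioritize(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Return (ident, score, internal severity), highest risk first."""
    scored = [(f.ident, contextual_score(f), internal_severity(contextual_score(f)))
              for f in findings]
    return sorted(scored, key=lambda row: row[1], reverse=True)

# Constructed sample findings for the example.
SAMPLE = [
    Finding("vuln-a", 9.8, 0.02, False, 2, False),  # CVSS Critical, isolated lab host
    Finding("vuln-b", 7.5, 0.85, True, 5, True),    # CVSS High, exploited, public portal
    Finding("vuln-c", 9.1, 0.40, False, 4, True),   # CVSS Critical, exposed, no exploit yet
]

if __name__ == "__main__":
    for ident, score, sev in prioritize(SAMPLE):
        print(f"{ident}: score={score} internal={sev}")
```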
4. Focus on the Basics
Much of the marketing in cyber makes wild claims about attackers being highly sophisticated and emphasizes the threats posed by nation-state actors, Smeaton and Rogers noted.
However, the reality is that the vast majority of attacks are not sophisticated, relying on techniques such as social engineering and password cracking. Therefore, they urged CISOs to avoid the noise and focus on the basics of cybersecurity, such as implementing MFA, patching and access management policies.
“Focus on securing that foundation,” advised Rogers.
5. Consolidate Security Toolkits
Smeaton said that many organizations have purchased an excessive amount of security tools, citing one case in which a company had 19 separate tools. This makes it impossible for security teams to manage.
Instead, CISOs should prioritize “consolidating and concentrating” their toolkit.
Rogers added that “the fewer tools you have, the better you are at using them.”
6. Communicate Risk Effectively
The two CISOs advocated a shared responsibility for cyber risk, with buy-in from business leaders and the rest of the organization on what level of risk they are prepared to accept. Rogers noted that there has to be some level of risk acceptance, as it is impossible to protect everything in the same way. The priority areas must be continuously re-evaluated depending on the needs of the business.
This process requires good communication and, from the CISO's perspective, explaining risks in a language familiar to the target audience.
“Know your board – try and understand what they’re going to be concerned with,” advised Smeaton.
Using data to highlight cyber risk is important; however, Rogers advised keeping this as simple as possible and “not doing metrics for metrics’ sake.”