What the CISO says – Start the conversation, don’t delegate it!

Article by Alex Woerndle

As a team of Virtual Chief Information Security Officers (vCISO) and supporting cyber security and data privacy specialists, we deal with a diverse array of organisations across Asia-Pacific, Europe and the USA, from very small, to enterprise and government entities. While no two organisations are the same, the challenges with implementing cyber programs and the requirements to establish a fundamental baseline of cyber protections and readiness, are consistent. Regardless of location, regulation, language, or industry sector.

Getting the fundamentals in place provides all organisations the framework from which to build business resilience, but more importantly, it provides the cyber controls and confidence that enable the business to grow and achieve its vision.

But the ‘fundamentals’ we are talking about here are not the traditional security controls around people, process and technology. The ‘fundamentals’ discussed here are readiness activities all businesses can take to ensure the best possible outcomes for the long term.

From our collective experience across the global team, here are the 4 simple and effective things all businesses – and most importantly, the business leaders – can do, to establish the foundations of a robust, efficient, and effective security posture.

1. Start the conversation, don’t delegate it.

As a business leader, you may not have deep knowledge of cyber security. The reality is, not many do – even the ‘experts’ have their domains of expertise and gaps in deep knowledge of other domains. Cyber is a complex, broad, and constantly evolving business operation. Delegating it means business leaders will lack understanding and either delay progress as a result or provide inadequate direction to the real business risks that need addressing.

Simply starting, driving, and being a key voice in the conversation with support from subject matter experts will provide faster execution, more focussed improvements and, importantly, the most efficient investment for the best returns.

2. Know what you have and where it is.

You may hear terms like ‘asset registers’ and ‘information assets’ which, to the industry insider are common and understood terms, but have little meaning to the outsider. Unfortunately, industry jargon often complicates what is not a complex task – it’s a task that takes time but doesn’t require the skills of 20 year industry veterans with a list of certificates and post[1]nominals after their name.

Understand what you have and where it is – what websites are your employees logging into to execute their jobs, what software has been installed on devices, and what devices have been issued and to who. A simple spreadsheet of these ‘assets’ opens a very simple ‘what can go wrong’ discussion that will lead even the least technical executives down an understood path of risk evaluation, leading to clearer decisions on what we need to protect, but more importantly ‘why’ we need to protect it.

3. Raise awareness and build confidence.

Hiding, or at the least not elevating cyber discussions to the broader company and stakeholders relegates cyber to the ‘unimportant’ basket. It also creates a perception of negativity, which leads to individuals hiding mistakes, small issues becoming large issues, and a culture of blame, denial, and excuse.

Extending on point 1 above, elevate the conversation throughout the company to raise the awareness. But it goes beyond a subject matter expert, or the head of IT simply reminding everyone of the threat. Embed security near-misses, human errors, and real incidents into regular team meetings – call out proactive behaviours where a malicious email has been detected by a team member and allow individuals to own minor errors without recrimination. By raising awareness, and empowering teams to interact on day-to-day cyber matters, you build a more positive and resilient culture that will enable effective response to the more serious incidents.

4. Write down your response plan, and test it regularly.

Hoping you don’t have a breach is not a strategy. Not knowing you have had a breach is a big problem. Not having a tried and tested game plan for dealing with the inevitable incident is even worse. Incident response plans do not need to be 100-page theses. They need to be clear, concise, and effective. Without one, you will spend three times longer and possibly many more times in cost, responding to and recovering from an incident.

Developing a simple, understandable, document that clearly outlines what to do when an incident occurs is critical. But it will only be effective if you test that process regularly – firstly to assess where it may fail to work in a real incident, but more importantly to train those individuals involved in the response on their roles. So, when the time comes, everyone knows what they need to do, when, and how their role contributes to, and supports, the broader team.

Cyber security is a complex business matter. As a vCISO, one needs to navigate complex organisations to support continual improvement. To do this, they are reliant on senior management taking a leading role to influence engagement to support the investment a company has made. Proactively owning the conversation, having a broad understanding of the landscape, and encouraging openness while having a clear plan for dealing with the inevitable will set up the foundations to ensure any organisation, in any industry or country, and of any size, can build effective and sustainable resilience.

Alex Woerndle is Co-Founder and Director of MyEmpire Group, a specialist cybersecurity company focussing on security teams, security management and vCISO capabilities, with operations in Australia and the United Kingdom, servicing the APAC and EMEA regions respectively.