The CISO’s Key Mandate
What exactly does a CISO do? CISOs develop the vision and strategy for the organization-wide information security program and execute on that strategy. The CISO informs senior executives and business units about cyber risks and recommends controls to mitigate them. On occasion, especially in the financial sector, some CISOs are responsible for an organization’s privacy program.
This role requires the implementation of numerous security controls to protect sensitive and confidential information. A CISO’s team consists of dedicated security and privacy professionals, who develop policies, perform security assessments, and test security systems. The team also implements a variety of information technology solutions to protect sensitive information.
Criteria of a Successful Security Program
From a CISO’s perspective, there are three primary elements required for any enterprise to achieve a secure environment. The first is to ensure the security program is risk-driven, not compliance-driven. While a privacy program is traditionally compliance-driven, a successful security program must be risk-driven. This requires an understanding of the threat landscape, investment in security intelligence, and consistent adjustment of controls as threat actor tactics change.
Regulations will always lag, and threat actor tactics are a leading indicator of which risk-based adjustments are required. It is essential to be able to adjust a security strategy quickly in response to threat actor tactics. The enterprise does this by consuming security intelligence from multiple sources and validating that intelligence. Today, the speed and quality of the decisions a CISO makes in response to shifts in threat actor tactics will have more impact on an enterprise’s security posture and resiliency than the effectiveness of conventional controls from a risk framework.
The Importance of Unconventional Controls
The second element of a sound security and privacy strategy is to recognize that innovation, including investment in unconventional controls, is essential for any resilient enterprise offering products, services and capabilities across the digital landscape. Innovation in techniques, in technology, and in how we use them may mean the difference between a breach that has an enormous effect and cripples the business, and a breach that the enterprise sustains with no measurable negative business impact.
Cyber threat actors seek the most efficient way to achieve their objectives with the least amount of effort. If enterprises respond by consistently changing their controls, they create friction for threat actors, who are forced to continually adjust their tactics. Today, significant changes to the policies, practices and measures that govern enterprise residual risk occur every day. One of the most interesting aspects of this daily pace of change is that the majority of the control changes fall into unconventional categories. Making an enterprise a less attractive target is about as good as it gets for a CISO, and it depends on the organization’s agility in adjusting unconventional controls.
Metrics Versus KPIs of a Security Program’s Core Function
The third consideration to keep in mind is that while it’s easy and common to measure particular processes, metrics are not what is critical in security. Measuring statistical trends is important, in the right context. However, assessing the key performance indicators (KPIs) of the core functions of a successful security program, and determining the health of those core functions, is more important than metrics. Measuring the health of core business processes and their underlying security controls gives security leaders the critical baseline for determining the health and resiliency of their security and privacy program. CISOs do not own key business processes, so they must embed security controls within them and provide business leaders with the information (KPIs) needed to make essential business decisions. There are techniques for doing this that also lower the total cost of IT ownership and improve the consumer experience.
Balancing Security and Facilitating the Customer Experience
Managing new privacy paradigms and maintaining an ongoing level of trust with consumers will remain an evolving challenge for enterprises going forward. Consumers do not trust large commercial enterprises or governments. Yet establishing a brand based on consumer trust is essential for success and survival in the marketplace. Technology advances offer the potential to go well beyond consumer trust and privacy thresholds, yet the devil is always in the details. Incorporating a mature, advanced analytics solution, with identity analytics and user and entity behavior analytics at its core, to protect consumers and build better online experiences is a worthwhile investment. With an array of well-chosen and proven security analytics solutions, an enterprise is far better equipped to walk the line between security and consumer trust.
The Necessity to Act Now
A successful security program is proactive – designed to get ahead of cyber attacks before sensitive or confidential information is taken. Gurucul’s behavior-based security analytics and intelligence platform should be a key component of any successful security program for large enterprises. Contact us to get started with unconventional controls that leverage machine learning and big data.