Questions Every CISO Should Be Asking When Developing Their Cybersecurity Strategy
The Chief Information Security Officer’s key objective is to protect their organization from any form of security breach.
The best mindset for accomplishing this objective is a growth mindset built on the assumption that a breach has already happened or is happening now. Therefore, CISOs should continually ask questions of themselves and their team, with the goal of implementing the most effective cybersecurity strategy for their unique operating environment.
Think 10 Steps Ahead
Every CISO should be hoping for the best but planning for the worst. They should think about the ripple effect of each decision and how one change or missed risk can lead to multiple attacks.
As Sun Tzu counsels regarding the formulation of a strategy, “Do not depend on the enemy not attacking; depend rather on having a position that cannot be attacked.” In planning to accomplish the latter, here are some suggested questions each CISO should be asking:
1. Where do I feel most comfortable and secure in my enterprise cybersecurity position?
This may not appear to be a point of concern, because you perceive this part of your overall security strategy as strong. All too often, in such situations, human nature takes over and the area is treated as “set it and forget it.” The smart adversary recognizes that people are less vigilant where they feel safe and secure, and will attack you where you feel strongest. Therefore, continue looking for ways to improve the positions you are currently comfortable with.
2. How well do I know my organization’s operating environment?
The operating environment of any organization is one of uncertainty regarding the source and timing of a potential cyberattack.
CISOs need to fully understand their network and all its connections with other systems, both internal and external. Having a good handle on all the external connections, cloud applications, and personal devices where data is accessed will help mitigate the uncertainty and keep the organization secure. It can help to identify areas of risk better and ensure adequate measures are in place to protect against any malicious activity or data breaches coming from outside sources.
Digital transformation has had and continues to have a dynamic impact on an organization’s operating environment. Increasingly ubiquitous internet accessibility paired with a mobile workforce and sensitive digital intellectual property creates a growing cyberattack surface area and a much-needed security strategy.
Operating environments are constantly changing, with varying degrees of complexity, risks, and threats. People can, and will, develop habits of response to stressful situations based on how they are trained and prepared through practice.
Do you have strong protocols in place that all employees, managers and departments follow when adding new forms of technology to your network? With multiple generations adding new graphic technology, outsourcing to different vendors, adopting new payment systems, etc., each newly connected system is an added risk. What about the external applications your employees connect to their email accounts in order to get access? For example, how well has the new ChatGPT been vetted in your organization?
Some sign-up flows ask users to grant access to their Gmail account as part of registration. How well do you know that those new platforms are not gaining more access than they should? Do your employees really read the security information? What about the other new technology that comes out that they decide to download, use to log in to their devices, or connect?
Do you know who owns the IP? For example, if your employee shares their information or your trade secrets within this platform, who owns it now? What if that product gets breached? How do those third-party vendors access your employees’ data? What about all the vulnerabilities that develop with new API connections? With each new integration, you open up vulnerabilities within your network. One way to quickly mitigate those risks is application security training, because it teaches the main classes of vulnerability.
Having strict guidelines in place is also imperative. Some major technology companies block certain products altogether.
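The questions above about sign-up flows that ask for Gmail access, and about platforms gaining more access than they should, come down to one recurring check: which third-party apps hold OAuth grants from your users, and how broad are those grants. The following is an added example, not code from the original article or from ThriveDX. The grant records are constructed to look like an admin export of user-authorized apps; the scope strings are real Google OAuth scope identifiers, but the policy of which scopes count as “broad” and the allow list of vetted apps are assumptions you would replace with your own.

```python
"""Review third-party OAuth grants and flag apps holding more access than a
sign-in needs. Added example; records and policy are constructed."""
from collections import Counter
from dataclasses import dataclass

# Assumption: scopes that hand a third party full or near-full access to user data.
# Which scopes your organization treats as "broad" is a policy decision.
BROAD_SCOPES = {
    "https://mail.google.com/",                          # full mailbox read/write/delete
    "https://www.googleapis.com/auth/gmail.modify",      # read, compose, relabel mail
    "https://www.googleapis.com/auth/drive",             # every Drive file
    "https://www.googleapis.com/auth/contacts",          # full address book
}

# Scopes that only identify the user; the normal footprint of "Sign in with Google".
IDENTITY_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


@dataclass
class Grant:
    user: str
    app: str
    scopes: list


@dataclass
class Finding:
    user: str
    app: str
    severity: str
    reason: str


def review_grants(grants, allow_list):
    """Return one Finding per grant that needs attention.

    high   - app not on the vetted allow list and holds a broad scope
    medium - app not on the allow list and holds anything beyond sign-in identity
    low    - vetted app, but a broad scope; confirm the business need is still real
    """
    findings = []
    for g in grants:
        held = set(g.scopes)
        broad = sorted(held & BROAD_SCOPES)
        beyond_identity = sorted(held - IDENTITY_SCOPES)
        vetted = g.app in allow_list
        if not vetted and broad:
            findings.append(Finding(g.user, g.app, "high",
                                    "unvetted app holds broad scopes: " + ", ".join(broad)))
        elif not vetted and beyond_identity:
            findings.append(Finding(g.user, g.app, "medium",
                                    "unvetted app holds data scopes: " + ", ".join(beyond_identity)))
        elif broad:
            findings.append(Finding(g.user, g.app, "low",
                                    "vetted app holds broad scopes; confirm business need: " + ", ".join(broad)))
    return findings


def summarize(findings):
    """Count findings by severity, e.g. for a weekly report to the CISO."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample data: what an export of user-authorized apps might look like.
SAMPLE_GRANTS = [
    Grant("alice@example.com", "Acme Notes", ["openid", "email", "profile"]),
    Grant("bob@example.com", "Acme Notes", ["openid", "email", "https://mail.google.com/"]),
    Grant("carol@example.com", "Approved CRM Connector",
          ["email", "https://www.googleapis.com/auth/contacts"]),
    Grant("dave@example.com", "Acme Notes",
          ["openid", "email", "https://mail.google.com/", "https://www.googleapis.com/auth/drive"]),
    Grant("eve@example.com", "Acme Notes",
          ["email", "https://www.googleapis.com/auth/gmail.readonly"]),
]
ALLOW_LIST = {"Approved CRM Connector"}   # assumption: apps that passed vendor review

if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS, ALLOW_LIST):
        print(f"[{f.severity}] {f.user} -> {f.app}: {f.reason}")
    print(summarize(review_grants(SAMPLE_GRANTS, ALLOW_LIST)))
```

Note that alice’s grant produces no finding: the same app is fine when it asks only for identity scopes, and becomes a problem when a user accepts the full-mailbox scope. That is the distinction the article is asking CISOs to check, and it is invisible unless someone actually enumerates the grants.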
3. How do I improve situational awareness organizationally and individually?
Situational awareness is the adaptive, externally directed consciousness built on the knowledge of a dynamic task environment and directed action (i.e., behavior) within that environment. It is the use of the sensory system of an individual to scan their environment with the purpose of identifying threats in the present or projecting those threats into the future.
A lack of situational awareness has been determined to be the number one cause of human error. Even the most experienced people can lack situational awareness; especially when performing tasks that have become routine and are perceived as mundane.
Traditional knowledge-based learning is the basis for the continuous growth in the security knowledge base of the individual. Skill-based learning models are used to create an experience requiring the employee to apply the knowledge, through practice scenarios where all the variables, relative to their role, simulate an event they might experience in the daily performance of their assigned tasks. The retention of knowledge is best achieved through “learning by doing.” Integrating knowledge- and skill-based learning as a training program provides the platform best suited for knowledge retention and improvement in the desired security behavior.
It is strategic to be proactive, resilient and capable of being adaptable, flexible, and maneuverable in an environment of friction and disorder.
Identify the Specific Risk Areas
Frequently, to get the best results, a CISO adapts their strategy to the whole organization but then addresses each individual area as best they can. Different pockets of users experience different types of risk, and it’s important to factor those into a strategy.
Specific Workforce Population Devices/Products
For example, one population of employees may come from Gen Z; they may need different training to best understand some of the security threats in their network. They also may use different social networks that are now starting to be seen as security risks. TikTok has been banned on certain government networks, and some security experts even actively keep their distance from peers who have the app on their mobile phone due to security worries. They also may be more prone to remote working, so they may need extra training on best practices for remote work.
Specific Leadership Population Devices/Products
Some top leadership populations also need to be taken into consideration. Do they have more access to “master information”? Are they frequently involved with very sensitive information? There have even been stories of top companies bringing jammers to senior leader meetings to block out any form of surveillance; depending on the company’s security threats, it is sometimes not a bad option. However, check your government’s laws, because sometimes it is illegal.
Specific Departments' and Job Duties' Devices/Products
Alternatively, another demographic may be defined by specific job duties or departmental needs. For example, sales-related roles have more outward-facing duties: calling from remote locations, sharing public information with potential customers, talking in public areas where bystanders could be listening, exchanging messages with strangers, etc. Sometimes salespeople need to respond immediately to urgent requests from C-levels or even potential customers to close deals. These “urgent requests” are also the raw material of phishing schemes, so salespeople need security awareness training on telling fraud apart from a legitimate part of their job.
Also, some departments receive more inbound messages from strangers. If your organization has an investment arm, it may receive cold emails from eager entrepreneurs interested in showing their hustle, which could be viewed either as admirable or as a security risk. CISOs need to take into account all of their employees’ roles, duties, daily activities, etc. to build the most robust and scalable security infrastructure.
Last, it is also important to consider your third-party databases and cloud infrastructure. Some companies and industries are adamant about having their cloud storage on their own servers, not shared with any other company, in case something accidentally gets crossed. Some companies even go as far as to choose their cloud location in a certain region based on national or even state laws. Those cloud vendors usually are SOC compliant, meaning they have to follow certain protocols, but some CISOs would rather be overly cautious than risk a security breach through a third party.
4. Which current threats is this organization most vulnerable to?
In cybersecurity warfare, the attack method(s) being used can be identified through threat intelligence. The more significant vulnerabilities to address are those within the unique operational environment of the organization, or of an individual role, that are most easily exploited by those TTPs. Finding them requires more than an annual vulnerability scan or penetration test; it requires forward-looking planning and rigorous self-examination.
Identifying the ease of exploitability to the biggest cyber threats to the organization can direct the focus on improving security in the most at-risk areas.
Prioritizing the cyber risks your company faces moves your cybersecurity strategy from reactive to proactive.
5. How are we managing our third-party risk and where is there room for improvement?
Although we previously addressed some of this more granularly, third-party risk across the organization is a primary CISO consideration. It has typically been addressed in a siloed fashion, with individuals in the organization looking at specific risks, usually within the supply chain. Managing risks to certain functions or aspects of the business in isolation may have been right at one time, but the increasing reliance on third parties as an integral part of the organization’s operations requires a broader view across the business in order to understand the overall enterprise risk exposure created by operating with these external third parties.
Because these third-party vendors may not have the same security controls or processes in place as your organization does, all third-party vendors must be held accountable to appropriate security controls and standards to ensure that any data they store or process stays safe.
In many countries, third-party compliance is a legal requirement.
6. How resilient is my organization?
Many organizations have policies and procedures in place as part of regulatory compliance. The more important element in being resilient is the efficiency in the execution of those policies and procedures in an environment filled with chaos, uncertainty, and the resulting emotions that affect decision-making.
The most efficient execution of the policies and procedures that have been established is the product of “learning by doing” and the behavioral habits such training creates. Training scenarios built around the attack vectors an adversary is most likely to use in your operating environment will best prepare the team to respond in a manner that most rapidly returns the organization to normal operations.
Key stakeholders and decision-makers across internal and external counsel, public relations, disaster recovery, crisis communications, business continuity, security, and executive leadership should be involved in this scenario. This is also a good opportunity to align on the decision-making resources that might be needed (i.e., who is going to lead which workstream, and what will the decision-making process look like?).
7. Are we investing strategically in our cybersecurity defense program?
The Defense-in-Depth model of most organizations has, for the most part, been driven tactically, with little if any strategy: a breach is publicly reported, a security vendor proposes a technology or solution as the answer, and the organization buys it to avoid becoming a victim of the same or a similar attack vector.
The result, in far too many instances, is an organization with more than fifty security technologies that, for the most part, are not integrated and are limited in their ability to complement each other. Integrated well, they would create a synergistic effect and place an opponent in an inescapable, hopeless situation, otherwise known as the “horns of a dilemma,” which forces the attacker to respond to the defender’s actions and increases the adversary’s cost of maintaining the attack.
Once again, Sun Tzu’s counsel serves as advice: “Strategy without tactics is the slowest route to victory; tactics without strategy is the noise before defeat!”
The best strategy is one that attacks and defeats your opponent’s strategy. The strategic management process to develop such a strategy begins with the determination of the strategic mission, vision, and objectives, followed by an environmental and organizational analysis and then the formulation of the strategy to be implemented.
Answering these questions will provide knowledge to aid in the environmental and organizational analysis and strategy formulation stages and contribute to the development of that best strategy. Thinking ten steps ahead about what could result if one part is broken is the best approach to designing the most comprehensive cybersecurity strategy, while remaining open to improving it as new threats arise.
ThriveDX Security Awareness Training takes into account the continually changing risk landscape, and proactive and reactive training for all types of employees is one step toward preventing cyber attacks from happening.
ThriveDX Application Security Training covers the most common programming threats to help close holes that could become major risks and get duplicated: code vulnerabilities are like telling a builder to build a house the wrong way; once that builder teaches the new builders, the vulnerabilities scale.
Reach out to learn more about how ThriveDX can help with your strategy.