Office Hours Recap: How CISOs Can Drive Value in Times of Economic Uncertainty
In the current atmosphere of economic uncertainty, many CISOs are faced with maintaining tighter security with even fewer resources. In our first Secureframe Office Hours | Ask an Expert for CISOs, Secureframe CISO Drew Daniels pulled from his 20+ years of experience as an information security expert to answer questions about maintaining a strong security and compliance posture during times of economic uncertainty.
During the 30-minute live Q&A, Drew answered questions on topics ranging from best practices for technical and organizational safeguards to ways to involve key stakeholders across leadership teams in security initiatives and how CISOs can prioritize and drive value across their organizations. If you missed it, we’re recapping some of his answers below.
1. What are some manual and low-value activities that CISOs work on today that could be automated so that more focus can be placed on higher priorities?
Drew: There are two things that CISOs focus most of their time on that immediately come to mind.
First, there is a lot of tedious and repetitive work in the compliance space that is ripe for automation. Many compliance tasks are straightforward comparisons of one list to another list and because they have to be done on such a regular and frequent basis, it’s something CISOs always have to be working on. Compliance teams get stuck working on things they don’t enjoy that are tedious and repetitive. Those things can and should be automated.
The second thing is that today, business moves so quickly. Technologies and risks can be introduced incredibly fast. As an example, I recently read about a situation where someone spun up a new compute resource in AWS and published code to it to do some testing and forgot it was there. Within 15 minutes that service was hacked because they hadn’t done security due diligence. It is very easy for someone in engineering to spin up a resource in the cloud — you can have a website, compute engine, or system endpoint up within 5-6 minutes. This is the second reason automation is essential: you can’t operate at the speed at which these resources can be detected and attacked. You need to have automation that can find and pull these different signals together 24/7 so that you know as soon as there is a threat.
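The detection side of that answer, the automation that watches for resources spun up without security due diligence, can be illustrated with a small script. This is an added example, not code from Secureframe or from Drew Daniels. The events are constructed to resemble AWS CloudTrail records, and the required tags (`owner`, `security-review`), the approved-account list, and the 15-minute grace period are assumptions chosen for the illustration, not anything the recap specifies.

```python
"""Flag cloud resource creations that skipped the security review gate.

Added example (not Secureframe's or the speaker's code). The records below
are constructed to look like CloudTrail events; the tag names, account list
and grace period are assumptions for the illustration.
"""
import json
from datetime import datetime, timedelta, timezone

# API calls that create a compute or storage resource (assumed subset).
CREATE_EVENTS = {
    "RunInstances": "ec2-instance",
    "CreateBucket": "s3-bucket",
    "CreateFunction20150331": "lambda-function",
}
REQUIRED_TAGS = {"owner", "security-review"}      # assumed review evidence
APPROVED_ACCOUNTS = {"111111111111"}              # constructed account id
REVIEW_GRACE = timedelta(minutes=15)              # how long tags may be missing

# Constructed sample trail: one reviewed instance, one untagged instance,
# one function in an unapproved account, a read-only call, and a bucket
# that is still inside the grace period.
SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventTime": "2023-03-01T10:00:00Z", "eventName": "RunInstances",
  "recipientAccountId": "111111111111",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
  "requestParameters": {"tagSpecificationSet": {"items": [{"tags": [
     {"key": "owner", "value": "alice"},
     {"key": "security-review", "value": "SR-1"}]}]}}},
 {"eventTime": "2023-03-01T10:05:00Z", "eventName": "RunInstances",
  "recipientAccountId": "111111111111",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
  "requestParameters": {}},
 {"eventTime": "2023-03-01T10:20:00Z", "eventName": "CreateFunction20150331",
  "recipientAccountId": "222222222222",
  "userIdentity": {"arn": "arn:aws:iam::222222222222:user/carol"},
  "requestParameters": {"tags": {"owner": "carol", "security-review": "SR-2"}}},
 {"eventTime": "2023-03-01T10:22:00Z", "eventName": "DescribeInstances",
  "recipientAccountId": "111111111111",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
 {"eventTime": "2023-03-01T10:25:00Z", "eventName": "CreateBucket",
  "recipientAccountId": "111111111111",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dave"},
  "requestParameters": {"bucketName": "scratch-test"}}
]}""")["Records"]

# Fixed "current time" so the sample evaluates the same way every run.
SAMPLE_NOW = datetime(2023, 3, 1, 10, 30, tzinfo=timezone.utc)


def _tags(event):
    """Collect tag keys from the two request shapes used in the sample."""
    params = event.get("requestParameters") or {}
    keys = set()
    for spec in params.get("tagSpecificationSet", {}).get("items", []):
        for tag in spec.get("tags", []):
            keys.add(tag.get("key", ""))
    keys.update(params.get("tags") or {})
    return keys


def find_unreviewed_resources(records, now):
    """Return one finding per resource creation that bypassed review."""
    findings = []
    for ev in records:
        kind = CREATE_EVENTS.get(ev.get("eventName"))
        if kind is None:
            continue  # read-only or irrelevant API call
        created = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        age = now - created
        reasons = []
        if ev.get("recipientAccountId") not in APPROVED_ACCOUNTS:
            reasons.append("created in an account outside the approved list")
        missing = REQUIRED_TAGS - _tags(ev)
        if missing and age > REVIEW_GRACE:
            reasons.append("missing tags: " + ", ".join(sorted(missing)))
        if reasons:
            findings.append({
                "resource": kind,
                "principal": ev.get("userIdentity", {}).get("arn", "unknown"),
                "age_minutes": int(age.total_seconds() // 60),
                "reasons": reasons,
            })
    # Oldest unreviewed resource first: it has been exposed the longest.
    return sorted(findings, key=lambda f: -f["age_minutes"])


if __name__ == "__main__":
    print(json.dumps(find_unreviewed_resources(SAMPLE_TRAIL, SAMPLE_NOW), indent=2))
```

The grace period keeps the check from paging on every resource the moment it appears; the untagged bucket created five minutes ago is not reported yet, while the untagged instance from 25 minutes ago and the function created outside the approved account are. In practice the same function would run on a schedule against the live trail rather than on an embedded sample.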
2. What are some of the most valuable things CISOs can do, and how can they better focus on those high-value objectives?
Drew: CISOs should be focusing on operational risk. Risk assessments are incredibly important and inform not only where your threats are, but also where your assets are.
What data is most important to the business? That’s an important conversation to have with your executive team. Is this customer data important? If it is, we need to spend some money and resources to secure it. A lot of people fail to present meaningful data to executive teams and explain why those security measures matter.
3. How extensive should technical and organizational measures be?
Drew: There are several references to technical and operational measures in GDPR and other privacy regulations, as well as in a few other security frameworks. In general, you need to perform a risk assessment where you identify threats and assets. The results of that assessment will guide you on the safeguards that will strengthen your posture against bad actors. If a technical security person looked at your safeguards, would they consider them reasonable? SOC 2, ISO, even NIST and CMMC as well as GDPR don’t necessarily specify to the letter what organizations need to do. They’re looking for you to have a reasonable standard of security that is also genuine for your business.
You need to actually look at your risks, threats, assets, and who has access to them and how data flows through the organization — data flow diagrams are critical at this stage — and be strategic about the measures that you should put in place. That said, most organizations need to put a few security controls in place regardless of threats, such as inbound protections and compliance automation to detect, identify, and process those threats.
4. What are some best practices for drafting and implementing an incident response plan and/or policy?
Drew: Too many organizations create an incident response plan and then set it on the shelf and never look at it again. Incident response policies should be manuals that are regularly tested, ideally a couple of times a year, where you put various elements of the incident response policy into real-life scenarios such as a tabletop exercise. The response plan has to be succinct and to the point, without meaningless jargon or filler. When a crisis hits, you need someone to be able to look at it and know exactly what they need to be doing in that moment to triage the event, assess and minimize any risk, and then do a root cause analysis.
Practicing the incident response plan on a regular basis not only ensures that your plan functions as it’s supposed to, but it also serves as a forcing function to make sure it’s current and updated. You might have contact information for key people — someone in sales that’s helping to understand if there are customer inquiries coming in related to the incident, someone in marketing who’s managing social channels, a team leader or point person running the play out of the CISO’s organization. If you don’t practice this plan you’re not going to notice that maybe someone has been promoted to a different role or left the organization, and if you get to a place where you’re in an actual incident, basic things like that contact information being out of date can put you dead in the water.
The second thing you have to do is find champions and get teams involved in the incident response process. Engineering, sales, marketing — they’re the best eyes that you have. They’re the ones that are going to spot something and can help you cut these events off at an earlier stage.
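Two points from this recap share one mechanical check: the observation in answer 1 that many compliance tasks are comparisons of one list against another, and the warning above that an untested incident response plan silently accumulates stale contacts. The script below is an added example, not Secureframe's or Drew Daniels' code. It reconciles a constructed IR contact roster against a constructed employee directory; the role names, the directory fields (`department`, `status`) and the sample people are all assumptions made for the illustration.

```python
"""Reconcile an incident response contact roster against the directory.

Added example (not Secureframe's or the speaker's code). The roster,
directory, role names and field layout are constructed assumptions.
"""

# Roles the plan must staff (assumed set, modelled on the answer above).
REQUIRED_ROLES = {"incident commander", "sales liaison", "social channels", "legal"}

# Constructed roster as it might appear in a plan written months ago.
IR_PLAN_CONTACTS = [
    {"role": "incident commander", "email": "jo@example.com", "department": "security"},
    {"role": "sales liaison", "email": "sam@example.com", "department": "sales"},
    {"role": "social channels", "email": "mel@example.com", "department": "marketing"},
]

# Constructed directory export reflecting today's org: sam moved teams,
# mel has left, and nobody was ever assigned for legal.
DIRECTORY = {
    "jo@example.com": {"department": "security", "status": "active"},
    "sam@example.com": {"department": "customer success", "status": "active"},
    "mel@example.com": {"department": "marketing", "status": "departed"},
}


def reconcile(expected, actual):
    """Generic list-vs-list comparison: what is missing and what is unexpected."""
    expected, actual = set(expected), set(actual)
    return sorted(expected - actual), sorted(actual - expected)


def validate_roster(contacts, directory, required_roles):
    """Return (role, problem) pairs for every contact that would fail in a live incident."""
    issues = []
    for c in contacts:
        entry = directory.get(c["email"])
        if entry is None:
            issues.append((c["role"], "contact not found in directory"))
        elif entry["status"] != "active":
            issues.append((c["role"], f"contact is {entry['status']}"))
        elif entry["department"] != c["department"]:
            issues.append((c["role"],
                           f"contact moved from {c['department']} to {entry['department']}"))
    # Role coverage is the list comparison from answer 1 applied to the plan.
    missing_roles, extra_roles = reconcile(required_roles, (c["role"] for c in contacts))
    issues.extend((role, "no contact assigned") for role in missing_roles)
    issues.extend((role, "role not in the plan's required set") for role in extra_roles)
    return sorted(issues)


if __name__ == "__main__":
    for role, problem in validate_roster(IR_PLAN_CONTACTS, DIRECTORY, REQUIRED_ROLES):
        print(f"{role}: {problem}")
```

Run on a schedule, or as part of the tabletop exercise, this turns "someone left and nobody noticed" into a report the CISO's team sees before the incident rather than during it. The same `reconcile` helper is the shape of most of the tedious compliance checks mentioned earlier: an expected list from the policy, an actual list from the system, and the two differences between them.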
5. What are some of the basic safeguards that a CISO should have in place around an information security policy?
Drew: In my experience, an information security policy has been an inward-facing document meant to help identify and isolate the requirements you want employees to adhere to. So an information security policy is going to include acceptable best practices. It’s also going to focus on how the organization will enable employees to be part of the security program, not part of the security problem.
Don’t write an information security policy that’s generic and doesn’t make a lot of sense to your employees. Get input from other leaders about requirements and hold them accountable. As I referenced earlier, anyone can spin up new technology given the right access. So unless security is making the determination for every one of those things—which I would not recommend because it’s going to be a bottleneck—you need to be able to democratize aspects of information security out to the leadership team so that they know: this is a do, this is a don’t, approve this, don’t approve that. That’s the key.
6. With the current state of the economy, we all have limited budgets. How can CISOs best prioritize? What cybersecurity services should they consider outsourcing?
Drew: Some of you may be facing factors where you have to cut, and there’s an emphasis on the effectiveness and efficacy of your program. You have to be able to show where you started and where you are now by spending the dollars and the resources that you have wisely. How is the thing you’ve invested in benefitting the organization? You have to be able to show KPIs and metrics that help prove that fact. If you can’t do that, you’re more likely to find yourself in a situation where the budgetary powers that be will say you haven’t proven that you need as large a budget. Oftentimes security gets tripped up by using too much technical jargon and not enough common dialogue so that people understand what that program is and why it’s important.
I do believe that if you’re doing governance, risk, and compliance (GRC), you should outsource some of that. You should have checks and balances in place to make sure you’re still getting the efficacy of the program that you want, but it all goes back to what I said at the very beginning. In the end, a lot of tasks in compliance are repetitive and tedious and happen on a specific cadence. If you don’t automate, you’re going to have to dedicate resources to work on tasks that I don’t think I’ve ever seen a compliance person truly enjoy. Personally, I want people on my team that want to do something innovative, stretch their brain, and get more knowledgeable in the space.
It’s really hard to find good security professionals. Look for people within your organization that you can train up and turn into more of a security person because they’re eager and they’re already committed to your vision, mission, and values. I often do this with DevOps where I have them take on a blended SecOps role by showing them how to automate some of the security infrastructure and then having them manage it for the organization.
CISOs should be investing in things that help them automate manual processes so that they can focus their team and themselves on higher-priority projects within the business. Give your team opportunities to learn and grow in their role by doing other things than manual tasks.
Enable the people on your team to be successful by offering a guiding hand without them having to come to you with everything. As an example, at a previous organization, I wanted them to build a completely automated vulnerability management process that involved spinning up some scanning resources. It was something completely foreign to the team so I walked them through how I’d done it in the past using Terraform and how this could be done fairly simply. They were able to design and build it.
Give your team big, audacious projects where they can have some real ownership and grow in their career while serving as a coach and mentor to help and provide guidance along the way.
Stay tuned for the next Secureframe Office Hours | Ask an Expert
We’re going to continue to host regular Secureframe Office Hours throughout 2023. Stay tuned for updates or view our past webinars on demand.