The Dos and Don’ts of Cybersecurity: 6 Tips from CISOs and Cyber Experts
Verizon's 2023 Data Breach Investigations Report revealed that cyberattacks are often executed a mere 17 days after vulnerabilities are discovered, leaving CISOs and security professionals with minimal time for breach identification and prevention.
In this race against time, understanding what must be done and what must be avoided for an airtight cybersecurity strategy becomes paramount.
That's why we've curated actionable insights from cybersecurity experts, delving into strategies for enhancing business understanding, refining communication, fostering a positive security culture, and emphasizing the significance of fundamental cyber practices.
Dive in to fortify your organization against cyber threats with knowledge and tools from some of our industry's leading CISOs, working across companies of all shapes and sizes.
Do: Explain Issues to Business Leaders in Non-Technical Terms
Secure Anchor Consulting founder Dr. Eric Cole shares his insight on why CISOs must put themselves in their non-technical colleagues’ shoes.
In his Tripwire interview, Dr. Cole emphasizes the necessity for CISOs to communicate in the language of executives and business leaders, explaining technical issues clearly to non-technical stakeholders to maintain security in an organization.
This involves translating technical solutions into business terms, like how they mitigate financial risk or comply with regulations.
Executives or board members, for example, make decisions based on the impact on the organization's risk profile and financial health. By understanding the financial implications of security measures, they can allocate resources more effectively and prioritize actions that protect the organization's assets.
But this doesn’t mean using business jargon for the sake of jargon, according to Cole. It’s about genuinely grasping business concepts to make security issues clear and relatable to executives and non-technical audiences.
“You need to get to a point of understanding,” says Cole. “[...] If you're only speaking the language [...] your lack of understanding is going to shine through. And that, unfortunately, is devastating to a CISO. Because at that point, the executives basically are going to say, ‘Okay, they don't really know what they're doing.’ And a lot of respect gets lost there.”
A recent survey from Cyber Security Hub agrees with Cole, as 72% of respondents think business acumen and communication are the most important skills for a modern CISO.
3 Ways to Enhance Your Understanding of the Business
So, how exactly does a CISO fully grasp the business they work for?
Here are three helpful strategies to consider.
- Engage in cross-departmental learning: Actively collaborate with various organizational departments, such as finance, marketing, and human resources, to gain a comprehensive understanding of the company's operations and tailor your approaches.
- Participate in business strategy meetings: Stay informed about the firm’s priorities and financial objectives to align cybersecurity initiatives with business outcomes.
- Build a cross-departmental network: Establish a network of senior members from key departments who can serve as a trusted advisory group. This collaboration offers diverse perspectives, enhances the integration of cybersecurity with other critical business functions, and means you always have a cross-functional team in your corner.
3 Ways to Communicate More Effectively in Non-Technical Terms
Once you have gained detailed knowledge of your business, how can you facilitate more productive communication in the room?
Cole offers three strategies:
- Know your audience: Executives are primarily focused on what could happen, how bad it would be, the likelihood of it occurring, and how much to spend to fix or prevent it. Have concrete answers to these questions before approaching business leaders with your strategies or concerns.
- Present both sides: Approach executives with a balanced perspective. Offer them a clear choice, like continuing current practices with a known risk, such as a 30% chance of a ransomware attack costing $5 million, versus investing a smaller amount to reduce that risk significantly.
- Avoid emotional appeals: CISOs, known for their intelligence, creativity, and drive, invest considerable effort in their conclusions. However, it's essential to present these findings objectively, helping executives make informed decisions for the organization's best interest, detached from personal biases.
Do: Double Down on Investments in Awareness Training for Employees
Sandy Dunn, a cybersecurity consultant at AICyberAdvisors and former CISO, transforms non-security employees into valuable security assets by leveraging effective communication.
Dunn recommends seeing the average employees not as the weakest security link but as key players in boosting cybersecurity.
While employees make up the majority of an organization’s attack surface, their vulnerability comes down to barriers between cybersecurity and the rest of the organization. The key to breaking down these barriers is effective communication, says Dunn.
If an employee is unaware of a crucial security-related concern, that’s a communication failure, not a failure of the individual.
Dunn argues that you can turn non-technical employees into proactive security allies:
“You want to engage people and build the human firewall. My experience breaking down barriers and engaging people has been positive. I have found most people do care, and they want to help protect their organization.”
However, they need to be given the tools and direction in order to do so.
CISOs and security teams must clearly communicate risks, threat prevention, and the role of employee actions in cybersecurity. This clarity is fostered through encouragement, engagement, and awareness training.
By tapping into employees’ willingness to learn, you can cultivate a security-conscious culture.
This means having employees who are alert to potential cyber threats, understand basic security protocols, and are proactive in reporting suspicious activities, thereby enhancing the organization's overall cybersecurity stance.
3 Ways to Build a Positive Security Culture
Here are three successful strategies Sandy Dunn implements in her organization to build a positive security culture:
- Annual awareness training: Conducting annual awareness training to cover fundamental cybersecurity practices for new employees, coupled with additional training sessions throughout the year, effectively ingrains cybersecurity into the company culture.
- Employee-focused events: Hosting Cybersecurity Awareness Month events in October and releasing monthly videos on topics like protecting personal, family, and financial data to implant better security practices in the employee consciousness.
- Embedding cybersecurity in dev teams: Working on open, friendly communication to bridge the gap between cybersecurity experts and developers. This builds trust and sparks honest conversations. The goal? To craft solutions that cleverly combine security measures with development objectives, ensuring everyone's on the same page.
Do: Focus on Consolidating Security Platforms
Check Point's Field CISO, Pete Nicoletti, sheds light on the advantages of security consolidation, complemented by Cameron Williams, CTO of OverWatch ID, who offers best practices to achieve this goal effectively.
In an interview on CyberTalk, Nicoletti explained cybersecurity consolidation as a strategic pruning of security tools.
For example, a CISO might find that they have multiple antivirus programs that overlap in function. By consolidating, they could streamline to one comprehensive antivirus solution that covers all needs, eliminating redundancy.
In aiming for a more effective cybersecurity solution, Nicoletti points out that consolidation helps:
- Simplify management and operational costs
- Lower training needs and costs
- Improve your holistic security posture
- Improve accuracy in threat detection
CISOs should create and maintain an inventory of tools and their functions, working with subject matter experts to review and find redundancies or overlaps.
3 Security Platform Consolidation Best Practices
While each organization is unique in its cybersecurity framework and solutions, Founder and CTO of OverWatch ID, Cameron Williams, offers these three best practices to keep in mind:
1. Make a Consolidation Plan
Before starting, always define specific goals and desired outcomes. For example, you might aim to reduce the number of antivirus programs or streamline identity management systems. A well-thought-out plan ensures you get all the essential protection and features needed for a solid security framework.
2. Check Compatibility
Confirm that the platform aligns with your other tools (i.e., analytics and monitoring). Smooth integration bolsters your cybersecurity strategy by enhancing data analysis capabilities and minimizing the need for additional resources at a later stage.
3. Run Ongoing Testing and Evaluation
Regularly evaluate and test the new solution to ensure it meets all requirements. This ongoing scrutiny enhances your cybersecurity strategy by identifying potential gaps or areas for improvement, ensuring robust and up-to-date defenses.
Williams also notes it’s essential to make sure that:
- Consolidation doesn't lead to the loss of essential features or capabilities
- Compatible technology is straightforward to install, configure, and maintain, emphasizing rapid deployment – automation plays a fundamental role.
For more details and tips from Williams, read his full interview here.
Don’t: Take a Siloed Approach to Risk Analysis
VP of GRC at Vendict Merav Vered warns against reactive, siloed cybersecurity approaches.
Merav Vered sheds light on a critical oversight in cybersecurity strategies across many companies. She argues that, too often, security strategies aren't tailored to the specific risks unique to each part of an organization.
For example, a weakness might be noticed in one department, like finance, but it doesn't get communicated to IT, who could be spotting strange network behavior. This disjointed approach to handling risks weakens overall cybersecurity.
Vered emphasizes that cybersecurity isn't just an IT issue; it intertwines with areas like physical security, human resources, and third-party risks. Not treating these areas as part of a unified strategy can lead to missing key risks, mismanaging resources, and, ultimately, a less mature cybersecurity posture.
Companies often react to breaches or focus on obvious risks in isolation, like upgrading firewalls or tightening access post-breach. This contrasts with a holistic approach that evaluates all possible vulnerabilities to create a comprehensive cybersecurity plan.
In support of this, Vered advocates for organization-wide analysis and planning across all departments. In other words, she’s calling for greater GRC maturity.
To reinforce this unified governance, risk management, and compliance approach, security professionals can:
- Regularly evaluate all potential vulnerabilities, not just digital but also physical, human, and third-party risks
- Create security policies that encompass all aspects of the organization, ensuring they are interlinked and support each other
- Utilize tools and practices for ongoing surveillance of all systems and networks to detect anomalies early
- Conduct regular training sessions for all employees to recognize potential security threats and understand their role in the organization's cybersecurity posture
Reacting to immediate threats is essential, but it should be part of a larger, well-conceived cybersecurity plan where every department is instrumental in maintaining security.
Don’t: Rush Your Choice of Vendors
These three red flags – drawn from pitches received by Richard Rushing, CISO of Motorola Mobility – are a helpful reminder of what to look out for when evaluating security solutions.
Vendors play an essential role in establishing a robust cybersecurity infrastructure, offering critical solutions for threat prevention and response, risk assessment, and fortifying defenses.
However, it's imperative not to hastily purchase a product based on its perceived alignment with your cybersecurity needs.
CISOs and security experts should conduct thorough vendor due diligence, ensuring that a vendor's product meets your specific requirements and seamlessly integrates with your current security infrastructure.
The following warnings help you make better choices when deciding on vendor products.
1. The Overhyped Fix-All
Avoid vendors offering cure-all solutions: No product can address every risk or unique cybersecurity threat, and vendors may not fully grasp the nuances of your organization's infrastructure.
For instance, when considering the purchase of an intrusion detection system (IDS), a vendor might offer a generic solution without considering the organization's unique network structure, compliance needs, and threat landscape. This can result in an ineffective IDS that doesn't address the organization's specific requirements.
CISOs should examine the solution with experts in their team and then engage vendors in detailed discussions to ensure solutions align with their specific requirements, mitigating potential issues and ensuring a tailored fit.
2. Automatic Threat Detection
Don’t work with vendors who claim automatic threat detection without explaining their approach to unknown threats.
Relying solely on "magical AI" lacks merit.
Vendors should, instead, emphasize ongoing research and a commitment to addressing industry challenges, displaying a deeper grasp of the cybersecurity landscape. While AI is reshaping cybersecurity efficiency and prediction capabilities, using it to evade complex inquiries is not a sustainable approach.
3. Failing Vendor-Risk Assessments
Third-party vendors are often the weakest link in your cybersecurity, posing threats like data breaches and information loss.
In short, CISOs should never purchase from vendors who avoid or fail vendor risk assessments. For a more detailed discussion about assessing vendors, explore our guide to vendor risk assessment.
Don’t: Focus Solely on Advanced Cybersecurity Strategies
CISO at Irwin Mitchell, Graham Thomson, argues for the renewed importance of basic cybersecurity hygiene.
Thomson emphasizes the importance of building a strong cybersecurity foundation.
Below are three essential steps he recommends for reinforcing your cybersecurity groundwork.
- Steer clear of end-of-life software: Outdated software without support or updates is vulnerable. Regularly update or replace such software to mitigate risks.
- Implement robust password policies: Encourage the use of long, complex, and unique passwords. This fundamental practice can thwart numerous cyber threats.
- Adopt multi-factor authentication: Enhancing security with MFA significantly reduces the risk of data breaches, even if a password is compromised.
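As an added illustration of these three basics (this example is not from the article or from Thomson), here is a small Python audit that runs them over a constructed inventory: it flags software whose vendor support date has passed, passwords that fall short of a length and complexity bar or are reused across accounts, and accounts without MFA enabled. The inventory, the reference date and the 14-character minimum are assumptions chosen for the example; a real audit would read the same fields from an asset register and an identity provider rather than from literals.

```python
from dataclasses import dataclass
from datetime import date
import hashlib
import re

# Assumed "today" so the end-of-life check is deterministic for the example.
REFERENCE_DATE = date(2024, 1, 15)
# Assumed policy bar: minimum length and number of character classes required.
MIN_LENGTH = 14
MIN_CLASSES = 3


@dataclass
class Account:
    user: str
    password: str  # plaintext only so the example is self-contained
    mfa_enabled: bool


@dataclass
class System:
    name: str
    software: str
    version: str
    support_ends: date  # vendor support end date from the asset register
    accounts: list


def is_end_of_life(system, today=REFERENCE_DATE):
    """True when vendor support for the system's software has already ended."""
    return system.support_ends < today


def password_weaknesses(pw):
    """Return the policy violations for one password (empty list means it passes)."""
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append("too short")
    classes = sum(
        bool(re.search(pattern, pw))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < MIN_CLASSES:
        issues.append("low complexity")
    return issues


def audit(systems, today=REFERENCE_DATE):
    """Run the three hygiene checks over an inventory and return human-readable findings."""
    findings = []
    seen = {}  # sha256(password) -> first account that used it, to detect reuse
    for s in systems:
        if is_end_of_life(s, today):
            findings.append(
                f"{s.name}: {s.software} {s.version} is end-of-life "
                f"(support ended {s.support_ends})"
            )
        for a in s.accounts:
            for weakness in password_weaknesses(a.password):
                findings.append(f"{s.name}/{a.user}: password {weakness}")
            digest = hashlib.sha256(a.password.encode()).hexdigest()
            if digest in seen:
                findings.append(f"{s.name}/{a.user}: password reused from {seen[digest]}")
            else:
                seen[digest] = f"{s.name}/{a.user}"
            if not a.mfa_enabled:
                findings.append(f"{s.name}/{a.user}: MFA not enabled")
    return findings


# Constructed sample inventory; names, versions and dates are invented for the example.
SAMPLE_SYSTEMS = [
    System("fileserver", "LegacyOS", "9.1", date(2023, 6, 30), [
        Account("admin", "Summer2023!", mfa_enabled=False),
    ]),
    System("vpn", "GatewayOS", "3.2", date(2026, 1, 1), [
        Account("jdoe", "Summer2023!", mfa_enabled=True),       # same password as admin
        Account("asmith", "Tr0ub4dor&3-is-not-enough", mfa_enabled=True),
    ]),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_SYSTEMS):
        print(line)
```

Run stand-alone, the script prints one line per finding: the end-of-life file server, the short password on both accounts that share it, the reuse between them, and the admin account without MFA; the `asmith` account passes all three checks.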
Balancing these essential hygiene practices with more advanced cybersecurity measures is the key to creating a hardy defense against a wide range of threats.
Master Cybersecurity Dos and Don’ts for CISO Success
While navigating the complex web of cybersecurity, CISOs must weave these six essential components into the fabric of their organization’s security strategy:
- Merge technical expertise with business insight
- Cultivate a culture of security awareness
- Consolidate security platforms
- Advocate for organization-wide GRC practices
- Select the best vendors
- Never overlook the basics of cyber hygiene
Your takeaway for today?
Act on these strategies, integrate them into your company’s day-to-day operations, and enhance your cybersecurity posture.
And don’t forget to subscribe to our newsletter for more actionable insights from across the cybersecurity landscape!