How CISOs Support Cyber Risk Management
February 1, 2021
25 min read
What is a CISO and what do they do?
The Chief Information Security Officer (CISO) is a security program’s leader. The CISO is responsible for establishing the organization’s security strategy and protecting organizational data.
Besides leading the security strategy, a CISO is the point of communication between the security program and other executives and decision-makers throughout the organization. The CISO communicates any changes or updates from the security program and is responsible for making sure any decisions they’ve made are executed throughout the security program.
Understanding and managing risk is a large portion of a CISO’s role within an organization — knowing where an organization’s environment might be vulnerable will help decision-makers and executives make informed decisions about the business moving forward.
We’ve compiled some advice and best practices for CISOs to successfully monitor and manage the risk in their security programs.
Common Areas of Risk
Effectively monitoring risk means knowing where to look for them. While a security program should monitor every area of an organization across every department and at every level, there are common areas of weakness that CISOs can look out for.
While this isn’t an exhaustive list, these areas are good starting points to understanding the current state and risks
Outdated Policies and Procedures
Maintaining security policies and procedures is critical to keeping your organization and data safe. The cyber security threat landscape is constantly changing, which can make it difficult to keep up with new risks and attack types.
Ideally, your security program should grow alongside any organizational changes, such as updated business goals, new technology, or changes to any organizational policies.
Regularly measure the performance of your security program according to goals set by decision-makers and stakeholders; this will minimize the amount of time a vulnerability exists due to any out-of-date policies and processes, reducing the risk the organization is exposed to.
Misconfigured, Unconfigured, or Unsupported Technology
In line with maintaining security program policies and procedures, any technology and tools used in the organization should be configured according to the established policies.
Unconfigured tools and technology can be easily exploited by attackers and bad actors; configuring any tools your organization reduces the number of ways an attacker can gain access to your environment.
Patches are often released by developers to address any performance and security issues within a software. Maintaining a regular patching schedule will reduce the amount of risk that your tools present to your environment. If your team is using a software or application that is no longer actively supported, make sure to take precautions in its configuration or the way it’s segmented in your organization.
User Access and Identities
Privileged accounts are a cyber attacker’s dream. With greater access to the environment and restricted data, a compromised account with administrative access can wreak havoc on an organization’s environment, whether directly or through backdoors and loopholes created by attackers.
Accounts with administrative privileges should be regularly monitored and deactivated when they’re not in use. Keep a log of any new accounts created and have a process in place with HR or other business areas to check the validity of any new accounts with new hires, contractors, or updates with an employee’s access.
Besides account creation and a deprovisioning process, keep an eye out for any suspicious activity such as multiple failed attempts to log in or trying to log in at times outside of a user’s normal hours.
Have a plan in place for how to respond or investigate in the event that suspicious activity is detected — responding quickly to an incident can make all the difference.
Outdated Security Architecture and Data Map
On a high level, a security architecture diagram should show the layout of your environment from the endpoints to the servers and any applications and any preventive or detective safeguards in between.
An updated security architecture and data map are valuable to understanding the way sensitive information travels through the environment and what measures are in place to protect it in transit or at rest.
Keeping your security architecture artifacts updated will make it easier to get a high-level look of the network and environment to identify any gaps and potential vulnerabilities. Planning security projects around an outdated security architecture will make it more difficult to improve your security program’s current state and might lead to redundant or unnecessary projects.
Are you doing everything you can to protect your environment?
Program Areas to Build and Maintain
Along with monitoring and working with executive leadership to monitor and mitigate risk, a CISO’s job is to establish and lead the security program’s strategy. Keeping the security program updated and in line with business goals also makes it easier to understand and communicate about any relevant risks and vulnerabilities.
While every organization should have a fully fleshed out security program, there are a few key areas that will make risk management easier.
Identity and Access Management
Identity and access management policies deal directly with the types of accounts users get, how they’re instated, and how they’re deactivated when these permissions are no longer necessary.
Formalized policies and processes in place to manage user permissions will help your organization track and manage the number of active privileged accounts in your environments at a time. Regularly managing which users have access to what data will reduce the chances of an attacker using outdated account credentials to steal information.
Third Party Risk Management
Risk in your environment isn’t the only risk to keep an eye on. Increasingly interconnected business environments between partners, vendors, and suppliers also means interconnected risks.
Managing third party risk is an increasingly important part of an organization’s security strategy, especially if third parties and suppliers handle any sensitive data or have direct access to the environment.
Conduct assessments of your third parties’ environments regularly and monitor the access that they have to your environment and when.
Security Awareness Training
Regular cyber security awareness training for all the employees in an organization is important to protecting them from threats they might encounter during their duties.
Keeping employees up to date on the latest threats and reminding them of the appropriate procedures to report or respond to a potential threat will reduce the potential for mistakes
Business Continuity Plan
Do you know what to do in the event of an incident? Can your organization function and maintain operation in the middle of an incident?
A business continuity plan ensures that you and the team understand what kind of impact an incident will have on the organization and puts a strategy in place to continue operations and work toward recovery.
Managing risk is only one of many functions that a CISO has to fulfill, but it’s one of the most important to maintaining a security program that complements an organization’s goals.