We recently held our second annual CISO roundtable, which brought together fifteen CISOs for a candid conversation about their concerns, challenges and advice on protecting their organizations. Last year’s roundtable showed that Long Island has a security community that’s hungry to learn and grow from each other. This was also evident from the attendance at the first BSides Long Island, which was held in January. It was no surprise that our second roundtable was just as lively and informative as these two events. Throughout the agenda for the night the topics ranged from continued challenges to improvements and future considerations. We’ll briefly touch on a few throughout this blog so the extended community can learn from their wisdom and insights.
One area that was continually pressed upon was how to communicate effectively with the boardroom. The CISO role is one that requires persuasive and communicative skills to educate the enterprise about the current and future risks to the organization. Through this topic of conversation the tenured CISOs gave some sage advice when it came to their boards. The first theme was to never use fear, uncertainty and doubt (FUD). There’s a time to show the risks, but using FUD is never a viable strategy to secure the organization for the long run. Also, it was helpful to create “Executive Cheatsheets” when presenting to a non-technical audience and to keep things as visual as possible. Treating the presentation as a way to tell a story and get your point across, without confusion, has been successful for the CISOs when speaking to their boards. They also mentioned that being able to show comparisons of where their program was last month, quarter, and year was helpful to show both maturity and additional areas of improvement. They said this is even more powerful when you can compare your organization against peers in your vertical to show how well you measure up against an industry standard. Lastly, having a “Board friend” is very helpful when it comes to getting your point across. Building relationships with those on the board helps by having someone else assist with solidifying your position. This doesn’t happen during boardroom meetings; it happens throughout the year, and finding a security champion on the board is helpful when it comes to implementing change. This helps create a benchmark that can be built upon and that doesn’t rely on FUD to scare the board into compliance.
Third Party Vendors and Mergers & Acquisitions
We heard quite a bit about third party vendors and mergers & acquisitions during this discussion. This is an area that all CISOs are looking to tighten. It’s a constant concern when it comes to having your data sent to another party, or acquiring or merging with another organization. The common suggestion throughout the conversation was to “Get legal involved early and often,” and this is a theme that we’re seeing quite frequently too. Legal and information security need to be tied at the hip when it comes to dealing with data or systems when an outside party is involved. Also, having a standard questionnaire to initially assess the risk of the other party was required, but very difficult to get others to standardize on. It was a common area of pain for them to have assessments requested in different formats depending on the third party. Utilizing tools like the BITS “Shared Assessments” program is helpful, but they aren’t as widely accepted across all industries. This caused many organizations to create their own assessments, which override some of the commonly used frameworks in place. Lastly, while the focus of CISOs has heavily been on how third parties handle the security of their data, the focus is now moving further down the supply chain to “fourth parties.” No longer are organizations just worried about how third parties handle data; they want to know where these parties are sending that data in turn and how it’s being secured throughout the entire lifecycle (the fourth party). This was another area where they advised having legal heavily involved to review contracts and risk. It also changed the way many of them performed incident response, based on the supply chain of data custodians.
CISO Thought Leadership
In this section I’d like to briefly mention a few areas of opinion that our CISOs brought up, which you can use to form your own educated hypotheses.
It was mentioned that in order to have a successful program, all security departments need to be within the path of change management. This means the information security team should have a voice, and potentially veto power, when it comes to changes within the organization. This provides insight into everything occurring in the enterprise, without surprises, along with an audit trail.
Cybersecurity is being used today as a selling point. Many times organizations are using their compliance, security posture, and program as a selling point to new clients. The world is taking security seriously from a business perspective and it’s starting to hit the bottom line. The CISOs spoke about how they’re starting to be seen as a selling point, instead of a cost center.
Lastly, the push for continuous security, especially in penetration testing and vulnerability management, was extremely important. They don’t want to see reports on how they were secure a quarter, month, week or even a day ago. They want something that’s going to continually probe their environment to validate that they’re secure. Checkbox security is still present when it comes to regulations, but the security mindset of wanting to verify their security and continually search for risks is what they’d prefer, and it is how most regulations are now being written.
This is just a small overview of the two hour conversation that was held during our second roundtable. I personally learned so much from the experience of the CISOs in the room and how they’re dealing with the ever changing landscape of risk and compliance. We’ll continue to schedule CISO Podcasts over the next year, but we’re already looking forward to the third annual roundtable next year.
Author Bio: Matthew Pascucci is a Security Architect, Privacy Advocate and Security Blogger. He holds multiple information security certificates and has had the opportunity to write and speak about cyber security for the past decade. He’s the founder of www.frontlinesentinel.com and can be contacted via his blog, on Twitter @matthewpascucci, or via email firstname.lastname@example.org