Organizations today have different security challenges than a decade ago. Cybersecurity used to be a specific function with a fairly narrow purpose, but now it’s a multifaceted strategy that must be embedded and instilled throughout an entire company. Everything from internal processes to how applications are built, or how matters of security risk and governance are discussed, can have a huge impact on an organization’s overall resilience to cyberthreats. The role of a Chief Information Security Officer (CISO) should be to cover all bases and take an overarching approach to strategic security management. Depending on the security culture already seeded within the business, however, that can often be easier said than done.
In this blog we’ll explore many of the moving parts associated with strategic security management, including the structure of security teams, how they can be managed remotely, how skills gaps can be dealt with, and how security and compliance should be embedded in software development.
What is the role of a CISO in 2022?
The role of the CISO has evolved a great deal over the past few years, and it can vary greatly depending on the type of organization. For instance, the CISO of a digital-native company with a team of remote workers might use different techniques and management styles than the CISO of a company with a more traditional office-based setup. And then, of course, there are now many organizations that operate with a hybrid working model, generating a further raft of important decisions and responsibilities that fall to the CISO.
“One common notion shared by all CISOs is that security is no longer about throwing tech stacks at problems.”
Organizations need to be more nimble and agile, so security has to be about more than simply putting up barriers; it needs to facilitate modern ways of working and feed into an organization’s overall aims, whether that’s maximizing productivity or minimizing costs.
How the structure of a security team can impact cybersecurity
The role of the CISO has broadened over the years, and this extends to security teams too, where a variety of different skills are now needed. For instance, an organization might have a security team member who focuses purely on application security, but their role would tie directly to other roles in information security, data management, and compliance. However, it’s also important to have non-technical people, such as those in roles focused purely on communication and culture, or employee awareness training.
Companies like scoutbee, which serve big client organizations, will usually have a commercial officer in charge of making sure all compliance obligations are met for each live contract. This is a perfect example of the holistic or “horizontal” approach security teams need to take for modern organizations to become more effective and resilient. There’s still a slightly archaic mindset that plagues some businesses where each department’s concept of security is siloed; they might think that all they need is an engineer or an architect, but then they realize they also need to take care of governance, contracts, SecOps and more. Soon their team budget gets out of hand. If, on the other hand, their security strategy was centralized and holistic, they could move much more quickly as a business.
How should CISOs manage staff training?
When it comes to training staff in best-practice approaches, the CISO should always avoid thinking of sessions as just blocks of time on a spreadsheet. If CISOs and security leaders get to know the staff at their organization, they will be in a position to deliver more personal training and help deal with situations as they arise. This means that staff training will benefit from more of a continuous-improvement approach. Instead of scheduling a 30-minute training session for 30 employees once a month, try building closer relationships and responding to issues on the ground, leading by example and imparting knowledge in the process.
“Remote working can actually make it easier to communicate and assist in real-time rather than tracking hours and building sessions into schedules.”
Far from hampering this approach, remote working can actually better facilitate it. As we move away from presenteeism, it becomes easier to communicate and assist in real-time rather than tracking hours and building sessions into schedules. Employees can put out calls for assistance, raise tickets, or ask for advice via live-chat. They will likely end up with even more support than they might get leaning over to ask a colleague in the office.
Continuous interrogation and security by design
Security and compliance should be fundamental aspects of software development. If a vulnerability is discovered or a breach occurs because an application didn’t have the most up-to-date patch, instead of just patching it and moving on, organizations should be assessing why it wasn’t already patched, or why the vulnerability existed in the first place. Was there an asset management issue with the system that wasn’t identified? Was the platform not functioning as intended? Were there any policy misconfigurations?
Instead of focusing on rapid remediation, it’s good to go a bit deeper and explore why a vulnerability exists or why a breach occurred. This is why it’s good to think of security as a “quality function” within an organization. If you have a team of talented developers who are great problem solvers but haven’t been trained on how to write secure, compact code, you’re potentially leaving the door open not only to vulnerabilities, but also to inefficiencies and bugs that could impact productivity.
Learn more about Greg’s experience as scoutbee’s first CISO in our Leaders in Cybersecurity and Risk podcast.