Embedding cybersecurity as a culture within an organization

Written by Greg van der Gaast, published on 27 Jun 2022

Guest Author: Greg van der Gaast, CISO at Scoutbee

Organizations today have different security challenges than a decade ago. Cybersecurity used to be a specific function with a fairly narrow purpose, but now it’s a multifaceted strategy that must be embedded and instilled throughout an entire company. Everything from internal processes to how applications are built, or how matters of security risk and governance are discussed, can have a huge impact on an organization’s overall resilience to cyberthreats. The role of a Chief Information Security Officer (CISO) should be to cover all bases and take an overarching approach to strategic security management. Depending on the security culture already seeded within the business, however, that can often be easier said than done.


In this blog we’ll explore many of the moving parts associated with strategic security management, including the structure of security teams, how they can be managed remotely, how skills gaps can be dealt with, and how security and compliance should be embedded in software development.

What is the role of a CISO in 2022?

The role of the CISO has evolved a great deal over the past few years, and it can vary greatly depending on the type of organization. For instance, the CISO of a digital-native company with a team of remote workers might have different techniques and management styles than the CISO of a company with a more traditional office-based setup. And then, of course, there are now many organizations that operate with a hybrid working model, generating a further raft of important decisions and responsibilities that will fall with the CISO.


One common notion shared by all CISOs is that security is no longer about throwing tech stacks at problems.


Organizations need to be more nimble and agile, so security has to be about more than simply putting up barriers; it needs to facilitate modern ways of working and feed into an organization’s overall aims, whether that’s maximizing productivity or minimizing costs.


How the structure of a security team can impact cybersecurity

The role of the CISO has broadened over the years, and this extends to security teams too, where a variety of different skills are now needed. For instance, an organization might have a security team member who focuses purely on application security, but their role would tie directly to other roles in information security, data management, and compliance. However, it’s also important to have non-technical people, such as those in roles focused purely on communication and culture, or employee awareness training.


Companies like scoutbee, which serve big client organizations, will usually have a commercial officer in charge of making sure all compliance obligations are met for each live contract. This is a perfect example of the holistic or “horizontal” approach security teams need to take for modern organizations to become more effective and resilient. There’s still a slightly archaic mindset that plagues some businesses where each department’s concept of security is siloed; they might think that all they need is an engineer or an architect, but then they realize they also need to take care of governance, contracts, SecOps and more. Soon their team budget gets out of hand. If, on the other hand, their security strategy was centralized and holistic, they could move much more quickly as a business.


How should CISOs manage staff training?

When it comes to training staff in best-practice approaches, the CISO should always avoid thinking of sessions as just blocks of time on a spreadsheet. If CISOs and security leaders get to know the staff at their organization, they will be in a position to deliver more personal training and help deal with situations as they arise. This means that staff training will benefit from more of a continuous-improvement approach. Instead of scheduling a 30-minute training session for 30 employees once a month, try building closer relationships and responding to issues on the ground, leading by example and imparting knowledge in the process.


“Remote working can actually make it easier to communicate and assist in real-time rather than tracking hours and building sessions into schedules.”


Far from hampering this approach, remote working can actually better facilitate it. As we move away from presenteeism, it becomes easier to communicate and assist in real time rather than tracking hours and building sessions into schedules. Employees can put out calls for assistance, raise tickets, or ask for advice via live chat. They will likely end up with even more support than they might get leaning over to ask a colleague in the office.


Continuous interrogation and security by design

Security and compliance should be fundamental aspects of software development. If a vulnerability is discovered or a breach occurs because an application didn’t have the most up-to-date patch, then instead of just patching it and moving on, organizations should be assessing why it wasn’t already patched, or why the vulnerability existed in the first place. Was there an asset management issue with the system that wasn’t identified? Was the platform not functioning as intended? Were there any policy misconfigurations?


Instead of focusing on rapid remediation, it’s good to go a bit deeper and explore why a vulnerability exists or why a breach occurred. This is why it’s good to think of security as a “quality function” within an organization. If you have a team of talented developers who are great problem solvers but haven’t been trained in how to write secure, compact code, you’re potentially leaving the door open not only to vulnerabilities, but to inefficiencies and bugs that could impact productivity too.


Learn more about Greg’s experience as scoutbee’s first CISO in our Leaders in Cybersecurity and Risk podcast.