CISO to CISO
One of the few constants in cybersecurity is change: change in the threat environment, in the sophistication of attacks, in the tools bad actors use, in the availability of resources, and the list goes on.
The IT community has long been a valuable source of information and support for security leaders, who must keep pace with change. Recognizing this, Open Systems established SEC.OS: Security Experts Circle – Open Systems. This invite-only group consists of North American and European-based cybersecurity experts who meet periodically to build relationships, collaborate, share information and hear from guest experts – all in the context of an “off-the-record” discussion.
Recently, SEC.OS gathered to hear from Neil Daswani, Co-Director of Stanford University’s Advanced Security Certification Program and formerly with Twitter and LifeLock. During his session, Neil took a deep dive into many of the top-of-mind topics facing enterprises today. Below are four key recommendations he agreed to share:
Work From Home
With so many employees working from home (WFH) month after month due to the COVID-19 pandemic, enterprises face a new challenge in managing potential breaches: they now lack visibility into the security setup of their home-bound employees. Traditional security models and compliance-based programs may fall short in providing adequate monitoring or protection. Multiple solutions, however, can help enterprises regain control of their employees’ hardware and software.
Neil’s POV: Many companies are on the path to adopting Zero Trust Network Access (ZTNA), in which identity becomes the new perimeter and the way to regain visibility. However, ZTNA is not one-size-fits-all and can take significant time to implement depending on the current state of your network, the overall sophistication of your planned implementation, and the appetite of the enterprise-at-large to adopt.
Our Tip: Compliance can help you with your security, but compliance alone doesn’t make you secure. It’s worth considering what your long-term migration to the “new normal” will be and using that as the foundation on which to build your remote access strategy. Starting with the end in mind can save your organization countless hours and dollars on engineering tasks. Additionally, finding a partner that can design in key security functions (e.g. ZTNA, CASB) as part of their network design strategy can drive greater scale, flexibility, and operational efficiency for your enterprise.
Business Needs vs. Security Needs
IT organizations have always experienced conflicts when prioritizing security needs against the needs of the business. This has been especially true as the economy fluctuated throughout 2020.
Neil’s POV: One practice for speedily resolving such conflicts is to always prioritize business needs first. Your mindset must be that security exists to support the broader business, and you must understand your business. For any change to stick, a business case must be made for a new security measure, linked to the overall company objectives.
Our Tip: A deeper understanding of business priorities not only creates a healthy balance between business and security needs, but also strengthens your security posture overall, as you come to understand what matters most to your enterprise.
Internal Buy-in, Funding & Support
Many CISOs face challenges obtaining funding for new security initiatives, even ones upper management has already approved.
Neil’s POV: Build good relationships with managers outside of security and IT who can advance your cause. You can become a trusted advisor to these people by sharing stories that illustrate how breaches occur, the real and potential impacts of breaches, and how to mitigate them. This approach can help you secure knowledgeable allies to secure funding.
Another successful approach is to use internal audits to build support for a CISO’s projects and priorities. Audits, along with the auditors, can help illustrate the factors influencing recommendations and drive home the business case.
Our Tip: Find allies who can support you, and get them on your side by sharing stories and information. A third-party opinion, such as an audit, can at times be helpful as well.
The Pandemic Accelerated Cloud Adoption…Mostly
Cloud adoption has definitely been pivotal for business continuity during the COVID pandemic – but not without issues.
Neil’s POV: While cloud apps like Office 365 and Zoom have been helpful, the increased threat of cyberattack requires organizations to closely review the effectiveness of their security controls to ensure the apps don’t become opportunities for intrusion.
Despite the advantages, however, not all organizations are moving to the cloud faster than they were pre-COVID. Continued reluctance, primarily due to management teams not recognizing how the cloud can transform their organizations, is the key reason for this.
Our Tip: Cloud adoption is here to stay. Like any new adoption, however, it should be implemented with potential risks and their mitigations in mind.
We launched our Security Experts Circle (SEC.OS) as a global forum for security experts to connect and learn from peers working across a variety of industries and geographies.
Our quarterly roundtables with senior leaders in Europe and the Americas are lively and informative, with participants discussing a variety of timely security-related topics. The group offers suggestions, observations, points of view, and insights drawn from their own hands-on experience.
In addition to Neil, upcoming speakers include Serge Droz, Chairperson, FIRST (Forum of Incident Response and Security Teams), and many others.
Interested in joining other industry leaders? Learn more about how you can join SEC.OS here.