Share with Your Network
CISOs today have plenty on their minds, from headline-grabbing vulnerabilities to the at-home implications of global unrest.
When you have so much fighting for your attention, it helps to prioritize. So here is a list of priorities that we think deserve the attention of CISOs right here, right now.
1. Shoring up supply chain vulnerabilities. Disrupted supply chains are impacting virtually all products and services, and they’re not likely to go away anytime soon. In addition to logistical challenges brought by pandemic illnesses and lockdowns, we’re now seeing hackers make targeted efforts to “fracture” the supply chain by exploiting known vulnerabilities in software, operating systems, and devices. (In fact, 47% of attacks against manufacturing organizations last year targeted vulnerabilities in unpatched software.) Since every organization is a link in someone’s supply chain, CISOs should investigate what they can do to protect themselves, and their own supply chain. Here’s where to start
2. Pursuing security resilience. Amid all this disruption, organizations are investing in resilience: financial, operational, and otherwise. But those investments are at risk when enterprises continue to rely on stand-alone security environments focused on threat prevention. In today’s enterprises, everything is connected and every user is a potential liability, which makes security resilience even more of a business imperative.
In a resilient security environment, companies can close the gaps to ensure everything in their infrastructure is protected, see more of the data and context that helps them anticipate what’s next, prioritize the alerts and vulnerabilities that matter most, and automate tasks that are currently consuming far too much time. Learn more here.
3. Improving board communication. It’s a rare board member who cares about CVEs, remediation SLAs, or vulnerability survival rates. What do board members care about? Risk—and what you’re doing to reduce it. Effective board communication begins with finding ways to meet board members where they operate. They want to know what’s happening to ensure the success and resilience (there’s that word again) of the business.
Key to this is showing how the security team is mitigating cyber risk and, as a result, lowering the risk that cyber threats pose to the business. Check out these three tips for improving board communication.
4. Making risk reduction a team sport. Did we mention risk? We sure did, because lowering risk should be on everyone’s mind, not just the CISO’s. If that sounds like too heavy a lift for already busy security professionals, know that it doesn’t have to be. Today’s advanced security and vulnerability management platforms use intuitive dashboards and risk scores to make it easy to know where a department or remediation team stands, and how its risk reduction efforts are improving over time. Some groups even compete against each other to see who can achieve the lowest risk score.
By making risk reduction a team sport, you create the kind of healthy cybersecurity culture that has everyone working toward the same thing. Learn how here.
5. Mitigating staffing shortages. In the battle against the cybersecurity staffing shortage, security organizations are losing. From 2018 to 2021, the number of unfilled cybersecurity jobs grew by 3.5X. In India alone, cybersecurity job openings are expected to reach 1.5 million by 2025. With more jobs than bodies, what can CISOs do?
One answer is to eschew old methods of securing the business in favor of more modern approaches that automate formerly manual tasks and take the guessing game out of determining which fixes are worth your limited time. Take vulnerability management. Many organizations still approach this vital function of their security operation by relying on scanner-based prioritization or even tracking CVSS scores and then hacking out spreadsheets to hand to remediation teams. This approach is demonstrably terrible and actually is barely more effective at reducing an organization’s vulnerability than simply randomly choosing which vulnerabilities to patch—and in fact, is just a little better than doing nothing at all.
But a highly automated risk-based vulnerability management environment that uses exploit data to gain essential context around remediation decisions can reduce your exploitability by 11X over CVSS. Get the research here.
Fight risk, not fires
It isn’t easy fighting multiple fires at once, but a proactive and effective CISO shouldn’t have to. Evolving from managing fires to managing (and minimizing) risk means understanding how to cut through the noise to see where your attention is best applied.
Topping your to-do list with these priorities might save you work (and worry) in the long run. And that would constitute a win in virtually any CISO’s book.
For more insight into instilling your role (and your security operations) with the resilience it needs to rise above the increasingly sinister threat landscape, see what Ed Bellis has to say about How Not to Be a Crisis CISO.
