Page 46 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018

Getting everyone’s buy-in on security, and creating a top-down security culture, should be a top mandate
            for any CISO.


            Failure to Communicate the Right Balance of FUD and Hyperbole


            As mentioned, CISOs need to not only communicate security’s importance to the board, but also to
            employees across the company. A certain amount of fear, uncertainty and doubt (FUD) to stress the
            importance of security measures, enforce policies and avoid complacency is necessary, but creating an
            environment of exaggerated risk is not conducive to positive change and adoption of security measures.
            Conversely, enabling employees to don rose-colored glasses is likewise not effective. Find the balance.

            Using real-world examples to educate within reason is great; however, make sure you communicate them
            in the context of your own organization and have a clear picture of your own risks as they relate to such
            stories. Offer facts and then explain what security is doing to respond and/or prevent threats in your
            organization. Even better, can you bring forward examples of what you are doing to mitigate risk and how
            it helps your business avoid becoming the next statistic?



            Failure to Adopt a Holistic Strategy

            In an excellent post on Forbes, William H. Saito, Special Advisor of the Cabinet Office and Prime Minister
            for the Government of Japan, and former Vice Chairman for Palo Alto Networks Japan, makes the case
            that it is time to stop playing whack-a-mole with threats. Randomly addressing risks as they occur does
            nothing to prevent risks overall.

            CISOs need to look at security from a holistic view, including both external and internal risk, starting with
            a big-picture concept of strategy that is unique to one’s organization, and then implement tools from there.
            Saito recommends getting away from piecemeal integrations put in place without any overarching policy,
            which translates into costly but poor integration.

            Security strategy should be proactive, with an eye on current and future threats. CISOs always should
            be striving for self-education on security trends and solutions by networking with peers, reading the latest
            news, and communicating with others in the industry.


            Failure to Use the Best Defense Tools


            New technologies bring new risks. It’s the CISO’s responsibility to understand and vet all new
            technologies a company considers for use and to comprehend the security risks for each. Additionally,
            the CISO is accountable for finding and implementing the security platforms to keep those systems
            protected, from both external and internal risks.




