Everyone has come across the question “what keeps you up at night?” And, in fact, every vendor and consultant has exactly what’s needed to let us get some much-needed shut-eye. All of their technologies and methods play a part in the concepts below. Seasoned CIOs will look at this list and see the items as obvious. Here are seven basic assumptions that a CIO should double-check in order to better manage risk:
Every member of the IT and cybersecurity teams knows where the crown jewels are
Just because the CIO and senior IT staff know it, that doesn’t mean the incident response analysts, application developers, and help desk technicians do. These are the professionals on the front lines, and they are in the best position to detect a breach early or prevent it altogether. Answering these three questions for them can fill that knowledge gap (just remember that although everyone knows where the jewels are, they don’t necessarily need access to them):
• Where are the priority systems? Think through the whole ecosystem of the user’s interaction with those systems: for instance, key servers, databases, applications, core routers, or the dedicated VPN to your cloud services provider. Consider even your endpoints and mobile devices. Since these are commodity technologies, enable users to simply and securely back up and retrieve their critical local working files in case the hardware must be unexpectedly replaced.
• Where is critical/sensitive data stored? Many Security Operations Centers, and especially managed security services providers, monitor networks with only a vague notion of how to prioritize and triage incidents. They prioritize based on the severity of the event as defined in default settings, which don’t weigh potential impact because there is no context about the affected data. Most SIEMs can easily apply these weightings, so ensure your team uses them accordingly.
• How do we track intellectual property? Several tools allow organizations to identify controlled information in transit and at rest. Digital watermarks, file hashes, header/footer strings, and DLP are a few options to do just that. Additionally, consider the effect of cloud storage such as Amazon S3, Box, Google Docs, or Dropbox. If your organization uses these, deliberately apply the security settings available. For cloud services you don’t use, keep an eye on (or even restrict) their use from inside your organization.
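The three questions above share one piece of knowledge: a register of which systems and data are the crown jewels. The following added example (not from the original article or any vendor product; asset names, severities, marking strings and sample events are constructed for illustration) shows that register doing double duty. First it re-weights a SIEM event's default severity by asset criticality and data sensitivity, so that a medium event on the HR database outranks a critical event on a lobby kiosk. Second it flags controlled content using two of the options listed, file hashes and header/footer marking strings, and shows where each one falls short.

```python
"""Constructed example: a crown-jewels register drives SIEM triage and
controlled-data detection. All names, scores and sample data are made up."""
import hashlib
import re

# Hypothetical crown-jewels register. Criticality runs 1 (low) to 5 (crown jewel);
# "data" names the sensitive data class stored on the host, if any.
CROWN_JEWELS = {
    "db-hr-01":     {"criticality": 5, "data": "PII"},
    "app-billing":  {"criticality": 4, "data": "PCI"},
    "vpn-cloud-gw": {"criticality": 4, "data": None},
    "kiosk-lobby":  {"criticality": 1, "data": None},
}

# Default (vendor) severity levels as a SIEM would emit them.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def triage_score(event):
    """Re-weight an event's default severity with asset context.

    Default settings rank on vendor severity alone. Here the score is
    severity x asset criticality, plus a fixed bump when sensitive data lives
    on the host. A host missing from the register gets a middle criticality
    so that gaps in the register stay visible instead of sinking to the bottom.
    """
    asset = CROWN_JEWELS.get(event["host"], {"criticality": 3, "data": None})
    score = SEVERITY[event["severity"]] * asset["criticality"]
    if asset["data"] is not None:
        score += 3
    return score


def prioritize(events):
    """Return events ordered highest triage score first."""
    return sorted(events, key=triage_score, reverse=True)


# Header/footer marking string the hypothetical organisation stamps into
# controlled documents (one of the article's detection options).
CLASSIFICATION_MARK = re.compile(
    r"^(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE | re.MULTILINE
)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_content(data: bytes, known_hashes: set) -> list:
    """Return the reasons a blob counts as controlled (empty list if none).

    Hash matching is cheap and exact but any edit to the file defeats it;
    the marking string survives edits but only works when the convention is
    actually followed. Running both shows why the article lists several options.
    """
    reasons = []
    if sha256(data) in known_hashes:
        reasons.append("hash-match")
    text = data.decode("utf-8", errors="replace")
    if CLASSIFICATION_MARK.search(text):
        reasons.append("marking-string")
    return reasons


# Constructed sample SIEM events. On vendor severity alone the order would be
# 1, 3, 2, 4; with asset context the HR database export comes first.
SAMPLE_EVENTS = [
    {"id": 1, "host": "kiosk-lobby",  "severity": "critical", "rule": "malware-detected"},
    {"id": 2, "host": "db-hr-01",     "severity": "medium",   "rule": "bulk-export"},
    {"id": 3, "host": "vpn-cloud-gw", "severity": "high",     "rule": "brute-force"},
    {"id": 4, "host": "unknown-host", "severity": "low",      "rule": "port-scan"},
]

# Constructed controlled document and the hash registry built from it.
SAMPLE_DOC = b"CONFIDENTIAL - Q3 roadmap\nDo not distribute.\n"
KNOWN_HASHES = {sha256(SAMPLE_DOC)}


if __name__ == "__main__":
    for ev in prioritize(SAMPLE_EVENTS):
        print(f"score={triage_score(ev):>2}  event {ev['id']}  {ev['host']}  {ev['rule']}")
    print(classify_content(SAMPLE_DOC, KNOWN_HASHES))
    print(classify_content(b"CONFIDENTIAL - Q3 roadmap (v2)\n", KNOWN_HASHES))
    print(classify_content(b"lunch menu\n", KNOWN_HASHES))
```

The register is the part the article says everyone should know; the scoring weights and the marking convention are the part the SIEM and DLP tooling can apply once someone has written them down. Keeping the unknown-host fallback at a middle score is deliberate: a host the security team has never heard of is itself a finding.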
Good operations and maintenance just happens
The recent Equifax breach was just the latest in a long string of examples where routine O&M would have been well worth the savings in time, money, and reputation. If your IT shop is filled with heroes who constantly tackle break/fix tasks, that’s a strong indicator that change management is subpar. Put time in your team’s project schedule to handle the inevitable O&M tasks. How much time, you ask? Just look at how late the last few major projects were, or how far lower-priority projects got shifted to the right.
Operational teams have visibility
Unify visibility wherever practical. Consider the integration of ticketing systems and IT workflow orchestration. The sector has improved over the years, but all the operational stakeholders must be part of the decision. Key data fields can make or break an orchestrated solution, and your organization’s various operational teams can tell you what their unique needs for those fields are. Achieving unification is especially challenging for organizations going through mergers.
Most cybersecurity organizations segregate security systems from the production systems. Over time, there’s an increased cost to maintain separate security infrastructure, Active Directory domains, and hardware or VMs. Depending on the risk profile of the systems being monitored, there may be opportunities to separate these logically while retaining the proper ability to control access, monitor, and respond.
Professional development is thoughtfully invested
Sending someone to NewStuffCon because they did an excellent job isn’t the best value. If you don’t know where to start, NIST maintains the National Initiative for Cybersecurity Education (NICE) framework, which can help you structure a comprehensive education plan. Some dynamic vendors are bundling specialized cybersecurity training with other services such as phishing exercises. Finally, cross-training IT personnel can give your team exposure to cybersecurity skills they can apply to their specific areas of expertise.
Real cybersecurity incidents are used to review plans
Cybersecurity incidents are inevitable. Your incident response team should periodically select key incidents, particularly those that got leadership attention, and review how the event happened and how it was identified, analyzed, contained, remediated, and communicated. Analyze activities that deviated from the plan. Real-life involvement is always more effectively internalized than the best-laid plans.
Adequate time and energy go into planning
Security is an integral part of IT architecture, and the converse is true as well. Too often, organizations develop system designs, send off the final draft diagrams for security to review, and then become frustrated at the many changes. Security should be fully integrated into the overall design from the onset.
Developing requirements is well worth the time and energy. If a requirement is defined as a specific technology, keep clarifying until the need is spelled out as an expected design function and/or outcome. Consider the risk tolerance of the organization and the risk profile of the system. Don’t develop security requirements that exceed the needs of the system.
Managers know the difference between “best practices” and opinion
This is usually synonymous with “this is the way we’ve always done it”. A real best practice will be documented in guidelines from reputable professional organizations and will have implementation standards. There’s a reason they’re endorsed by large constituencies within a profession. The individual opinions of key team members are valuable, but people must be able to articulate their reasoning, not necessarily on the spot during a heated meeting but at least over several discussions with colleagues during planning.