Cybersecurity has become a serious concern for companies as hacking events have increasingly run rampant. Despite the constant efforts of companies to satisfy security standards, these events continue unabated. I would suggest that companies are prioritizing the wrong things when attempting to guard their critical infrastructure against cybercrime. Given the continued increase in breach events, I think companies become dangerously complacent with security once their compliance requirements are met. In my previous position with a major payment card brand, I investigated merchant breaches. In that position, I studied countless merchant breach reports where the victims had met compliance requirements, yet still experienced a breach. In many cases, these victims also ended up on the front page of major news outlets. I was left asking myself: how do these breach events still happen when these companies are proving they are compliant with security regulations? It soon became clear to me that simply meeting compliance requirements is insufficient. While I do think compliance can be a good and even necessary part of any effective security strategy, no strategy should end with compliance. Over the years, I have learned that real security strategy starts once you begin implementing a risk-based approach aligned with your business initiatives. Once you start examining your security posture through the lenses of cyber risk and business alignment instead of mere compliance, you will begin to see compliance initiatives easily falling into place. In other words, compliance doesn't equal security, but security equals compliance.
Major Issues with Cybersecurity Compliance Enforcement
Working with different companies, I have observed that positive compliance reports lure CEOs and board members into a false sense of security. This puts a Chief Information Security Officer (CISO) in an awkward position, because these reports go up the hierarchy to CEOs, CIOs, CFOs, and board members, who flip to the last page, see the compliant stamp, and conclude they "are secure." These reports can bolster false notions of safety, causing executives to direct resources into other company initiatives. These high-level decision-makers don't intend to put their company in danger; rather, they have not been adequately educated about the critical differences between compliance and security. It is the security officer's responsibility to seek out these decision-makers and educate them on how compliance reports differ from a risk-based approach to security that aligns itself with the organization's business initiatives.
Effective Measures to Address Security Enforcement Challenges
In some ways, doing so is as simple as going back to the fundamentals. Identify your most vital data and make sure you have the right controls in place to guard it. Too often IT teams get overwhelmed with endless requests for enhancements, upgrades, and quick-to-market solutions, unfortunately resulting in security taking a back seat to delivering on business expectations and timelines. However, is it not a business expectation that we keep company and customer data protected? I think we can achieve the best of both worlds by focusing on the basics. Best security practices like network segmentation, identity and access management, patching, encryption, and two-factor authentication are all things IT and security teams should employ. But where does one start, and how does one get there? I highly recommend you begin with the book "Secure Enough" by Bryce Austin. It is a quick read that highlights the table-stakes questions and methods business leaders should consider when thinking about cybersecurity and protecting their most crucial assets. This book is available on Amazon and should be on every business leader's desk.
"Compliance doesn't equal security, but security equals compliance"
Identifying the Right Technology Solution Provider
When contemplating the deployment of a new technology, I usually ask other security leaders who have already used the technology in their organizations and appraise it through their evaluation. Additionally, having your technology providers prove they can deliver what they are selling is important in ensuring your deployment will be successful should you let them win your business. I recommend putting two or three technology solution providers head to head against one another to see who comes out on top. To make sure these proof-of-concept exercises are successful, give all of them clearly documented success criteria. If one of the providers doesn't meet your success criteria, they don't make the cut. Keep in mind that success criteria should go beyond discovering whether the solution actually works or not.
Advice to Others in the CISO Position
First and foremost, get involved in the CISO community. If you don't have a CISO community in your area, start one. There will be others hungry to have someone else to share expertise and experiences with. Consider that today's CISO has every disadvantage in the world. Our adversaries have us outfinanced and outmotivated. They are not limited by budget cuts or requests for extra full-time staff. They don't have the added stress of handling corporate bureaucratic procedures, personnel issues, or politics. Bottom line, they always have the advantage. Our only chance to be in the proper position to respond to the inevitable is if we gather as industry leaders, check our industry-related competitive egos at the door, and start sharing our experiences and knowledge with one another. Let's be honest, we need all the help we can get. By getting involved in your local CISO community, you will find a group of peers who struggle with the same challenges you do and want to help. Lastly, I recommend getting involved in the Security Advisor Alliance (SAA), a non-profit organization created by the CISO community. The SAA's charter calls us to align our security leaders, grow the security space, and give back to our communities. These sorts of initiatives not only help educate the next generation of security leaders but also move our industry forward in a positive direction. We can absolutely meet these challenges if we work together.