As CISO, especially in a new organization, you need to balance being a cybersecurity guru with business acumen. Of course, you will also need to create a cybersecurity strategy (or revise it if one exists), create a budget, and build your team, while also spending time managing the expectations of your stakeholders.
Below are the 7 essentials of starting your CISO role:
- Do you know what you are doing in your next 100 days? Do you know all your assets and crown jewels, and are they reflected in your 100-day plan?
- What is your Incident Response Plan? Are you ready to recover from a cyber attack? Did you assess the organization and present the findings to the board?
- Are you up to date? Did you prioritize the essential 10-15 key controls (the critical few)? Are they tested and ready for coverage and maturity?
- What is your scope? Are roles and responsibilities defined in writing and assigned to accountable executives and their teams?
- Do you have a measurable cyber-resilient culture change program in place? Don’t forget it’s the CISO’s priority to work with the CEO and Board to create an organization-wide cyber culture, with Assume Breach in mind.
- Do you know your key customers? Did you start to reach out to them and build or strengthen relationships?
- Create and define your partners! Leverage new innovations.
Where do CISOs stand today?
The role of chief information security officer (CISO) is not what it was five or 10 years ago. According to those who find themselves in the role today, that’s not necessarily a bad thing.
In the past, chief security officers (CSOs) were over-glorified IT security administrators, babysitting the firewalls, arguing with software vendors over botched antivirus signature updates and cleaning spyware off infected laptops and desktop PCs. True, that’s still the role some CSOs in the Middle East region find themselves in, but for the majority the responsibility has shifted to looking at the big picture and designing the programme that balances acceptable risks against the unacceptable.
In an ideal world, today’s CISO hires someone else to handle all those technical security tasks. Of course, the question is whether you can inspire them to do what you once had to do or if you’ll turn them off with an attitude of superiority.
Being a CISO used to be a hard-core cybersecurity role; today, however, the function of the CISO involves much more business leadership and risk management. A CISO must be able to help executives at C-suite level understand that security is as much about risk as it is about bits. CISOs in any enterprise organization in the Middle East must have the skills to explain security to non-techies, build and maintain critical relationships and communicate at both senior and operational levels. Soft skills are critical to evangelizing security initiatives and celebrating wins, which need to be expressed as business outcomes.
Cybersecurity is gaining importance due to the increased number of cyberattacks and the huge losses that victims are reporting. However, in many organizations the implementation of cybersecurity comes as a consequence of a threat or an attack. Organizations can decide to mount reactive, proactive or operational cyber-defenses, or a combination of the three, depending on financial capabilities and levels of exposure to threats. A CISO will go through the three types of approaches to implementing cybersecurity and help the organization choose the optimal cyber-defense strategy.
The best ways to foster an atmosphere of innovation
Everything starts with building a team you can rely on, a team that can take ownership of client problems, a team that can benchmark against the best. As a leader, a CISO’s prime focus should be to create a culture of innovation and build effective teams that can focus on the work that needs to be done. We need to embrace experimentation and risk, as well as listen to the teams we build and challenge them as necessary. If you can empower your team with leadership that inspires and values them, an atmosphere that fosters innovation will eventually manifest itself.
What is a Cybersecurity Strategy?
A cybersecurity strategy is a plan for managing organizational security risk according to a defined risk tolerance so that the organization can meet its business and organizational objectives and goals. In addition, the cybersecurity strategy shouldn’t focus on being as secure as possible, but on being as secure as necessary; for that to happen, you must balance security investments to keep security assurances strong.
Once you do that, you also need to understand the ‘threat actor factor’. Sophisticated attackers will only choose avenues that they can exploit successfully. If you look for the weakest links, know your vulnerabilities, avoid misconfigurations, minimize human error and have vendors you can trust, you should be okay, and this will build even more confidence in getting the right support from the business as well as the IT teams.
How CISOs can reduce risk?
Microsoft Offers ‘Insights for the Progressive CISO’ to Cyber-Security Pros
CISO Definition by Wikipedia
A chief information security officer (CISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing, and maintaining processes across the enterprise to reduce information and information technology (IT) risks.
They respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance (e.g. supervises the implementation to achieve ISO/IEC 27001 certification for an entity or a part of it). The CISO is also responsible for protecting proprietary information and assets of the company, including the data of clients and consumers. CISO works with other executives to make sure the company is growing in a responsible and ethical manner.