February 7, 2023
"The best advice I can offer any CISO is to develop agile work methodologies. Make sure you can evolve your processes smoothly and quickly without disrupting your critical mission.
Both the organizations CISOs serve and the adversaries they face have become nimbler. CISOs who cannot move at the same pace will fail.
The second point is that CISOs should seek out opportunities to collaborate with peers: that means other security professionals, even if they're working for other companies. Attackers are working together as a community in the digital underground to compromise our organizations. To counter this cooperation, we need to do the same with one another.
Last but not least, CISOs should develop a risk-based prioritization when it comes to managing cyber security. In the world of cyber defense, there is always more to do than time or resources will allow. If a CISO does not have a way to prioritize the most important work using risk reduction metrics, they will not optimize their efforts, leaving themselves unnecessarily vulnerable."
"Optimizing for risk-based prioritization has been a central goal of mine as a cyber security professional and it remains a central focus for me for 2023."
"CISOs have to have a sense of company hygiene. Very often, CISOs come into a company with a checklist of tasks needed to secure the network. But they lack an understanding of where the company is headed as a business, what their long-term plans are, who they're trying to serve and how. I've found that CISOs are most effective when they approach security with this understanding always in the forefront of their minds.
Second is finding efficient methods to maintain data visibility. There are plenty of legacy platforms out there for monitoring machine-generated data. But they're quite costly. And as the volume of data companies are dealing with increases, keeping an eye on all of it will be very expensive. In general, I believe CISOs need to be much more choosy when deciding which information they hold on to 'just in case.' Sure, there are legal requirements for holding on to certain data. But at the end of the day, the question is: what do you really need to get the job done?"
"Bringing the perspective of cyber hygiene and orienting security efforts accordingly is a major goal of mine for the coming year."
"Number one on my list is ROI quantification when investing in cybersecurity. Quantifying your cyber risk instead of qualifying your cyber risk, in my opinion, allows the CEO to articulate better in front of the board and their executive team. In order to do this, however, you need quality data: data on threat trends, who those threats affect, and the cost-benefit comparisons for investing in a security measure versus not investing in it. Being able to present this information to other executives and the board is key to justifying budgetary requirements and getting the resources you need for you and your team."
"The need for quantification is why I emphasize to my team that we're always in the process of learning. I mean, how else are we able to become aware of new risks and how to adjust our systems accordingly if we're not learning? So I'm a student like everyone else and I hope to continue adopting that attitude into 2023."
"It's important to remember that cybersecurity is not a sprint. It's a marathon. This means we must stay true to basic cyber hygiene and continually test, train and exercise to build resilience into environments. Understand your security gaps of greatest risk to prioritize risk mitigation actions. Have a CISO playbook to ensure the best utilization of people and technology resources with attention to governance and industry standards. Leverage automation so you can begin to offset cyber talent shortages. As the threat landscape changes, CISOs must make strong business cases to secure additional funding when needed to take necessary actions. And, don't forget, you're never on your own. Forge your CISO relationships to maintain open dialogue on critical issues facing our industry. We're all in this together."