Did you catch our recent webinar with SecureWorld?
CyberMaxx’s Jared Thompson, Director of Engineering, and Joe Diver, Chief Information Officer for Signature Health, discussed emerging issues in cybersecurity.
Targeted toward Chief Information Security Officers (CISOs), the two addressed how cybersecurity leaders can manage the balancing act of their roles. From offensive vs. defensive tactics to the true cost of cybersecurity to balancing budgets with strategy demands, it’s all covered here.
Drawing on the Q&A session, here are the top insights you can use to improve your cybersecurity program and build cohesion with other C-suite leaders:
What’s the value benefit of basic cybersecurity? Is it usually cheaper than not implementing the essentials?
CISOs often have to validate a cybersecurity investment. The challenge is showcasing its value to the board to get budgets approved. It’s not as tangible as other outcomes, such as revenue from sales or production from operations.
Yet, implementing basic cybersecurity measures, while seemingly a minor cost, saves more in the long term by reducing the risks of breaches and subsequent operational and reputational damage. As Jared Thompson explains:
“The investment from a cybersecurity perspective is…placing funds in an area to prevent something, hoping it never comes.”
Joe Diver then stresses the importance of educating the board on the value of implementing the cybersecurity basics, for instance by explaining:
“What impact does it [a cyber incident] mean for customers if we have this risk? And how much do we want to invest in it?”
Joe continues, “The benefits of cybersecurity may not be immediately apparent, yet the protection it offers is crucial.”
What do “offensive” tactics mean from a corporate perspective of cybersecurity?
The webinar description mentions using “offensive” security tactics, such as proactive threat hunting and attack simulations, to uncover vulnerabilities before adversaries do.
Joe Diver, for instance, explains how his organization uses phishing pen-testing to identify areas where it needs to invest more resources. The resulting metrics are then presented to the board to secure funding for remediating the vulnerable systems.
“One of the metrics we look at certainly is the results of [pen] testing. Those results go all the way up to the CEO, and we try to structure education around that…What could potentially be seen or used as an attack on our network, and how are we blocking those? How well are we doing testing? How well are we blocking threats and things of that nature?”
How do you benchmark cybersecurity program costs? Should it be a percentage of the overall IT budget, or is there another methodology?
Pinpointing a cybersecurity budget is a growing concern for CISOs. How much do you need to keep your business protected and operational? Is it a percentage of the IT budget? What does it look like based on risk exposure, industry standards, or compliance requirements?
Joe Diver explains that organizations must ask, “What is acceptable for the organizational risk management strategy?” to assess what they’re willing to invest. You also must understand that “if you’re not prepared with a disaster recovery plan and redundancy, then you could lose a lot of data…if you lose trust from customers, you’re out of business too at the end of the day.”
Regarding the budget percentage allocated, Joe states that his industry [healthcare] is at “a 2% margin most of the time,” but it ranges industry by industry.
What are your thoughts on DSPM?
Data Security Posture Management (DSPM) is an excellent tool for continuously assessing risk in order to identify and respond to threats. Jared Thompson explains his experience with DSPM and the value he sees in it:
“One of the aspects we’re really doubling down on here [with DSPM]… is the identification of it [threats], but then the response to remediation afterward…So, digging deeper and understanding how to isolate the problem has become a focus [of DSPM].”
What key indicators should prompt me to explore new cybersecurity solutions?
Like other business functions, diminishing performance tells you it’s time for a change. As Joe Diver explains:
“We have specific metrics we look at on a quarterly basis. The types of hits we’re getting [from external threats], how much is being blocked [from the network], phishing compliance rates, who are clicking the links, etc. If those success metrics are being met, then we continue. But if they’re not being met based upon the benchmarks we mutually established, then we begin to have those types of conversations.”
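The quarterly KPI review Joe describes here, and the pen-test metrics he mentions earlier as going up to the CEO, can be reduced to a small, repeatable check: compute the rates, compare them with the benchmarks agreed with the provider, and list which ones fell short. The following Python is an added illustration, not code from the webinar or from CyberMaxx or Signature Health; the simulation results, gateway block counts, department names and benchmark thresholds are all constructed sample values.

```python
"""Phishing-simulation and mail-blocking KPIs reviewed against agreed benchmarks.

Added illustration; not code from the webinar or the organizations it features.
Campaign records, block counts and benchmark values are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishResult:
    user: str
    department: str
    clicked: bool   # user clicked the simulated phishing link
    reported: bool  # user reported the message to security


# Constructed results of one quarterly phishing simulation (hypothetical users).
SIMULATION = [
    PhishResult("a.lee", "finance", clicked=True, reported=False),
    PhishResult("b.ng", "finance", clicked=False, reported=True),
    PhishResult("c.ortiz", "clinical", clicked=False, reported=True),
    PhishResult("d.park", "clinical", clicked=False, reported=False),
    PhishResult("e.ruiz", "clinical", clicked=True, reported=True),
    PhishResult("f.shah", "it", clicked=False, reported=True),
    PhishResult("g.tan", "it", clicked=False, reported=True),
    PhishResult("h.wu", "admin", clicked=True, reported=False),
]

# Constructed perimeter figures for the quarter: malicious inbound emails
# observed versus how many the mail gateway blocked before delivery.
MALICIOUS_SEEN = 1200
MALICIOUS_BLOCKED = 1140

# Benchmarks "mutually established" with the provider (hypothetical values).
BENCHMARKS = {
    "click_rate_max": 0.10,   # at most 10% of users click
    "report_rate_min": 0.60,  # at least 60% report the message
    "block_rate_min": 0.97,   # gateway blocks at least 97% of malicious mail
}


def phishing_metrics(results):
    """Click and report rates for one simulation campaign."""
    n = len(results)
    clicked = sum(r.clicked for r in results)
    reported = sum(r.reported for r in results)
    return {"click_rate": clicked / n, "report_rate": reported / n}


def block_rate(seen, blocked):
    """Share of observed malicious mail that never reached a mailbox."""
    return blocked / seen if seen else 1.0


def clickers_by_department(results):
    """Who is clicking, grouped by department, to target training spend."""
    return dict(Counter(r.department for r in results if r.clicked))


def kpi_review(results, seen, blocked, benchmarks):
    """Return the KPIs that miss their benchmark; an empty list means 'continue'."""
    m = phishing_metrics(results)
    m["block_rate"] = block_rate(seen, blocked)
    misses = []
    if m["click_rate"] > benchmarks["click_rate_max"]:
        misses.append("click_rate")
    if m["report_rate"] < benchmarks["report_rate_min"]:
        misses.append("report_rate")
    if m["block_rate"] < benchmarks["block_rate_min"]:
        misses.append("block_rate")
    return misses


if __name__ == "__main__":
    print(phishing_metrics(SIMULATION))
    print(clickers_by_department(SIMULATION))
    print("KPIs missed:", kpi_review(SIMULATION, MALICIOUS_SEEN,
                                     MALICIOUS_BLOCKED, BENCHMARKS))
```

With the constructed data, the click rate (37.5%) and gateway block rate (95%) both miss their thresholds while the report rate (62.5%) passes, which is exactly the kind of output that would open the “those types of conversations” Joe refers to; the per-department clicker count shows where training or controls need more investment rather than just that a number was missed.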
He also discusses how a change in the organization, or in how it uses a solution, should prompt a reassessment of the relationship.
“At times you may have a [vendor] relationship in which there is mutual understanding… but there could be a change in leadership along the way where the organizations using the tool might be using it in a way that is pivoting to the left or the right…but if the client is going off course in how they’re using the technology, maybe it’s not a good partnership.”
He then closes on the value of constant engagement with a cybersecurity solution provider in determining whether the organization is getting value:
“Too many folks have that conversation on an annual basis… that’s a little bit too late, in my opinion.”
The CISO Role Isn’t Easy, But It’s Vital to Business Success
A balanced, proactive cybersecurity approach is essential for staying ahead of emerging threats. Educate your board on the business ramifications of an incident and invest in the basics to help avoid the cost of a breach in the long run. CISOs should also regularly evaluate KPIs to change their vendor, strategy, and other solutions as needed.