Creating a unified approach to IT security in the workplace: top tips for CISOs

Christopher Hodson
Mar 2, 2021

OPINION by Chris Hodson

CISOs must take several important steps to build a comprehensive IT security strategy to protect critical assets, monitor impact, and recover from any unexpected attacks or disruption.


We often hear that ‘cybersecurity is everyone’s responsibility’, not just the CISO’s, and that is because it is true. Well-intentioned discussions become meaningful actions when team members, as individuals, understand their role in the security of an organisation and its impact on business-wide outcomes.

The CISO of an organisation has a big role to play in reinforcing this, including explaining the ‘why’, not just the ‘what’. For example, the CISO must ensure all employees understand the consequences and impact of attacks and vulnerabilities, as well as what individuals should look out for. To enable such a model, CISOs need first to foster a culture of openness and collaboration within their businesses. Creating advocates out of employees can be a force multiplier when it comes to preventing threats.

To ensure that an organisation can implement a robust cyber-security strategy, CISOs must make sure that all employees within an organisation are fully educated on their cyber-security responsibilities. By various estimates, more than 80 percent of ransomware attacks originate when an employee clicks on a malicious link, opens an infected attachment, or visits a compromised website. Investing in ongoing training for employees to protect against phishing attacks should be the first line of defence.

But importantly, you can’t have employee advocacy without a comprehensive IT security plan in place. CISOs must ensure that they are taking several important steps to build a comprehensive IT security strategy so that they can protect critical assets, monitor impact, and recover from any unexpected attacks or disruption.

This includes:

1. Assessing organisational obstacles: Are security and IT operations teams working in tandem or in confusion about which department is responsible for ensuring resilience against disruption and cyber-threats? The IT operations and security teams should be working together to protect the IT environment, company and customer data — without this, they can’t achieve true visibility of their environment and endpoints, which leaves them vulnerable to attack. Employee advocacy becomes easier when it’s clear the whole of the IT organisation is a unified front.

2. Knowing your environment: Understanding what is in an IT environment is a crucial step. If a CISO stops by the IT team and asks how many unpatched devices are on a network, can this be answered accurately? As organisations look to build a strong security culture, it is essential that IT operations and security teams unite around a common set of actionable data for true visibility and control over all of their computing devices. This will enable them to prevent, adapt and rapidly respond in real time to any technical disruption or cyber-threat.

3. Decluttering the infrastructure: One of the most cited issues throughout WannaCry and other major security incidents is the challenge of updating operating systems in an environment laden with legacy apps. If a business is running a critical application that requires keeping an outdated operating system on life support, it’s time to rethink its value. Generating awareness of risks around old infrastructure can also help employees better understand vulnerabilities themselves, including how easy it is for opportunistic attackers to exploit outdated tools.

4. Eliminating fragmentation: Most IT security and operations teams operate using a messy combination of point products: cumbersome to manage and impossible to fully integrate. It is crucial for teams to have clear visibility of what is across their environment, and this means eradicating silos and siloed ways of working, and investing in a unified endpoint management and security platform instead of collections of point tools.

In summary, to have an effective cyber-security strategy in place, an organisation must have two lines of defence: employee advocacy and a comprehensive IT security structure. It is imperative that CISOs have a comprehensive IT security plan to give them full oversight and control of their IT environment. Crucial to combating any type of threat — whether a sophisticated attack, an employee clicking on a malicious link, or one that exploits an out-of-date piece of software — is clear visibility of all of the endpoints across the network and the ability to stop disruption almost instantly.

Originally published at http://cybersecuritymattersdotblog.wordpress.com on March 2, 2021.


Chief Security Officer and author of Amazon best-seller Cyber Risk Management | Investor | Talks about fitness.