A chief information security officer (CISO) is a senior-level executive who wears many hats in the realm of cybersecurity, but is mainly accountable for translating complex business challenges into effective information security controls. The responsibilities of a security leader such as a CISO are more complex today than at any earlier point in the history of IT: there are truly more moving parts than an entire team can handle.
However, there are some questions to which a CISO is answerable and that top-level management frequently asks for the betterment of the organization's security infrastructure. To answer them, a CISO should be well aware of the security controls in place and prepared to address them. Here are some questions that a CISO should be able to answer properly:
Should we be worried about ransomware attacks? I have heard that our industry is affected, or at least that is what is reported in the news.
CISO: Considering the massive success that cyber criminals have had with ransomware, we should expect to see a higher volume of attacks against every industry, from healthcare to critical infrastructure, and in future these attacks are likely to grow in sophistication. We have a comprehensive backup strategy ready to respond to such attacks, which are typically presented in a business context and highly tailored to the recipient.
What about the security of IoT devices, since these are connected to our corporate networks? What is our strategy for IoT-related attacks?
CISO: IoT devices are growing rapidly and are expected to number around 21 billion by 2020, and they are making their way into offices and corporate networks as well. So we need to be more cautious and proactively address this key source of vulnerability before we open our corporate networks up to some real threats.
As you know, the human factor is consistently the weakest link in any cybersecurity plan, so we need to start setting parameters around what can connect to our corporate network and what data these devices retrieve. We are also enhancing our security technology so that it is not only application- and product-aware but can support properly controlling these devices so that they work in the planned way. There are endless possibilities for breaches through IoT devices in future, and they need to be addressed with more concentration.
What about insider risk? It's easy to get nightmares about this stuff. Are we prepared for it?
CISO: We have a robust and well-established risk management program to recognize where this risk can have the most impact on the organization's assets. We have precise policies in place that detail expected behaviors, and we link these with strong role-based access control, which is used to segment user populations so that each sees only the data appropriate for its role, ultimately eliminating the insider threat.
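The role-based segmentation the CISO describes above, as an added example that is not part of the original article: a default-deny access check in which each role is granted only the actions it needs on the data it owns, plus a decision record that a monitoring team can feed into insider-risk review. The roles, resources and users are hypothetical and constructed for illustration.

```python
# Added example (not from the article): minimal role-based access control
# that confines each user population to the data its role needs.
from dataclasses import dataclass

# Hypothetical role -> resource -> allowed actions mapping (constructed).
# Anything not listed here is denied, which is the least-privilege default.
ROLE_PERMISSIONS = {
    "hr_analyst":    {"hr_records": {"read"}},
    "finance_clerk": {"invoices": {"read", "write"}},
    "it_admin":      {"server_configs": {"read", "write"}, "audit_logs": {"read"}},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # a user may hold several roles; permissions are the union


def is_allowed(user: User, resource: str, action: str) -> bool:
    """Allow only if at least one of the user's roles grants the action on the resource."""
    for role in user.roles:
        if action in ROLE_PERMISSIONS.get(role, {}).get(resource, set()):
            return True
    return False  # default deny: unknown role, resource or action


def audit_access(user: User, resource: str, action: str) -> dict:
    """Return a decision record; denied requests against sensitive data are the
    signal an insider-risk program reviews, so every decision is recorded."""
    decision = "ALLOW" if is_allowed(user, resource, action) else "DENY"
    return {"user": user.name, "resource": resource, "action": action, "decision": decision}


def overprivileged_users(users, max_roles: int = 1):
    """Flag users whose role set is wider than policy allows; accumulated roles
    are a common way segmentation quietly erodes over time."""
    return sorted(u.name for u in users if len(u.roles) > max_roles)


if __name__ == "__main__":
    alice = User("alice", frozenset({"hr_analyst"}))
    print(audit_access(alice, "hr_records", "read"))   # ALLOW
    print(audit_access(alice, "invoices", "read"))     # DENY: outside her role
```

The `overprivileged_users` helper is the piece worth wiring into a periodic review: role-based control only eliminates the exposure it was designed for while each user actually holds a narrow role set.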
What about identity and credential theft? There must be a solution to overcome this!
CISO: In the corporate world, not all organizations have reliable authentication and validation controls, and people also frequently reuse their usernames and passwords across different websites on the internet. This creates opportunities for adversaries to run credential-harvesting campaigns so they can gather large numbers of username and password combinations, or other information used for account setup, to enter corporate networks. We have addressed this problem by composing an ecosystem of strong programs and capabilities, including employing multi-factor authentication (MFA) for exposed applications and mobile devices, as well as leveraging technology to detect when corporate credentials are at risk, such as disrupting credential replay on spoofed websites.
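One concrete form of the "detect when corporate credentials are at risk" capability mentioned above, as an added example that is not part of the original article: a detector that reads authentication log lines and flags a source that fails logins for many distinct usernames inside a short window, which is the signature of harvested credentials being replayed against the corporate login rather than one user mistyping a password. The log format and the sample lines are constructed for the example, and the threshold values are assumptions to tune per environment.

```python
# Added example (not from the article): detect credential replay in auth logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format per line:
#   <ISO timestamp> <OK|FAIL> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-03-01T10:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T10:00:02 FAIL user=bob src=203.0.113.7
2024-03-01T10:00:03 FAIL user=carol src=203.0.113.7
2024-03-01T10:00:04 FAIL user=dave src=203.0.113.7
2024-03-01T10:00:05 FAIL user=erin src=203.0.113.7
2024-03-01T10:00:06 OK user=frank src=203.0.113.7
2024-03-01T10:05:00 FAIL user=alice src=198.51.100.9
2024-03-01T10:05:30 FAIL user=alice src=198.51.100.9
2024-03-01T10:06:00 OK user=alice src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_log(text: str):
    """Parse log lines into (timestamp, result, user, src); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def find_credential_replay(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {src: distinct_failed_users} for sources whose failed logins span
    at least `min_distinct_users` different accounts within `window`.
    One person fumbling a password fails repeatedly for ONE username; a replay
    of harvested username/password pairs fails across MANY usernames."""
    fails_by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))

    flagged = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # slide the window so fails[start:end+1] all fall within `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged[src] = len(users)
                break
    return flagged


def accounts_to_step_up(events, flagged):
    """Accounts that logged in successfully from a flagged source: the likely
    reused credentials, and the ones to force through MFA and a password reset."""
    return sorted({user for _, result, user, src in events
                   if result == "OK" and src in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_credential_replay(evs)
    print("flagged sources:", hits)                     # {'203.0.113.7': 5}
    print("step-up MFA for:", accounts_to_step_up(evs, hits))  # ['frank']
```

The distinct-username count is what separates this from a plain failed-login threshold: the second source in the sample fails twice for the same account and is correctly left alone, while the first source is flagged even though it also produced a successful login, and that success is exactly the account the CISO's MFA step-up should protect.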
These are some of the general questions asked by top-level management, who are often unaware of cyber threats and attack trends. A detailed, well-grounded answer is required to satisfy them and to report on the readiness, integrity and security of the organizational network. A CISO is expected to answer such questions properly and in an understandable way that convinces non-technical staff as well.