CISO Panels

What Cyber Resiliency and Broadway Have in Common

“The show must go on” is not just a famous Queen song or a mantra in showbiz. Whether your network suffers a failed software update, a big storm cuts off your supply chain, or you have a major breach, you must do everything you can to keep the business running. In other words, your organization must be resilient. One aspect of cyber resilience is establishing a business continuity and disaster recovery plan. Perhaps the most important aspect of resiliency, however, is the resiliency of your team. It’s important to keep in mind the impact a major incident can have on your employees, especially in a post-pandemic world.

Add This to Your IR Plan Before It’s Too Late

As the Scout motto states: Be prepared. Whether you’re camping in the woods, training for the Olympics, or practicing for a cyber incident, preparation is essential. With data security in general and incident response in particular, CISOs must ensure all members of the organization participate in monthly or quarterly table-top exercises. The traditional model, requiring employees to watch a training video once a year, is insufficient. Table-tops and incident training scenarios, while time consuming, are more than a best practice. They are essential for proper incident response preparedness.

Why CISOs Should Just Say “No” to Legacy Software

Too often, organizations play roulette with their legacy systems, which is fine until it’s not. If organizations can’t kick their legacy software habit, they had better be prepared to protect it. CISOs will inevitably need more budget to maintain the software and protect the data within it, which may ultimately cost more than upgrading to the current version. Given the higher risks and costs, CISOs should just say “no” to legacy software.

CISOs Aren’t Doing Enough to Mitigate Insider Risk. Are You?

Once employees began working remotely, the insider threat moved outside of the network and into homes. Most insider attacks are unintentional; however, CISOs must prepare for and respond quickly to sabotage. CISOs should aspire to have full visibility and control of who in the organization handles sensitive data like financial information and customer records. By doing so, insider risk is somewhat mitigated. CISOs must also ensure the entire workforce is cyber resilient. It’s not enough for employees to know phishing attacks are a threat; they must also know how to defend against them.

Cyberattacks Are Changing How CISOs Secure the Supply Chain

Supply chain cyberattacks have increased dramatically since the start of the pandemic. To mitigate this risk, CISOs need a vendor risk management strategy that includes knowing which vendors have their data, what type of data they have, and where they store it. A defined patch management strategy also helps CISOs mitigate supply chain risk. If you receive a patch notification from a vendor, you should trust that it’s a good patch. You should, however, test that patch within a secure environment before releasing it into the network. In other words, adopt a trust-but-verify approach.

All CISOs Must Read This Before Returning to the Office

New challenges are coming to light as employees return to the office. One near-term challenge CISOs must be aware of is balancing a workforce in which some employees work in the office while others remain at home. Some employees fear their careers will stall if they continue to work from home, compared to their in-office coworkers who get daily face time with upper management. Will the fear of not being promoted outweigh the fear of returning to the office? Only time will tell.

CMMC Is a Good First Step To Guard CUI, but Don’t Stop There

Cyber-crime complaints increased 69% from 2019, according to the FBI’s 2020 Internet Crime Report. It’s no surprise, therefore, that industries are now setting higher standards and requirements, especially in the government sector, where a breach could have catastrophic consequences. The Cybersecurity Maturity Model Certification, or CMMC, is a unified standard designed to enhance the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). CMMC measures an organization’s ability to protect FCI and CUI and applies to over 300,000 DoD contractors. Requiring CMMC certification is a good first step for setting a security standard, but there is still a lot more organizations can do to protect classified information.

All CISOs Must Do THIS Before Returning to the Office

As more working adults receive vaccinations, it’s time for CISOs to create their post-pandemic plans. These plans must address employee concerns about returning to the office, protocols for employees who wish to continue to work remotely, and whether or not the organization will employ out-of-state talent. CISOs must consider these and other important questions as business leaders start to look ahead.

4 Steps To Make You a Better Leader

Being an effective leader is difficult during ordinary times, let alone during a global pandemic. Covid completely changed our lives, including the way we work. The best leaders adjusted quickly. CISOs, no strangers to adaptation, led this change in many companies. The pandemic’s effects will be felt long after the last person is vaccinated. Business and security leaders therefore must continue to evolve in how they lead and defend their organizations against cyberattacks. Secure remote technologies, beef up security education and awareness for employees, and even mix up daily board briefs. These and other measures keep businesses nimble and responsive. They also keep employees alert and engaged.