'Mind the Gap,' a CISO's calling
Gary Hayslip
CISO @ SoftBank Investment Advisers | Board Director | Investor | Author | Hacker | Veteran | Servant Leader | Father
If you've ever traveled to London, the phrase, "Mind the Gap," is heard thousands of times a day if you are using the subway system. In the London Underground, a recorded voice and signs warn commuters to watch out for the space between the platform and train. The warning instructs people to "mind the gap" each time the train stops and the doors open. The idea behind this simple warning can be an analogy for both businesses and cybersecurity teams to use.
This expression of warning one to be safe and watch for hazards can be a tool used in organizations to implore employees and business team members to look for issues that need to be addressed or focus on critical initiatives to drive innovation. However, in cybersecurity, I envision this simple communication, to be safe as one steps off the train, as a more powerful expression of how CISOs approach enterprise security and risk management.
Today we are continuously reminded that we operate in a world full of risk. Whether the threat to our organizations is physical or digital, it is incumbent upon the company's security executive and their program to manage any risk exposure and understand their gaps in coverage. "Mind the Gap," to me is the calling of today's CISO. It is not only understanding how to weave together an effective security program based on risk mitigation frameworks, security controls, and industry best practices. It is building teams of different personalities and skillsets and focusing them on a vision to provide cybersecurity and risk management as a service to protect and enable the business.
As a CISO, "Mind the Gap" to me is a call to arms. It is a constant reminder that we operate in a dynamic, turbulent business environment where the rate of change for both the threats we face and the technologies we use can be daunting at best. It is a warning to security teams and programs at large that cybersecurity is a continuous lifecycle of managing and understanding their organization's risk. That this liability is always present and that the hygiene of standardized assessment, scanning, remediation, and monitoring will help security programs implement a robust methodology for understanding their organization. This awareness is based on several factors such as insight into how the company uses technology to be innovative, gaps in currently deployed security controls and the impact to business operations on mitigating these critical issues.
"Mind the Gap," is also a constant reminder to CISOs that their role has matured and they operate under a mandate. They are now responsible for business functions that five years ago would never have been in their job description. CISOs are now included as part of executive teams and in some organizations are advisors to the board or have a seat on the board. This type of responsibility is recognition by business that cybersecurity touches all corporate operations and that the enterprise management of risk by the CISO is strategic in value and when done correctly enables innovation and competitiveness. Of course, this recognition is only as good as the awareness the CISO has of current issues and the strategic plans in place to mitigate their risk. As I previously stated, "Mind the Gap" is our calling, it is why all of us do this job because we feel we are making a difference and in managing risk, we have a purpose.
To all of my peers this holiday season who are minding the gap for their organization, you are not alone. You have partners in our community who are here to help, who have ideas and experiences that can provide insight and help you solve issues. Here is hoping for a fantastic, collaborative 2018 full of opportunity and inspiration for all of you. I look forward to hearing from you about the problems you are working to resolve and the innovative ideas that solved them. Blessings to you and your families,
***One last note, in addition to having the privilege of serving as Vice President and Chief Information Security Officer for Webroot Inc., I am co-authoring Part 2 of the CISO Desk Reference Guide with my partners Bill Bonney and Matt Stamper. For those of you that have asked about our first book, more information can be found at https://www.cisodrg.com. We expect to have Part 2 available January 2018.