Recommended to do list for IT manager/CIOs &CISOs

So you have started a new job in a new organisation. You're keen to strut your stuff and leave your imprint, but not sure where you should start or focus. Over the last 15 years I've provided virtual CISO services and guidance to many CISOs, CEOs, CIOs, IT Managers etc. Of late I have been finding that a lot of companies are just throwing people into roles. All of a sudden a third line engineer is looking after security for the organisation, or a manager from another team is made the CISO. In my experience, it's a bad practice to throw people into such an important role without A LOT of security experience. However, if you're in that role, or plan on appointing someone into such a role, here is my checklist for what you/they need to be doing to be successful, to ensure your business is successful from a security front, and not least to ensure your organisation doesn't get hacked.

Understand the landscape and the people

  • Find out everything there is to know about the company from online resources (and internal resources too). This includes:

- Goals

- Vision

- Strategy

- Initiatives

- Products & services etc

  • Meet with your team and/or IT to gain a better understanding of their pain points.
  • Tee up meetings with key people and stakeholders in other areas of the business, and get an understanding of:

- How the business works

- The people and their roles/responsibilities

- What teams make up its operations

- What team does what, and who oversees each team

- How the other teams work and interact, from a tech and non-tech perspective

- What tech dependencies they have

- What pain points do they have

- What are their future plans/requirements from a tech and non-tech perspective.

- SLAs

  • Get an understanding of HOW the business works: are they all hybrid working, office based or fully remote, do they rely on teams/resources in other countries or continents, and what are those challenges?

Identify policies & procedures

  • Review Pentests or security assessments completed in the past
  • What security policies and processes does the organisation have?
  • Does the business have any auditing or compliance requirements?

- What do they have

- What are the requirements

- When are audits undertaken, such as schedules

- Who is involved?

- What governance requirements the organisation has, and the details

  • Does the organisation have any partnerships with other organisations? Get an understanding of their services:

- Any outsourcing in place

- Any planned acquisitions (with acquisitions comes potentially inherited security and tech risks)


Tech controls & Benchmarks

  • Do they use any CIS benchmarks, frameworks or standards? (e.g. NIST, E8, ISO, SOC, ISM, AESCSF, COBIT, CCM, PSPF, GDPR etc.)
  • What infrastructure tech do they have?
  • What security tech do they have? (This bit will be massive.) EDR/XDR, application whitelisting, firewalls, IPS, cloud security controls, local security controls, network & web filtering, network security etc.
  • Review documentation & architecture diagrams (this will also be really large). I'd recommend sitting with your IT guys so they can help explain it if you are not super technical.
  • Speak to the MSP(s) if they manage or provide support for the environment (or both).
  • Do they have a SIEM (Security Information & Event Management)?
  • What detection and alerting systems do they have?
  • What vulnerability identification & analysis practices do they have, and what hygiene practices, like patching, cleaning up accounts etc.?
  • What's missing in the environment? Perform a gap analysis.
  • What would IT love to have?
  • Third party vendors and their access requirements
  • Do they have an asset inventory register?


People – Training & Phishing, building organisational awareness of cyber risks

This area is arguably the most important. We know 90-95% of organisations are breached via Layer 8 (the human layer). Determine:

  • Do the staff undertake regular phishing simulations?

- If so, what were the latest results?

  • Do they undertake regular awareness training?

- How often, what were the results, and is the training effective?

  • What comms do they have internally to keep people educated on the latest risks and threats? Teams channels, newsletters etc.
  • What is the organisational mindset when it comes to security overall? Some organisations may be very security conscious due to regulatory requirements, for example, or the board may have a different opinion from the end-users or IT. It's good to get a gauge.


Monitoring & Response

  • Are there any monitoring & response systems in place, such as a SIEM (Security Information & Event Management) solution?
  • What processes are in place for the above? If an alert goes off, what happens, and is it even seen? What are the time frames and SLAs around that?
  • Perform a gap analysis & identify potential process improvements.
  • Does the organisation have an Incident Response Plan/Policy in place for cyber events?
  • When is it tested?
  • Who makes up the Incident Response Team(s)?
  • Does the organisation have its NDB (Notifiable Data Breach legislation) requirements covered in its IR Plan?
  • Are any third party organisations involved, such as a SOC provider, and what are the details, such as SLAs, reporting, metrics, observations, cost effectiveness etc.?
  • What is the organisation doing about threat intelligence?
  • What are the typical security events seen across the organisation? Have they been hit before? If so, did they learn from it, or is this a continual issue?
  • Does the organisation conduct incident simulations? If so, what is the frequency and who is involved: blue teams, IT, external parties etc.?


Cyber Insurance Coverage

  • Do they have it?
  • What's the amount?

- Most companies think their 1M ML cover is enough; usually in a breach it's not

  • What's covered or not covered?
  • Who are the external parties involved if an incident happens?


Risk Analysis

At each stage above you should be performing some base risk analysis to:

  • Identify potential risks and weak spots
  • Define and benchmark the risks
  • Perform a risk analysis, such as likelihood, severity, controls in place to mitigate etc.
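As an added illustration (not part of the original article) of the likelihood/severity/controls analysis above, and of the "top 3 now, next 3 scheduled" prioritisation described later in the checklist, here is a minimal risk register in Python. The risk names, scores and control effectiveness figures are constructed for the example; the scoring scale (1-5 likelihood, 1-5 severity, residual = inherent x (1 - control effectiveness)) is an assumption, not a standard the article prescribes.

```python
"""Minimal risk register: score, benchmark and prioritise checklist findings."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    likelihood: int                                # 1 (rare) .. 5 (almost certain)
    severity: int                                  # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)   # mitigations already in place
    control_effectiveness: float = 0.0             # 0.0 none .. 1.0 fully mitigates

    @property
    def inherent(self) -> int:
        """Raw likelihood x severity before crediting any controls (max 25)."""
        return self.likelihood * self.severity

    @property
    def residual(self) -> float:
        """Score after crediting the controls already in place."""
        return round(self.inherent * (1.0 - self.control_effectiveness), 1)

    @property
    def band(self) -> str:
        """Benchmark the residual score into a reporting band (assumed thresholds)."""
        s = self.residual
        return "Critical" if s >= 15 else "High" if s >= 10 else "Medium" if s >= 5 else "Low"


def prioritise(risks, top=3, following=3):
    """Rank by residual score (severity breaks ties); return the risks to act on now
    and the next batch to plan and set time frames for."""
    ranked = sorted(risks, key=lambda r: (r.residual, r.severity), reverse=True)
    return ranked[:top], ranked[top:top + following]


# Constructed sample findings drawn from the checklist areas; values are illustrative only.
SAMPLE_RISKS = [
    Risk("No SIEM or alert triage process", 4, 4),
    Risk("Staff never phished or trained", 5, 4, ["annual slide deck"], 0.2),
    Risk("MSP remote access not reviewed", 3, 5, ["VPN with MFA"], 0.5),
    Risk("Internet-facing systems unpatched", 4, 5, ["monthly patch window"], 0.4),
    Risk("Cyber insurance limit too low for a breach", 2, 4),
    Risk("No tested incident response plan", 3, 4, ["draft IR plan"], 0.25),
    Risk("Acquisition target environment unassessed", 2, 3),
]

if __name__ == "__main__":
    now, later = prioritise(SAMPLE_RISKS)
    for label, group in (("Act now", now), ("Schedule next", later)):
        print(label)
        for r in group:
            print(f"  {r.residual:>5}  {r.band:<8} {r.name}")
```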


Put it all together

At this stage you should have a complete picture of the organisation.

  • Where the risks are
  • Prioritised risk mitigation and remediation actions. Define the top 3 as your priority, then plan and set time frames for tackling the next 3 most severe.
  • What your capabilities are
  • What's missing (all mapped out against your business goals)
  • Focus areas
  • Roles & responsibilities & future planning, like cloud adoption, new systems etc.
  • How you are going to build, and continue building, organisational awareness and culture when it comes to cyber risk, and increase buy-in from departments
  • Build your plan and identify metrics for success. This will include:

- People

- Resources

- New tools

- Systems

- Processes

- Cross-departmental resourcing

  • Present it to the business and stakeholders
  • Implement


I hope this article has given you some insight into areas of focus and how to be successful in your role. If you would like any further information or guidance, please reach out!


#ciso #cybersecurity #nexon #danweis #threats #risk #riskmitigation #vciso #infosec

Josh Maxwell

General Manager Risk, Safety, Compliance and ESG at Waveconn

2 years

Great reading Dan Weis
