Trusted (Cyber) Security Advisor (vCISO) – All hands on deck
The ever-increasing and constantly evolving cyber-attacks have become the new norm for almost everyone working within the cybersecurity space, and the consequences can affect everyone, even at a personal level (e.g. job loss, financial loss, etc.).
At the same time, the high demand for the adoption of exponentially complex technologies (including OT/ICS), the expectation of interconnectivity, the use of dynamically generated Cloud-based services, and the need for near real-time security monitoring all call for a far more switched-on approach to enhancing an entity’s cyber resiliency posture.
The realities are different. No one solution fits all organisational needs, and the myth of the “one-man band” has proven to be only a fairy-tale. These truths place organisations in a difficult spot. They find themselves in the position of having to make a plethora of executive decisions across the spectrum of cybersecurity to meet several high-pace obligations, including regulatory requirements.
In other words, defending and adequately protecting digital ecosystems from ever-evolving cyber threats is a complicated task, and it comes with the expectation that the cybersecurity practice acts as the enabler for operating and scaling up in a secure manner.
For all the reasons above, organisations today see the need to use Trusted Advisors more often, usually operating in the capacity of Advisory CISO or vCISO. The following table provides a brief top-five list of key differentiators across the spectrum of responsibilities of trusted advisors, especially between the two roles mentioned above, in order to enable organisations to make informed decisions.
This article aims to clear up the confusion about how and in what way the roles of Trusted Advisors can be extremely useful to an organisation and, most importantly, extremely cost effective.
With that in mind, this article is an attempt to take the reader through actionable advice an organisation’s executive leadership should consider today, enabling them to self-assess and select the correct type of trusted advisor. It is imperative and highly beneficial to know that trusted advisor services can be offered either as white-labelled or as fully-invested, owning the appointed role (and its responsibilities) for the duration of the engagement.
Setting the Scene
There has been a lot of debate regarding the set of attributes of a seasoned Chief Information Security Officer (CISO). The truth is that the role (and its responsibilities) is evolving faster than most would admit. It has been proven time and again that the role needs to balance business acumen, leadership skills, communication skills, and technical understanding.
One of the main reasons this quadrant of attributes holds and is necessary is that it is paramount for a cybersecurity executive to be in a position to make informed decisions based on valid inputs. Taken together, these decisions are responsible for ensuring that the whole organisation operates securely, fully aligned with the organisation's strategy, vision, and current and future needs.
Figure 1 - Trusted Advisor attributes contributing to the cybersecurity leadership quadrant.
There have been many examples, especially those deriving from high-profile data breaches, where it became evident that the responsibility for securing an organisation was often misinterpreted as being a constant tick-box exercise to meet minimum compliance requirements.
Before diving into the specifics, allow the opportunity to emphasise that the purpose of this article is to help organisations self-assess how they:
Even for organisations with a CISO (or those looking for a CISO), numerous emerging challenges require multi-discipline expertise. This is where the role of the Trusted Advisor (as outlined earlier) comes into play, either acting as a complement to the existing practice or shaping an approach as necessary until the right team is appointed to it. This is also the case during a transition, or while an organisation is looking to hire a full-time CISO and needs someone to act in that capacity until the hiring process is complete.
Trusted advisor roles allow decision-makers and thought-leaders to examine, evaluate and future-proof their cybersecurity initiatives, implementation, and execution, by bringing in specialised expertise that saves the organisation time and money.
Cyber Security Executive Roles & Responsibilities structured in three phases
For that reason, the role and responsibilities of the cybersecurity executive lead (e.g. CISO) are divided below into three phases (Understand, Analyse, Plan & Execute), allowing boardroom decision-makers to compare and contrast their existing cybersecurity initiatives and set expectations.
From day one, the industry/sector the organisation operates within should be taken into consideration. The cybersecurity lead (e.g. CISO) is expected to be all hands on deck in understanding the existing threat surface. They are expected to bring guidance on what, where, and how the organisation needs to be protected, especially regarding any industry/sector-specific cyber threats that could be devastating to the organisation.
There will be a ton of work for sure, and the effort needs to be structured rather than ad hoc (usually referred to as fire-fighting). Despite what the theory says for an ideal scenario, there are many cases where starting with a security assessment is not very effective without first understanding the actual environment (digital ecosystem) that is supposed to be protected. (See also: UAE IA Standards: Measuring Cyber Security Maturity.) There is no silver bullet when it comes to cybersecurity. These are the heterogeneous initiatives to which a vCISO with a whole team of experts can contribute in a fraction of the time it would take otherwise.
{Phase 1} Understand
The first phase is to understand the overall environment of the organisation using a twelve-step approach and to build upon each step as necessary. A CISO should meet with key stakeholders, request certain inputs, review documents and participate in governance meetings to get up to speed on how security is integrated with the organisation. Some of the critical areas that the existing CISO (or acting trusted advisor) should engage in understanding are:
When certain essential elements are found to be missing during the above exercise, e.g. specific information security policies, make a note of them for inclusion in your to-do list.
{Phase 2} Analyse
Once a fundamental understanding of the overall environment exists, the current state of information security within the organisation and the possible gaps against enterprise strategic plans need to be analysed. This analysis requires a review of prior assessment reports, inputs from key stakeholders and outputs from participation in the various governance committees. This phase comprises a seven-step approach to break down the workload and assign responsibilities so as to get the right (and up-to-date) inputs:
{Phase 3} Plan & Execute
After analysing the current security posture and identifying any possible security gaps, the final phase is to formulate and execute a seven-step approach to address these gaps and reach the target state in alignment with the enterprise strategy. Ensure that your plan considers and aligns with the information security budget, or communicates clearly to the board what adjustment to the budget is needed, so that any budget increase can be justified.
Take-Away Thoughts
Every cybersecurity executive bearing the responsibility of driving, leading and executing a cybersecurity programme is expected to be actively involved in various day-to-day operational activities. Some of these activities require a specialised skillset that might not be available within the existing capabilities of the organisation's Information Security Department or Cyber Security function. Benchmarking against industry peers is a good indicator of where the organisation currently stands and where it should aim to reach (and, of course, within what timeframe). Hence, this is where specialised trusted advisory roles, like the vCISO, can contribute immensely to avoiding time-consuming execution, misdirected initiatives, costly mistakes, tedious tasks that add no value, and uncoordinated security operations.
This is from a blog-post we worked on with Santhosh Kumar and it was originally posted here.