Trusted (Cyber) Security Advisor (vCISO) – All hands on deck

The ever-increasing and constantly evolving cyber-attacks have become the new norm for almost everyone working within the cybersecurity space, and the consequences can affect everyone even at a personal level (e.g. job loss, financial loss, etc.).?

At the same time, the high demand for the adaptation of exponentially complex technologies (including OT/ICS), the expectation for interconnectivity, the utilisation of dynamically generated Cloud-based services, and the near real-time security monitoring, calls for a far more switched-on approach when it comes to enhancing an entity’s cyber resiliency posture.

The realities are different. No one solution fits all organisational needs, and the myth of “one-man-band” has proven to be only a fairy-tale. These truths place organisations in a difficult spot. They find themselves in the position where they need to take a plethora of executive decisions across the spectrum of cybersecurity to meet several high-pace obligations, including regulatory requirements.

In other words,?defending and adequately protecting digital ecosystems from ever-evolving cyber threats is a complicated task?that comes with the expectation towards the cybersecurity practice to act as the?enabler?for operating and scaling up in a secure manner.

For all the reasons above, organisations today see the need of using?Trusted Advisors?more often, usually operating in the capacity of?Advisory CISO?or?vCISO. The following table provides a brief top-five key differentiators across the spectrum of responsibilities when it comes to trusted advisors, especially between the two roles mentioned above, in order to enable organisations to make informed decisions.

This article is trying to?clear the confusion when it comes to the how and in what way the roles of Trusted Advisors can be extremely useful to an organisation, and most importantly, extremely cost effective.

With that in mind, this article is an attempt to discuss and take the reader through actionable advice an organisation’s executive leadership should consider today, enabling them to be able to self-assess and select the correct type of trusted advisor. It is imperative and highly beneficial to know that?trusted advisor services?can be offered either as?white-labelled?or?fully-invested?owning the appointed role during the duration of the engagement (and responsibilities).

Setting the Scene

There has been a lot of debate regarding the set of attributes of a seasoned Chief Information Security Officer (CISO). The truth is that the role (and its responsibilities) is evolving faster than most would admit. It has been constantly proven that it needs to balance?business acumen,?leadership skills,?communication skills, and?technical understanding.

One of the main reasons this quadrant of attributes is true and necessary is that it is paramount for a cybersecurity executive to be in the position to make?informed decisions based on valid inputs. These decisions in their entirety are responsible for ensuring that a whole organisation is operating securely, fully aligned to the organisation's strategy, vision, and current/future needs.

Figure 1 - Trusted Advisor attributes contributing to the cybersecurity leadership quadrant.

There have been many examples, especially those deriving from high-profile data breaches, where it became evident that the responsibility for securing an organisation was often misinterpreted as being a constant tick-box exercise to meet minimum compliance requirements.

Before diving into the specifics, allow the opportunity to emphasise the fact that the purpose of this article is to help organisations?self-assess?how they:

• Drive?their cybersecurity programme
• Identify?what kind of help they need in order to enhance their existing capabilities
• Develop?further existing capabilities
• Enhance?the programme and capabilities with industry-focused risk-prioritisation
• Minimise the risk?of having unknown risks
• Measure and quantify?cyber maturity

Even for organisations with a CISO (or those looking for a CISO), numerous emerging challenges require multi-discipline expertise. This is where the role of the Trusted Advisor (as outlined earlier on) comes into play to act either?complementary?to the existing practice or shape an approach as necessary until the right team is appointed to it. Sometimes during a transition process, or during the phase where an organisation is looking to hire a full-time CISO, and there is a need for someone to act in that capacity until the hiring process is complete.

Trusted advisor roles allow decision-makers and thought-leaders to examine, evaluate and future-proof their cybersecurity initiatives, implementation, and execution, by bringing in specialised expertise to save the organisation time and be cost-effective.

Cyber Security Executive Roles & Responsibilities structured in in three phases

For that reason, the role and responsibilities of the cybersecurity executive lead (e.g. CISO) are divided below into three phases (Understand, Analyse, Plan & Execute), allowing in that way?boardroom decision-makers?to compare and contrast their existing cybersecurity initiatives and set expectations.

From day one, the industry/sector the organisation is operating within should be taken under consideration. The cybersecurity lead (e.g. CISO) is expected to be all-hands-on-deck in understanding the existing threat surface. They are?expected to bring guidance?on?what,?where, and?how?the organisation needs to be protected, especially regarding any industry/sector-specific cyber threats that can be devastating to the organisation.

There will be a ton of work for sure, and the effort needs to be more structured rather than ad-hoc (usually referred to as fire-fighting). Despite what the theory in an ideal scenario says, there are many cases where starting with a security assessment might not be very effective without understanding the actual environment (digital ecosystem) that they are supposed to protect. (see also: UAE IA Standards: Measuring Cyber Security Maturity) There is no silver bullet when it comes to cybersecurity. Those are the heterogeneous initiatives a vCISO with a whole team of experts can contribute in a fraction of the time, compared to how long it would take otherwise.

{Phase 1} Understand

The first phase is to understand the overall environment of the organisation using a?twelve-step approach?and build upon each step as necessary. A CISO should meet with key stakeholders, request certain inputs, review documents and participate in governance meetings to be up to speed on how security is integrated with the organisation. Some of the critical areas that the existing CISO (or acting trusted advisor) should engage in understanding are:

1. Business Context:?Understand the kind of business that the organisation is engaged in, its cores services, key customers, market position, regulatory environment, industry/sector where it operates, critical assets (crown jewels), high-value targets, etc. In addition, align with what is the organisation’s vision, and develop the appropriate cybersecurity strategy to act as the enabler.
2. Governance Structure:?Understand the various governance constructs within the organisation, i.e., to get a big picture of how the information security department (ISD) interfaces with the rest of the organisation. A CISO should understand the reporting structure of ISD, applicable governance committees, internal ISD structure, cross-functional teams etc. As quickly as possible, CISO needs to start participating in these meetings (security committee) to familiarise themselves with the latest updates.
3. Review Enterprise Strategic Plans:?Review existing strategic plans at the enterprise level, organisational vision and mission statements and ensure that all IS efforts are aligned with these strategic plans. Identify bottlenecks and conflicts of interest.
4. Review Corporate Policies:?Review relevant policies, standards and procedures to understand the enterprise-level requirements around technology and security. Refine, review and develop new policies if necessary, according to the security industry’s standards, taking under consideration the industry/sector they are operating within.
5. Understand Regulatory Requirements:?Understand the regulatory and compliance requirements of the organisation from an information security perspective. Review any existing control framework to support these obligations and the results of any prior audits/assessments performed on these frameworks.
6. Understand the Information Security Department:?Understand the existing information security teams along with their capabilities and skillsets. Try to understand the implementation of network security, identity & access management, risk management?(see also:?Quantitative Vs Qualitative Cyber Risk Management Approach),?application and infrastructure security, threat, vulnerability and patch management and security operations centre within the organisation. Ensure that there is a clear understanding between the responsibilities of the IS and IT departments, and what are the role’s boundaries of the IT Security function.
7. Study the Information Security Budget: Obtain historical and current IS budgets and understand the operational expenses, the allocation for new initiatives etc. Ensure the budget requirements are in alignment with the overall strategy and can produce measurable results for future budgetary needs.
8. Meet Key Stakeholders: Ensure to meet relevant decision-makers from all business units, verticals, and technology teams to understand their latest initiatives and operational upkeep of security within their units, including capturing a clear picture of the cybersecurity culture.
9. Asset Visibility: Understand the spectrum of organisational assets (including those existing behind organisational silos) and the current level of visibility. Enquire around the identification of crown jewels, data classification status, risk profiling etc.
10. Review Enterprise Systems Architecture:?Review the systems architecture and understand how the various technology elements interact with one another (including on-premise and any Cloud-based utilised services). Also, understand how the vendors are integrated within the architecture.
11. Review Business Continuity Plan (BCP)/Disaster Recovery (DR):?Identify and understand critical assets from the business impact analysis and associated metrics like Recovery Point Objective (RPO), Recovery Time Objective (RTO), and Mean Tolerable Downtime (MTD) etc.
12. Current state of Cyber Security Culture:?Dive into the human aspect of security, which goes beyond processes and technology. Answer the difficult questions which involve human-behaviour and aspects that utilise non-conventional methods to target the organisation in its entirety, including but not limited to third-party trusted relationships.

When certain essential elements are missing based on the above exercise, e.g. specific information security policy(ies), make a note of it to be included in your to do list.

{Phase 2} Analyse

Once a fundamental understanding exists of the overall environment, the current state of the information security within the organisation and the possible gaps with enterprise strategic plans need to be analysed. This analysis would require a review of prior assessment reports, inputs from key stakeholders and outputs coming from the participation of the various governance committees. This phase comprises a?seven-step approach?to break down the workload and assign responsibilities to get the right (and up-to-date) inputs:

1. Analyse Reports:?Review and analyse security assessment reports, internal and external audit results, compliance assessments, performance metrics of the information security department, ongoing security efforts etc. and capture existing gaps that need to be addressed. Capture the timeframes of remediation, effectiveness and validate the lessons-learnt process.
2. Security integration with Enterprise Systems Architecture:?Review and analyse the integration of security with the enterprise architecture and identify possible security gaps that need to be addressed. Involve key stakeholders throughout this process and obtain their inputs and perspectives.
3. Visit Physical Locations:?Ensure to visit key physical locations like data centres, Security Operation Centre (SOC), Network Operating Centre (NOC) etc. and analyse how physical security is implemented for these key locations.
4. Organisational Security Culture:?Analyse existing cybersecurity training mechanisms, day to day operational activities, systems used to protect information and identify the organisational security culture across people, process and technology. Note that this would not be a tangible value and cannot be explicitly used for any assessments. However, this is a key informal metric that the CISO can use for decision making.
5. Define Capability Matrix:?After understanding the existing skillset within the information security department, prepare the capability matrix to clearly define the existing skills, required skills and the training, education, recruitment mechanisms that would be utilised to address the gaps.
6. Identify Key Solutions required:?Ensure that you identify key security solutions like but not limited to network monitoring tool, identity & access management tool, that needs to be procured and implemented to improve the security posture. There are occasions where tools have been procured but not utilised or take a long time to identify these are misconfigured.
7. Perform Gap Assessments:?If there are no existing assessments, audit reports, actionable inputs from key stakeholders on possible gaps for any key security process or solution, perform gap assessments in alignment with your information security budget and enterprise strategic plans to identify these gaps.

{Phase 3} Plan & Execute

After analysing the current security posture and identifying any possible security gaps, the final phase would be to formulate and execute a?seven-step approach?to address these gaps and reach the target state in alignment with the enterprise strategy. Ensure that your plan considers and aligns with the information security budget or communicates clearly to the board what adjustment is needed to the budget, ensuring that any budget increase can be justified.

1. Define Current and Target State:?Structure all the existing information security processes to clearly define the current state of the organisation’s security posture. Similarly, define the target state of the security posture based on the enterprise strategic plans, information security budgets, organisational and sector-level requirements, industry best practices etc.
2. Formulate the Information Security Strategy Plan:?Create a plan to address all the existing gaps and define the next steps required to achieve the target state. This plan will be utilised as the cornerstone for all information security initiatives.
3. Socialise the plan:?Socialise this plan with key stakeholders, leadership teams, governance committees and obtain inputs and buy-in from all of them.
4. Refine the plan:?Incorporate relevant feedback from key stakeholders and refine the plan before executing any security initiatives.
5. Create the Implementation Roadmap:?Establish the implementation roadmap with detailed initiatives, action items, timelines, effort and cost estimates, project management and resource requirements to execute the plan.
6. Request Management Approval:?Request for management approval and allocation of budget to implement the information security strategy plan.
7. Build the Project Governance Constructs:?Ensure that all the initiatives and action items from the information security strategic plan and the roadmap are managed through well-defined governance programs that monitor, course-correct, and improve efficiencies and effectiveness.

Take-Away Thoughts

Every cybersecurity executive bearing the responsibility of driving, leading and executing a cybersecurity programme, is expected to be actively involved in various day to day operational activities. Some of these activities require specialised skillset that might not be available within the existing capabilities of the Information Security Department or Cyber Security function of the organisation. Benchmarking against industry peers is a good indicator of where the organisation is currently standing and where it should aim to reach (and of course within what timeframe). Hence, this is where specialised trusted advisory roles, like the vCISO, can immensely contribute to avoid time-consuming execution, misdirected initiatives, costly mistakes, tedious tasks that add no value, uncoordinated security operations.

This is from a blog-post we worked on with Santhosh Kumar and it was originally posted here.