What Does Your Security Program Look Like?


Many of us are either building or maturing our security programs. Although there are many aspects to it, my focus is on the person and the people-skills.

What are the technical foundations you need to be a great cybersecurity professional? The answer is simple - you need to be really good at everything. Technology has so many components - hardware, software, OS, applications, networking, the controls that protect all of it...

So we need to understand TCP/IP - layer 7 controls - physical controls - how encryption works - network architecture... we need to be a master of all aspects of IT.

Beyond that, we need to understand the governance layer. What policies do we need? What processes drive those policies? How do we track exceptions to those policies? IT sometimes needs to take a left turn, and those deviations, while necessary to run the business, need to be formally documented and tracked.

We also have to understand the WHY. Why do we need to encrypt that database or use SFTP between us and that vendor? Why do we need to filter emails with sensitive data?

And the most important part, for those security leaders out there - how do we build the relationships that are critical in making sure our security programs are successful? How do we show and measure success or improvement? How do we justify the spend on cybersecurity?

Our jobs are not easy. Our first mission is to prevent breaches. But we must approach our task, and communicate, clearly. Once we reach a leadership level, we MUST have the soft skills and be able to use business language - finance, operations, etc. We must be able to demonstrate how a cybersecurity incident will negatively impact business operations. This might include our website going down, or our inability to take x-rays and the need to divert patients. We must understand and translate how the IT/cyber aspect impacts the business - and THAT is what we discuss with business leaders.

Business leaders don't want to know about TCP/IP. They want to know that we're ok from a cybersecurity perspective. Show them where we're at today, and what we need going forward to increase the likelihood that we can prevent these attacks.

And finally, tell them that it isn't IF but WHEN an attack will happen. Let's reduce the likelihood that a breach becomes a data breach. Let's get the best tools, processes and highly trained operators to deal with a breach. Let's prepare for the right-of-bang - let's be like the Navy SEALs in being prepared for that actual encounter. Instead of focusing 100% on prevention, let's understand that no matter what we do, a breach will happen, and be prepared to fight that battle and win.

You must demonstrate that you can be trusted with the most sensitive data the organization has - that you can protect it against all these cyber threats. And you must communicate that we WILL be breached - we need the support of the organization to build a security program that will prevent most attacks, and can fully deal with the most sophisticated attacks even when they succeed.

We must be able to put our leadership at ease that, with their support, we can prevent most attacks, and can expertly deal with attacks that are successful. We should NEVER lead them to a point of comfort. They need to understand that we will have breaches. Our job, then, is to contain breaches and ensure they do not become data breaches.

Adam W. Hawkins

Executive Vice President, Healthcare & Life Sciences | Cyber Security

5 years

Best line - "They need to understand that we will have breaches. Our job, then, is to contain breaches and ensure they do not become data breaches."

Randall Frietzsche

CISO | ISSA Hall of Fame | CTA CISO of the Year | Sheepdog

5 years

I would further submit that, at a leadership level, this is no longer a technical skill but an art. We build those critical relationships and ensure we're branding ourselves. That is SO critical to success. Brand yourself in a way that the organization knows that you're the right person for the job - they will give you what you need. Don't sell FUD. That's a loser every time. IF you have to use FUD, you're not great at your job.
