Risky Business (With Less Resources), Or: Know the CISO Job Search – BSW #208

Steps to reduce security risk in 2021: A summary of the tactical and strategic moves CISOs can make to reduce security risk: 1. Look to reduce your “haystack” of threat avenues through smart policy enforcement. Consider DNS as a vector – for both attack and detection 2. Ensure that your cloud adoption strategy is coupled with sound cloud security policy and design 3. Educate your leadership team. “We aren’t a target” is equivalent to sticking your head in the sand.

How do you think about attacking the problem of reducing risk? Short answer: use an enterprise, holistic, Risk-Based Security Strategy (RBSS). Risk is a combination of threat, vulnerability, likelihood and impact/consequences, along with asset values. The main activities needed in what really matters are: 1. Cyber Education and Awareness Training Program: educate users with periodic training courses, email notes on security topics, posters, frequent phishing exercises, etc. 2. Tightly manage access controls: use multi-factor authentication (MFA) everywhere, strictly control privileged account management (PAM), monitor access changes (active directory, etc.). 3. Excel at TVM and cyberhygiene overal: go beyond just patching (yet that must be a top priority!), assess your status in the CIS items 1-6, then fix the gaps. 4. Data protection approach: endeavor to encrypt everywhere (it’s easiest in the long run), control data and classify it, and use a tailored identity access management. Combine with privacy elements as you can. Get cyberinsurance. 5. Third-party/vendor risk management: go beyond the paper drill (NDAs, Ts&Cs, SLAs, etc.) and actually have a risk assessment — lack of this causes over half of all data breaches — and start with a detailed questionnaire, then ask what certs they have. 6. Partner with a managed detection and response (MDR) provider: 24/7 coverage, gain extensive threat intel reach back, enhance your threat hunting, and reduce the alert fatigue of the security folks.

Organizations frequently end up building complex security stacks thinking that more solutions equate to better security. Unfortunately, while the average CISO can point to anywhere between 35 to 65 different security technologies in their environment, complexity does not mean safety. Instead, overly complicated security stacks can increase vulnerability by hiding critical security weaknesses while simultaneously draining vital organizational resources. Simple can be better: 1. Overly Complicated Security Stacks Incur a High Cost 2. A Simplified Approach to Cybersecurity Makes Business Sense 3. Leveraging OS Native Controls Should Be a Cornerstone of Your Security Posture

In both public and private organizations, chief information security officers have shorter tenures than CIOs. Why do cybersecurity heads so quickly leave jobs — or get forced out? Here a few reasons that CISOs are moving on: 1. Change in top company or government leadership. 2. Differences in technology security philosophy, including resources allocated for cybersecurity. 3. Personality conflicts.

Sometimes a CISO isn't really a CISO, or the role does not have the authority or resources it needs. Here's how those seeking CISO roles can avoid the wrong employer: 1. Does the role lack C-level status? 2. A poorly-defined CISO job description 3. Why are they hiring a CISO? 4. Who’s on the security team? 5. What are they paying?

The state is the second in the nation to enact a consumer data protection law along the lines of the EU's GDPR. Here's what businesses need to know about Virginia's CDPA: 1. CDPA mandates how larger companies control or process data 2. CDPA combines CCPA, CPRA and GDPR 3. Other states may quickly adopt data protection laws