For many years, the role of a CISO was a pretty lonely one. Since cybersecurity was seen as an arcane, obtuse subject, other executives were largely content to leave responsibility for it up to a dedicated member of the executive team. Now, this approach is changing.
There are a number of good reasons for this. Though most CISOs have built sophisticated systems to respond to security threats, the changing threat landscape means that threats are now appearing at almost every endpoint across an organization. This means that teams previously regarded as fairly well protected against attacks – think marketing and customer service teams – are becoming a popular and lucrative target for hackers.
In this new environment, CISOs need to foreground collaboration. It’s only by working with colleagues throughout your organization that you can hope to respond to these multivalent threats. This was a point that LoginRadius’ CEO, Deepak Gupta, recently made in an article for Forbes.
In this article, we’ll go a little further, and turn his recommendations into actionable steps.
First, a word about the value of collaboration, and its limitations. It’s now well established that intelligent collaboration within an organization can help to improve cyber security. Even a process as simple as offering training to staff outside the IT department can dramatically improve cyber resilience, for instance, as can sharing risk identification systems across departments.
However, the structure of many organizations makes it easy for this collaboration to backfire. Specifically, it is possible for teams to share so many systems, and so much information, critical systems are left exposed. This can happen not just within an organization, but also with its B2B partners, whose systems are now typically integrated with those of suppliers and customers.
In other words, collaboration can be a powerful defensive technique, but only if it is used carefully, and within a structured framework. Here’s how to do that.
One crucial consideration when looking to integrate the role of a CISO into your broader organization is when to start the collaborative process. It’s not practical to appraise every executive of every upcoming IT initiative, but too often these initiatives are not mentioned to leaders until it is too late to mitigate their business risks.
This is why Federal Reserve CISO Devon Bryan told the Management Information Systems Training Institute (MISTI) that today’s security leaders need to “prioritize partnerships with business units” immediately. By doing so, CISOs can start to build a cooperative environment in the boardroom and make sure that business leaders understand how new technologies will affect their areas of expertise.
The basis of effective collaboration is communication, and the basis of effective communication is making sure that everyone is working with the same definitions. This can be approached in a formal way – building a shared taxonomy using definitions from the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO).
Alternatively, it can be approached in a more ad-hoc fashion, in which a CISO takes care to explain cybersecurity terms to their colleagues, and in turn, makes sure they understand the nomenclature of business operations.
If done correctly, this process is also an important part of building a cybersecurity culture within your organization. If everyone knows how to refer to cybersecurity risks, they are better able to communicate about them.
To take collaboration one step further, CISOs can even consider building a shared set of metrics that can be used across an organization. These metrics should be developed in consultation with other executives so that their relevance to broader business priorities is clear. In fact, if done carefully, this process can be a powerful tool that allows CISOs to explain the relevance and monetary value of their work to the other members of the C suite.
That said, CISOs should also take care not to burden themselves with complex KPIs. The metrics used to measure cybersecurity at an executive level do not need to be the same as those that are used internally within the cybersecurity team. Care should be taken to ensure that they are relatively easy to measure, understand, and track.
Effective CISOs are those that encourage their team to share their skills with the broader organization. Sharing skills can either be done in an informal way – by making sure there is a member of the security team on teams charged with developing new products, for example. But skill sharing can also be formalized, through designing a training process for staff outside your team to get up to speed on how to protect their own teams from security threats.
Finally, make sure you are using the technology available to you in order to share information and insight across all the teams in your organization. A comprehensive security incident and event management (SIEM) can greatly improve network visibility, but also allow you to share real-time, actionable insights with teams that may be opening themselves up to attack.
And, over time, it’s possible to leverage the power of big data to pull the insights drawn from your SIEM into a holistic picture of cybersecurity across your organization. By tracking the types of threats that you are exposed to, and their relative success, you can begin to plan a cybersecurity strategy that reduces your future vulnerability.
Ultimately, collaboration is a necessary part of the contemporary business environment. The days when CISOs worked within a hermetically sealed team are long gone – today, CISOs must be as engaged with business processes and risks as any other member of the C suite.
Building collaborative ways of working is not a quick process, but it can be done. And just as we’ve seen the evolutionary development of cyber security over the past few years, now we are witnessing the evolution of the business environment itself.