Three Blind Spots that CISOs Need to Recognize and Fix Right Away
Michael H. Wilson, https://savvycomsoftware.com, Mon, 22 Apr 2024
https://savvycomsoftware.com/blog/three-blind-spots-that-cisos-need-to-recognize-and-fix-right-away/

Chief Information Security Officers (CISOs) are hired to solve cybersecurity issues and keep companies safe and out of harm's way. This is a critical position within the company leadership team. Success is not optional. Failure is detrimental.

5 common steps a CISO might take

Here are the typical steps a CISO would take when starting at a company: 

  1. Assess the current technology landscape and find out where the cybersecurity holes (vulnerabilities and risks) are.  
  2. Get to know the Business and the User Community to determine the company risk tolerance and appetite for changes. 
  3. Put together a comprehensive cybersecurity plan that may include cybersecurity policies, procedures, and various implementation activities. The plan should cover important areas such as end-user training, incident detection, vulnerability assessment, network traffic, backup management, encryption, password management, breach management, and audit management.
  4. Present the plan to the Executive team or the Board of Directors to ask for approval and funding.
  5. Begin to implement the plan with help from external vendors, consultants, and tools, while trying to build an internal cybersecurity team from available engineering resources and new talent.


3 blind spots all CISOs need to recognize

These steps also apply to established CISOs with an existing budget and staff. Here are the three blind spots that all CISOs need to recognize and fix right away.

First, end-user training is not a check box. Many CISOs use KnowBe4 as an end-user training platform. Anti-phishing is one of the most important topics. Other training topics may include password protection, file sharing, user behavior, and the cybersecurity DR/BCP process.

The training usually starts with great fanfare and excitement. Over time, the cybersecurity team turns the training responsibilities over to the corporate training department or converts the sessions into online classes. With this handoff comes detachment: cybersecurity training is reduced to the same level as any other Human Resources training.

The blind spot is the perceived lack of urgency from the cybersecurity team. Employees come and go. New employees may not recognize the seriousness of the cybersecurity training, or won't pay attention to it because it is one of many training classes on their plate. This increases the opportunities for cyberattacks that succeed through employee error.

Secondly, the IT Operations team should not own the cybersecurity tool implementation. Due to the lack of cybersecurity engineering resources, many CISOs have to ask the IT Ops network or system engineers to deploy various cybersecurity tools. This is doable and is mostly done successfully by good engineers. The blind spot is in the ownership of the tools with regard to upgrades, monitoring, and data gathering. There has to be a clear partition of responsibilities. The IT Ops team cannot both manage the network and own the cybersecurity tools that watch that network. This is a conflict of interest.

Thirdly, a table-top exercise is a useless exercise. CISOs will spend a great amount of time and effort to build the cybersecurity plan, the Disaster Recovery Plan, and other system-recovery plans. Every so often, the team will get together to conduct a table-top exercise to ensure everything is in good shape.  

The problem is that these table-top exercises are often very high-level, incomplete, and do not realistically allow the team to experience a real crisis. It is impossible to experience a cybersecurity breach that has just brought down your entire network and created an enterprise-wide outage while sitting comfortably in a conference room with no real pressure.

How to overcome blind spots

Here are some recommendations to overcome these blind spots: 

  1. A cybersecurity professional (or at least an IT professional) must be actively involved in all cybersecurity training. This person can be in the classroom to answer questions or be the presenter.
  2. Conduct monthly cybersecurity webinars to update the user community on the latest threats. Always reiterate the basic cybersecurity training components.
  3. Make the IT Help Desk a knowledgeable cybersecurity Help Desk. Implement proper tools that allow the end-user community to communicate with the cybersecurity team (e.g., the KnowBe4 Hook icon on the Outlook menu bar).
  4. If feasible, always have a network/system engineer as a full-time member of the cybersecurity team. This person may not need to install the tools, but should be in charge of the monitoring, data collection, and interface with the IT Ops team.  
  5. Leverage the cybersecurity Tool OEMs to assist with the installation and monitoring process, independently of the internal IT Ops team.  
  6. Hire an external company to conduct regular penetration tests.  
  7. Consider using the same company for a White Hat network takeover exercise (simulate a cybersecurity attack without actually taking down the network).
  8. Conduct a realistic DR exercise. Pull a network cable and see if the network can really fail over.

Savvycom, one of Asia's premier software outsourcing companies, has been at the forefront of digital innovation since 2009. Leveraging our expertise, we specialize in developing top-tier cybersecurity software tailored to meet your needs.

Savvycom is right where you need us. Contact us now for further consultation:

  • Phone: +84 24 3202 9222
  • Hotline: +84 352 287 866 (VN)
  • Email: contact@savvycomsoftware.com