The job of a Chief Information Security Officer is blindingly complicated and strategically simple. The simple part is the job responsibility: “develop and implement a security program.” The complicated part is managing risk & compliance, designing policies & procedures, and developing a strategy for a strong security posture amid an ever-increasing market of products. That is hard enough to do as a CISO responsible for one business, regardless of how large it is. It is infinitely harder to do as an MSP managing tens if not hundreds of diverse businesses with different compliance requirements and varying attitudes towards the importance of their security posture. Whether you are a CISO or a virtual CISO for any number of companies, the CISO mindset and consistent, repeatable processes are necessary components not only to develop effective security programs, but also to create customizable offerings that further secure businesses.
With the security product landscape more fragmented than ever and new niche solutions appearing almost daily, it’s easy to get lost in the weeds. Once the NIST cybersecurity functions (identify, protect, detect, respond, recover) and the people, process, and technology that support them are in place, and regulatory and compliance requirements are met, it’s time to take a step back.
Not an easy task, but a necessary one, and one that can greatly elevate the security delivered.
Step 1: Compliant Security
Many organizations and security groups are compliant-security driven. Compliant security is the focus and practice of meeting the requirements of a regulation, standard, or best practice. For example, here at Todyl our GRC module is based around the NIST Framework, focused on helping to create, implement, and manage a complete security program.
There are no shortcuts here; compliant security should be the foundation of every security program. Covering all the bases, including any regulatory and compliance requirements a business may have, is a must. However, once that is in place, it’s time to switch mindsets.
Step 2: Effective Security (CISO Mindset)
Effective security is the idea that although compliant security covers many areas, every business is different, and so are its needs. Both compliant and effective security are necessary ‒ and this is where the CISO Mindset comes in, with opportunities to differentiate following close behind.
CISO Mindset 1 - Take a step back
Remember the basics and ask yourself, “What are we really trying to accomplish?” Remembering the security triad (CIA) is a great way to start:
· Confidentiality: Successfully limit access to data and systems.
· Integrity: Ensure that data and systems have not been modified or destroyed by an unauthorized entity.
· Availability: Ensure that the data and systems are up and running when needed.
CISO Mindset 2 - Threat model
Let’s jump into a mental framework that can be used for threat modeling. Threat modeling is an activity that improves security by identifying objectives and vulnerabilities and developing countermeasures against them.
Threat modeling can get very complex, and there are numerous frameworks. However, the most valuable information is often found with the simplest of questions:
· What keeps you up at night?
· What do you fear happening?
A very simple approach is to ask those two questions of both company leadership and individuals deep in the weeds of a specific business unit or area. In a small business, that might be a single individual, and chances are they know best.
Once you’ve created a confluence of perspectives (yourself included) to understand the greatest threats to the organization, it’s time for the next step.
CISO Mindset 3 - Manage risk with new countermeasure services
This is going to be a long-running blog series covering different countermeasures focused on the human element and on processes that can be used to strengthen posture and improve the efficacy of the security program.
The first deeper dive focuses on one of the largest threats to SMBs today: phishing. Sign up for our newsletter to receive an email when the next installment of this blog series is released, along with threat reports and other updates. In the meantime, if you want to learn more about Todyl, head over to www.todyl.com.