by Cristina Lago

CISO Tips: How CISOs can reduce risk

Apr 24, 2019

Here a leading cybersecurity expert in the ASEAN region offers CISOs five essential tips for ensuring a secure business environment.


Cyber threats are increasing in volume and complexity. To be ahead of the game, CISOs need to continuously review their cybersecurity processes and practices to ensure that adequate and effective systems are in place.

Faisal Yahya, CISO and CIO with more than 20 years of experience in cybersecurity, gives CIO ASEAN five tips for fellow CISOs on how to create a safer business environment.

1. Invest in threat intelligence programmes

Threat intelligence is information that organisations gather to understand existing or potential hazards targeting business assets or valuable resources. This intelligence is used to identify, prevent and respond to these threats through informed decisions.

In the IT context, cyber threat intelligence (CTI) is a collection of information gathered from sources that can be human or digital, internal or external to an organisation. This information is typically processed through some form of evaluation to verify its validity, and is used to provide context about the conditions a threat needs in order to exploit a vulnerability, and about whether threat actors are actively using that threat.

Although mainly focused on the IT aspects of an organisation, CTI also extends into other applications which aren’t necessarily IT assets but still impact an organisation, such as intellectual property or brand reputation.

A threat intelligence programme gathers information to prepare, prevent, and identify cyber threats looking to take advantage of valuable resources in a firm.

“Having a threat intelligence programme can save CISOs a lot of time by proactively identifying and continuously monitoring the risk before it becomes an attack,” says Faisal Yahya. “If necessary, increase your investment in improving cyber threat intelligence and analytics. This will help your organisation align its cybersecurity investment as closely as possible with the current threats faced by your business.”

When implemented correctly, a threat intelligence programme can help CISOs stay up to date with security threats, including methods, targets and vulnerabilities. It can also assist security executives in being more proactive about future threats – and to keep leaders, stakeholders and users informed about the impact they could have on the business.

2. Integrate IT security and business risk management

Cybersecurity is not an isolated aspect of an organisation. Its impact goes beyond IT and can have serious legal and public relations implications. IT security, then, should not be detached from the wider business risk management strategy.

“IT security no longer works effectively in silos; it needs to be part of the organisation’s risk-based approach,” advises Yahya. “Every organisation that is willing to grow, streamline and innovate must integrate its current IT security into leadership and business decisions to keep pace with the continuous evolution of attack vectors.”

The potential damage of a data breach is a risk that not only concerns IT security but that also affects other business areas, including brand reputation and customer loyalty.

Data is a valuable enterprise asset, and holding it obliges organisations to abide by data privacy legislation, which increases the risk management burden. CISOs and CIOs need to promote IT governance, including data security, as a way to guarantee that the IT strategy aligns with and supports the business’ overall goals.

In 2017, ISACA, a global association for information and technology audit, risk, governance and security professionals, surveyed more than 732 leaders from around the world and found that the governance of technology is now a board-level priority. Nearly all of the survey respondents agreed that strong IT governance is essential to strong business performance.

The same study found that 92% of respondents believe that better IT governance results in better economic outcomes while 89% believe it leads to more business agility.

3. Ensure fluid C-suite communication

A 2018 report by Accenture found that a lack of collaboration at the C-suite level is jeopardising cybersecurity in the enterprise.

Only 40% of the CISOs surveyed said that they always confer with business-unit managers to understand the business before proposing a security approach, pointing at a shortage of ongoing communication and lack of trust.

“A better engagement between CEOs, board members, and CISOs or CIOs will result in a fine-tuned and effective cyber risk mitigation strategy,” Yahya tells CIO ASEAN. “This engagement is the key to moving directly from risk identification and fixes to defining business impacts, governance methods, risk escalation steps and the entire organisation’s response (impact on reputation, company culture, and profitability) – a holistic cybersecurity strategy at its best.”

CISOs and CIOs need to work with their C-suite colleagues and board directors to bring governance practices into the digital age. Now that boards are accepting that cyber risk management and regulations require their oversight as much as any other business risk, the time couldn’t be more favourable to strengthen communication at the senior levels.

4. Manage third-party risks

It’s not rare to see organisations today outsourcing many of their core business functions to third parties and other vendors. These third parties and vendors often have access to sensitive data and internal systems – an inherent risk that CISOs should take into account when partnering with external providers.

Once access is given to third parties, threat actors also have an additional route into your network. That’s why it’s vital to ensure that your contractors and third parties take cybersecurity seriously, and that there is coordination with risk management in the event of an attack.

A survey by Soha Systems showed that third-party access is not a priority for IT and security C-level executives, yet it is a major source of data breaches.

While third parties cause or are implicated in 63% of all data breaches, a disproportionately small 2% of respondents consider third-party access their top priority in terms of IT initiatives and budget allocation.

“IT vendors and third-party partners can introduce security flaws into organisations,” says Yahya. “Business and cybersecurity leaders must manage these risks to the same standard as is implemented within the organisation.”

Firms should take a risk-based approach to managing third parties. The first step in managing these risks is creating a risk assessment, which takes us back to the earlier point about an integrated IT and business risk management strategy. CISOs and CIOs should only use third parties that they feel comfortable working with and that can provide evidence of similarly robust cybersecurity standards.

5. Gamify cybersecurity training

Yahya’s last tip for ensuring a cyber-secure work space is gamification.

Gamification is the process of introducing games, including competition and reward mechanisms, into a non-game context to boost engagement and foster communication. Businesses are using it today to improve work practices, including in cybersecurity and data privacy training.

“[Through gamification] all stakeholders take part in securing the organisation’s cybersecurity in the long run,” says Yahya. “This will also make it easier for the business to plan for and monitor any potential attacks against company cybersecurity systems.”

Some of the benefits of gamification include the ability to engage users and retain talent. Using elements of game-playing, CISOs can educate staff to be more cyber-aware. Some games are complex, with levels to pass and points to earn, but it can also be as simple as sending out “test” phishing emails and rewarding staff for not opening them.

In short, gamification is about making cybersecurity training as easy and accessible as possible for workers. Through interactive and engaging games, CISOs can ensure that colleagues keep up with ongoing cyber threats without having to sit through long, technical presentations that would otherwise probably fall on deaf ears.