CISO challenges and priorities for 2018


I’ve interviewed many CISO/CSOs the last 3 months to understand key priorities and challenges. Through all of the conversations, there...


Posted by Chuck Pledger (Discussions: 1, Comments: 5)
Replied on May 30, 2018 12:00 am
15 views
How many viewed protection of sensitive data as a key driver for spending on information security?
Posted by Christopher Nicholson (Discussions: 0, Comments: 1)
Replied on May 29, 2018 8:00 pm
Christopher - I didn't ask questions with respect to spend. Protection of sensitive data came up in a number of topics related to IP, privacy, identity, but most often with GDPR. It was an underlying theme of all the points I made above.
Posted by Chuck Pledger (Discussions: 1, Comments: 5)
Replied on May 29, 2018 8:00 pm
Some of the items here may reflect the challenges organizations face in adopting the CIS Top 20 Controls.

My short answer here would be dealing with Cybersecurity Change Management. Without the items you mentioned it is hard for organizations to address the constant demand to adjust the control landscape to compensate for the dynamic cyber threat surface. This problem is compounded by other changes (e.g., organizational changes, etc.). These core capabilities echo into the challenge of explaining the mission and focus of security to corporate stakeholders. At times this may impact funding requests and a deep understanding of risk management. I recognize my response may be at a higher level than previously posted specific answers.

Best regards
Pete Escobar
Protecting - Enabling - Positioning
Cybersecurity and Technology
Posted by Peter Escobar (Discussions: 0, Comments: 1)
Replied on May 31, 2018 8:00 pm
Another item I'd add to priorities:

- Spend time on your incident response plan. It's not enough to just have a plan. You must keep it updated to reflect key personnel changes, changes to the environment/tooling, and updated policies/regulations. You also have to test it. I advocate testing different scenarios on a quarterly basis with your technical response team and on an annual basis with the core/executive team.

As to the challenge of building a culture around cyber awareness: yes, it can be challenging but also presents great areas of opportunity. Creating engaging information security awareness training, conducting regular lunch and learns on topics relevant and meaningful to employees both in their work and personal lives, sending regular corporate communications on risk reduction activities/wins, providing personalized training to specific departments, and socializing who your teams are and what they do for your organization are all great ways to move the culture forward.
Posted by Christopher Zell, CISSP (Discussions: 0, Comments: 1)
Replied on May 31, 2018 8:00 pm
Additionally, we find consistent gaps in the following areas - in terms of ownership, evidence, accuracy and completeness:
- Data classification
- Third party/vendor security management
- Cyber Risk Management
- IT Compliance
- Cyber Governance
Posted by Richard Marti (Discussions: 0, Comments: 2)
Replied on May 31, 2018 8:00 pm
Peter Escobar - Thank you for your feedback. You are the first to put this in terms of change management related to cyber security, which is an interesting perspective. I'm working on a much more detailed report which will highlight some of your other points. Communication, budgets, and justification of spend to stakeholders were definitely in the top 10.
Posted by Chuck Pledger (Discussions: 1, Comments: 5)
Replied on May 31, 2018 8:00 pm
Christopher Zell, CISSP - Surprisingly, you are the first person who has mentioned the IR plan. I'm not sure if that indicates it's not a top priority or just that it is a given within their operations plan. Great suggestions around building awareness and changing culture.
Posted by Chuck Pledger (Discussions: 1, Comments: 5)
Replied on May 31, 2018 8:00 pm
Richard Marti - Third party/vendor management was definitely another top 10 topic as was compliance to the various regulations. Risk management was the driving force behind asset identification and patch hygiene. Data classification was not mentioned at all as a gap or a priority but I suspect that your observation is accurate.
Posted by Chuck Pledger (Discussions: 1, Comments: 5)
Replied on May 31, 2018 8:00 pm
Data classification is a shared responsibility and there are many stakeholders/owners (a few mentioned below); hence the lack of clear priority:
1. Legal
2. HR
3. Compliance
4. Risk
5. Privacy
6. Cyber/IT team for technical controls
Posted by Richard Marti (Discussions: 0, Comments: 2)
Replied on May 31, 2018 8:00 pm
I think data protection is another. In addition to asset inventory you need to know where is your sensitive data, crown jewels, so you can prioritize protection — access control, monitoring, loss prevention, etc.
Posted by Joseph Burkard (Discussions: 0, Comments: 1)
Replied on May 31, 2018 8:00 pm
Hi Chuck. Relative to #1 I have been wondering how this is viewed as well. Hardware and software asset management are number one and two in the critical security controls but they don't seem to get an equal level of attention. I would be interested in gaining a better understanding of why/why not? I could speculate but would sure like to hear from others.
Posted by Dr. Loren Wagner, DIA, CISSP, CSSBB (Discussions: 0, Comments: 1)
Replied on May 31, 2018 8:00 pm
Good list, thank you! At least three of those are in the top-5 critical security controls, right?
Totally agree about incident response planning and testing being important. Very hard to get senior leadership to agree to spend the time.
One other item, directly related to GDPR is data governance and oversight. We can only protect what we know about and data sprawl and duplication by other business functions is a massive undocumented risk.
Posted by Michael Rock (Discussions: 0, Comments: 1)
Replied on May 31, 2018 8:00 pm
Dr. Loren Wagner, DIA, CISSP, CSSBB - I totally agree. Most people I spoke with seemed to feel they had 75-85% visibility of their assets. One company (F500) made an interesting point. In the past, they were able to track assets because of the accounting records. Physical assets were depreciated so they could be identified. That's no longer the case with most assets because they are now either virtual or owned by the employee.
Posted by Chuck Pledger (Discussions: 1, Comments: 5)
Replied on May 31, 2018 8:00 pm
Great write-up on the top challenges and priorities, and I definitely agree that #1 is a challenge. Time and again I hear organizations say that getting a handle on their hardware and software inventory is a challenge, especially in large enterprises. In one interview I had last year I learned the CISO needed help with account management, and the problem there was managing their user account permission baselines, which had grown very complicated. Building strong processes in configuration management is key to protecting systems, and yet so many organizations still struggle with this problem.
Posted by Matthew Reyes, CISSP (Discussions: 0, Comments: 3)
Replied on May 31, 2018 8:00 pm
Agreed. Lots of opportunities to help CISOs out. The forgotten stepchildren of most organizations are asset management and patch management. SIEMs fail for a variety of reasons, but can be turned around quickly with the right team, tools and processes. Awareness is an ever-evolving effort, and no comment on GDPR... dust off the old data inventory, data classification and data protection policies/programs and update them...
Posted by Mark Butler (Discussions: 0, Comments: 1)
Replied on May 31, 2018 8:00 pm