Threat Detection and Response

How to Succeed as a CISO in 2021

Author
Gerald Mancini
COO

Throughout my career, I’ve worked with CISOs from government agencies and enterprises ranging from small to large Fortune 100 companies. In my tenure at Fidelis Cybersecurity and at previous companies, I have worked on the product development side to create cybersecurity solutions to solve the problems made apparent through my interaction with those CISOs.

I recently participated in a panel discussion with other security leaders on How to Succeed as a CISO in 2021. The past year has brought unexpected realities and accelerated digital transformation, along with evolving responsibilities for CISOs. Any security leader must be able to face and overcome these formidable challenges, and must have the skills and tools to understand the business risks that cyber-attacks create and to secure the organization against sophisticated threat actors.

Breaking into the CISO Role

In my experience, the most successful CISOs are the ones who have worked at every level. They know the problems first-hand and how to react to them. They have triaged alerts, but they have also evaluated security solutions and been the decision maker for their enterprise's cyber architecture. A successful CISO has done, or at least understands, every job in the security realm, and also understands the goals of the business and the outcomes it expects from its security investments. Experience goes hand in hand with education: certifications, degrees, and career growth. Once you have broken into the CISO role, though, you must be able to adapt. Attackers grow more sophisticated with every passing day, and the ability to evolve and stay current on relevant threats is a must.

In our discussion, Patricia Titus, CISO for Markel Corporation, mentioned keeping up to date with security news. She referenced listening to the CISO Series podcasts and reading news sites that cover cybersecurity breaches, new technologies and more. Personally, I ask my team to research security news and bring it to our attention for discussion. Threat intelligence reports are a great way to keep up with relevant threats, assessments, and recommendations so that you stay one step ahead of your attackers. Our Threat Research team compiles monthly reports here.

How the CISO Role Has Evolved

It used to be that CISOs fell into two camps: those focused on compliance and those focused on detecting advanced attacks. Today, compliance is just one small part of security. It must be done, but it comes nowhere close to covering the security gaps found in an organization. The role has evolved from implementing compliance controls, to managing risk, to supporting business management and customer care. As recent breaches have shown, attacks can greatly impact a business, from stolen personally identifiable information (PII) and the associated reporting requirements to ransomware attacks that can cost millions of dollars. In our discussion, Jonathan Nguyen-Duy from Fortinet mentioned that today's CISO needs business acumen: how to talk to the board, how to convince it that strong cyber hygiene and the tools that support it are a worthwhile investment, and more. CISOs are given responsibility and trust, and in return they must bring relationship-building skills, open communication, and problem-solving capabilities.

Over the years, many companies have hired Business Information Security Officers (BISOs). They interface with business managers to translate security requirements into business controls. BISOs are the "security ambassadors" of a company, communicating security strategies, controls and awareness throughout the organization.

Overall, both CISOs and BISOs must adapt their security tools, procedures and policies to keep up with advanced attackers. More importantly, they must work with all levels of an organization to get everybody on board with security best practices. Security is no longer an isolated business function, but needs to be embedded with all business units and practices. So how do you ensure that you’re successfully securing your enterprise?

Successfully Securing Your Enterprise

Security has become a critical function of organizations. As our moderator, Diana Kelley, mentioned in our discussion, companies used to turn to big-name vendors like IBM for their tools. Now, however, many organizations rely on smaller, start-up-like companies such as Fidelis to provide their security products. One thing I made clear in the webinar: it doesn't matter whether you choose a well-known vendor or a smaller one. As we have all seen, security breaches can happen to anyone. But there are measures you can take to ensure you have a well-protected system in place. Fidelis' CISO, Chris Kubic, wrote a Global CISO Playbook for the New Normal detailing his insights and strategies for a proactive defense that secures your enterprise.

Our most successful ventures have come out of strong relationships built between us and the customer. We aim to meet and adopt the security guidelines set by our customers to ensure that not only they, but we too, are protected. As I mentioned in the webinar, it is also important to have a sandbox environment in which to test and validate the implementation of your tools, not only security tools but every business-critical solution in the enterprise. Software certifications are good indicators of a vendor's desire to secure its solutions, but certifications alone are insufficient. You should also assess your own implementation of tools that require privileged access: a security tool that runs with elevated rights across the estate becomes a high-value target if it, its update channel or its management console is compromised, so its deployment deserves the same scrutiny as any other privileged system. Similarly, assess the users who are granted access to such tools and protect that access thoroughly, with least privilege and strong authentication. Ultimately, understand your risk tolerance and constantly evaluate your current risk, as described in the CISO Playbook cited above.

Ultimately, you as the CISO want to be confident that you are doing everything you can to keep your company secure. If you would like to know more about Fidelis products and how we have secured, and earned the trust of, government agencies and Global 1000 commercial institutions, contact us.

We will have a follow-up podcast with me and our CISO, Chris Kubic, to answer any further questions you might have. Subscribe here to receive it when it goes live!
