“A lot of the fundamentals for a security program aren’t seen as security, but they’re vital to being able to do good security.”
Lindsey O’Donnell-Welch: How do you even start to do that? I imagine there’s a lot that goes into trying to understand the business process and talking to different people and listening to what they need.
Wendy Nather: A lot of it is just as you said, talking to people, finding out what they need, finding out where the “go” and “no go” areas are. “Can I try this?” “Oh, no, that would be terrible, nobody would go for that.” Or “we tried this once. But it didn’t work. And this is why it didn’t work. So try it a different way.” So you have to learn the business really, really well. You have to build good relationships with people. Everybody who needs to implement things on your behalf, or who is simply using them, understanding them, can have some sort of feedback to give you, especially if it’s a user who is non-technical, who has their own experience with what you’re trying to implement, and has something to say about it. That’s really important. So you spend a lot of time building relationships, looking at the technology, looking at the operational processes and going, “do we even know what we have?” Because a lot of times, the answer is no. Or, “we have 15 of this database. Why?” And trying to figure out whether that’s something that you can fix, because the security drive is always to simplify, consolidate and mitigate. So you just keep working on all of those things, and try to lay out a battle plan of what can I start implementing that’s going to create the least friction? What’s cheapest? What’s easiest? What helps to mitigate our risk the most? And there can be different answers to all of those. So you sort of have to lay things out and go, “Okay, here’s what I can do.”
Lindsey O’Donnell-Welch: When you talk about connecting to different people in the organization, are there specific relationships that are important to tap into for a CISO?
Wendy Nather: Usually, both top-down and bottom-up are good approaches, in and of themselves, for different reasons. And so you really need to do both. You need to have the buy-in, above you, and at your peer level for what you’re trying to do. But at the same time, it really helps to go and get to know people in different departments who have different experiences, operating or implementing security, or simply being affected by it. And it’s really good to find out who is influential in each department, and sort of get those linchpins on your side, because they will help affect and influence the other people in their departments. So if you can get champions for your cause at every level, first of all, they’re going to give you different feedback because there are different levels and they will have different experiences and that’s all valuable, but also, the influence that they’re going to have on their coworkers is invaluable too.
Lindsey O’Donnell-Welch: When you’re looking at building an effective cybersecurity program, what are the most critical first steps for organizations?
Wendy Nather: There’s a pyramid that I’ve drawn in the past that shows the most basic stuff that you need to do, and going up to the top of the pyramid, which is where your security controls are, and you really need the fundamentals in place before you can make good use of security products. And the first one is really to understand and identify what you have. And it sounds really simple, but it’s not, it’s one of the hardest things that organizations have to do, particularly since half of the infrastructure we have right now is outside of our control. We’re working and sharing data and applications and networks with partners. We have customers or third parties that are using our resources and affecting them. And so finding out what we have, and defining whether it’s ours or not is much harder than you’d think. Which is why we’ve seen startups like Bit Discovery that popped up to try to address this problem.
The next thing is once you know what you have, to be able to control changes to it, either to stop people from making changes when you don’t want them to – and that’s also part of keeping attackers from making changes to it – but also, you need to be able to make changes swiftly and efficiently when you do need to. And so those are two sides of the same coin. Either we need to turn this on, or we need to turn this off, we need to move this, we need to replace it. Being able to make those changes, and control them, is the next level. Then the next level up is understanding the risks that you have. So going through threat intelligence, finding out from your peers what they’re seeing, determining what your most important assets are, and not just what they’re worth to you, but what they might be worth to an attacker, because sometimes they’re very different. So understanding your threat landscape and your risk is the next level. And finally, once you understand all that, then you can start getting security products in and actually using them. Because if you’re using a scanner, for example, and finding vulnerabilities, but you can’t fix anything, because you can’t influence changes, then that vulnerability scanner is not going to help you a lot. So a lot of the fundamentals for a security program aren’t seen as security, but they’re vital to being able to do good security.