‘CISO Says...’ is a monthly blog post series by Chris van den Hooven, Senior Security Consultant at Nixu. Each post will elaborate on a different issue within the cybersecurity space from the perspective of a Chief Information Security Officer, a role Chris has been in many times himself, in a career spanning more than 15 years. By combining knowledge of risk management, architecture, legislation and regulation, Chris helps organizations get in control of the security of their information and IT infrastructure.
The first blog post of the series – ‘CISO Says…YES’ raises the topic of security departments that are perceived as the ‘Department of NO.’ And how information security management services can be utilized to get a grip on an organization's current state of information security, transition it to the desired level and keep it there in this ever-changing environment. ‘CISO Says…YES’ contains real-life examples of CISO in action, coaching users, creating awareness and letting the organization take ownership of its information related risks.
“I will allow it, but what are your thoughts?”
The Chief Information Security Officer (CISO) is often seen as the spoilsport who always says that the music is turned up too loud. That is unfortunate, mostly because it’s not even up to the CISO to decide on the volume.
Security controls are one way of reducing risks. This notion is rarely, if ever, disputed. People understand the necessity of taking measures to reduce their risk, and therefore look both ways before crossing the street. However, when it comes to information, there are often debates about identifying and defining risks. What I consider to be a risk might not be considered a risk by someone else, and vice versa. And unfortunately, taking precautions to mitigate someone else’s risks can be perceived as an annoyance. But that is precisely what successful CISOs do: they help individuals understand their own risk from a third-party perspective.
First example: Shared network
One department of an organization may prioritize the security of the network, while in another department – where changes must be implemented quickly – the priority may lie in keeping the network as flexible as possible. These are opposing interests, because network changes can lead to a higher risk of critical mistakes being made and downtime occurring.
In this scenario, it isn’t the CISO deciding who must make concessions – it’s management. However, the CISO has a crucial role in facilitating the decision-making process by ensuring that everyone in the management understands the consequences and can make a sound fact-based decision.
Second example: Project details in the cloud
A group within the organization asks whether project management can use a cloud application. The standard application that the organization uses is not appropriate for the current project because it cannot be shared with third parties. The CISO receives the question after the application has already been purchased, which results in a disagreement with the head of IT, who opposes the use of “shadow IT”.
In this scenario, a choice will be made depending upon the project being carried out, which will need to be legally compliant (think of privacy) and appropriate in relation to other organizational departments.
Additionally, project management must be aware that they are responsible for keeping secure all the information that is placed in the cloud.
The CISO once again has a central role in providing advice and posing questions such as: Who has access, and who manages that access? What happens if the cloud provider goes into liquidation? If there is a risk that all information can be lost, but project management recognizes and accepts that risk, then the decision should not be contested by the CISO.
A third example: Can I take my laptop with me to China?
An employee travels to China on a business trip. Due to the threat of espionage and confidential company information being leaked, company policy dictates that special laptops (without sensitive information saved on them) must be used during international travel. But at the moment this employee needs to travel, no such laptops are available for use. The employee wants to resolve this impasse by using his personal laptop and asks the CISO for permission.
Again, this is not up to the CISO to decide. Project management is responsible for protecting the confidentiality of the data of all employees, and it is the CISO’s responsibility to ensure the decision makers can make informed decisions. The CISO provides invaluable insight into the security aspects merely by asking questions such as: What kind of data have you worked with on this laptop? How sensitive is it? The CISO will also explain the limits of the laptop’s security: the disk is encrypted, but if a national agency takes possession of the laptop, it will still be possible to extract information and even read erased files. From the CISO’s point of view, the organization must understand what the consequences are. In the end, this employee, after consulting with project management, decided not to take the laptop with him.
Based on these three examples, the following conclusions can be drawn: 1) the CISO must know the organization well and therefore know what the most pressing risks are; 2) a security organization capable of assessing the risks and making decisions must exist in every organization. The directors are responsible for ensuring that these conditions are met. NEN-ISO 27001 ‘Information technology – Security techniques – Information security management systems – Requirements’ describes this in clause 5.1 b): top management must ensure that the requirements of the information security management system are integrated into the processes of the organization.
Security is a matter for the directors, management, and everyone in between. In this regard, the CISO’s advising role is vital. “I will allow it, but what are your thoughts?”
Nixu launches ‘CISO Says…’ series
Threats to cybersecurity are increasing in every industry at a rapid rate. For this reason, many organizations enlist the expertise of a chief information security officer (CISO).
A CISO is responsible for establishing and maintaining a vision, strategy and program to ensure that information assets cannot be damaged or breached. The CISO directs staff in identifying, developing, implementing and maintaining the processes necessary to mitigate cybersecurity risks.
This role requires them to prevent, detect and respond to incidents by establishing appropriate standards and controls; perhaps more importantly, the CISO directs the establishment and implementation of policies and procedures to prevent the incident from even happening.
Data breaches can be extremely costly for any organization, which is why cyber risk affects the core of business operations and is therefore not merely a technology issue. A holistic approach is taken when considering people, processes and IT security; this entails bridging the gap between technical detail and organizational impact. Therefore, the CISO's influence typically reaches the entire organization.
Having a security team that is responsible for the management and oversight of information security is crucial, and the CISO is one of the most pivotal roles in an organization’s overall data protection strategy.
For these reasons, Chris van den Hooven, Senior Security Consultant at Nixu, will publish a series of blog posts using practical scenarios to showcase a CISO’s role within an organizational structure.