Intelligent CISO Issue 01 | Page 41

EXPERT OPINION

Using data to enhance your enterprise cyber hygiene

Maintaining control over data is vital for its protection, and enterprises are becoming aware that they must step back and look at how they might enhance cyber hygiene processes. Managing data as efficiently as possible is important for business development, something of which Jim Doggett, US Vice President and CISO at Panaseer, is a strong advocate.
Jim Doggett, US VP and CISO, Panaseer

In the good ol' days of CISO, things were straightforward and it was pretty easy to do what it took to be successful. I would prepare a budget for the upcoming year from a list of essential and value-added projects, which my security and risk team supported.

Then we would sell the budget request through the normal approach: fear, uncertainty and doubt. Quite simply, if anyone questioned our request we would state that if we don't do the project, we might get hacked, and we would fear losing our jobs. With the budget in hand, we would set off and get a lot done over the course of the year. Then, at year end, we would produce a PowerPoint with all the great things we had accomplished.
However, something then changed in my simple world. My board of directors and the C-suite began asking: "What is the ROI on each security investment?" and "How does each project reduce the risk to our organisation?" They then started asking for monthly updates on our progress in reducing those risks.
This was the beginning of how I, as a CISO and IT Risk Officer, began to think about security in a very different way. I was now being evaluated on how well I could reduce security-related IT risk, measure that reduction and sustain it.
Before delving into how we might approach measuring and sustaining risk reduction, it might be useful to compare with the past. If we go back, say, 20 years, what were the key security risks/threats we were dealing with? I suspect most of us would have answered: patching vulnerabilities, too much access and the like. In other words, doing the basics of security (i.e. enterprise cyber hygiene) well. And if we asked the same question today, or looked at the root cause of most breaches today, many of us would answer the same way.
This was my first revelation: I could not focus only on the newest black-belt, advanced threat out there. I needed to focus on the basics of security so that my team would have enough time to get to the latest threats. So this article is not about the latest advanced threat; it's about the basics.
I knew that to become a modern CISO and understand the constant risks in my organisation, I would need to be able to track and monitor my state at any given time. There were at least three things I thought I needed to do in order to fulfil