COVER STORY
for ensuring that the security team has the resources and strategic freedom necessary to defend the organisation.

“One of the most important factors for success with the board is keeping the reporting business focused and taking a risk-based approach. The technical specifics of any security issues are largely irrelevant – instead you need to concentrate on the business impact of a potential attack, whether that might be financial, operational or reputational. I have found it most helpful to explain cybersecurity to senior leadership in terms of maturity of the programme – how mature is the programme, where are the gaps, what must we be doing to close the gaps and improve maturity.

“Whenever possible, it’s also good to be armed with metrics that can put a potential figure on the costs involved, as this makes it easier to think about cyber-risks in terms of ROI. I’ve found success in using a three-tiered approach, split into everyday operational metrics, a tactical layer for the functional leadership, and a strategic layer for the senior leadership and the board.”
Building a strong cyber culture
“Alongside securing buy-in from the top, a CISO also plays an important role in shaping their organisation’s cybersecurity culture. Cybercriminals see the human element as the chink in the armour and common strategies such as deceptive emails are designed to exploit this perceived weakness. Even one employee falling for a phishing email can facilitate a major breach, so the entire workforce needs to be aware of the importance of good cyber behaviours,” said Ferguson.

“While it is both unfair and unwise to place the burden of spotting phishing emails and other threats on the shoulders of employees, fostering a high level of awareness can make all the difference. All staff should be aware of common signs of malicious emails and other suspicious activity and have a clear idea of how to report concerns to their management or IT and security teams.

“I have had tremendous success in using an ambassador programme to help provide this awareness and develop a strong security culture. Employees who have the right interest and aptitude in security were brought on board and trained to teach the benefits on our behalf. I have found that people generally respond better to security advice when it comes from a peer or fellow employee in their department, rather than being handed down by the corporate security team.”
The need for a unified approach
Ferguson said: “Being a CISO is a high-pressure role that requires providing leadership for a wide variety of areas around risk and cybersecurity, technology in general, as well as other concerns including legal, privacy and product issues. While this hectic schedule often leaves little time for looking outside of the company walls, I believe it is increasingly important for CISOs to take the opportunity to communicate with their counterparts at other organisations and begin to work together.

“Cybercriminals have become increasingly well organised, with even a lone-wolf opportunist being able to easily purchase tools and information from others on the Dark Web.

“We have also seen a greater threat from organised groups that function in a similar manner to a legitimate business. Using the same kinds of tools as real marketing and sales teams, they can collate data for thousands of potential targets and send out huge automated phishing attacks.

“In most cases, these attacks are completely industry agnostic, or else will be targeting many companies within the same sector.

“When our staff come to work, they need to be able to trust, open and click everything they see in their mailbox, so keeping email secure is essential.”
“Meeting other security leaders and sharing information about these attacks, as well as other cyberthreats such as new malware tools, can provide extremely useful intelligence that may make the difference in thwarting an attack.

“Attending security events, open forums or closed-door ones, has been one of the most useful approaches I have encountered for forging these connections and sharing intelligence. Many industries such as aviation and banking have their own sector-specific events which can be useful for discussing more targeted threats such as security issues around connected products.
“At the same time, invaluable intelligence can be gleaned from CISOs from other industries. As discussed, some of the most pressing threats we face transcend sector and meeting other security leaders can be a real eye-opener. The annual Agari Trust conference is one example of an effective sector agnostic meetup I attend annually with representatives from a huge variety of businesses.

“Events that provide the opportunity for security leaders to meet behind closed doors are particularly valuable. While speeches and demonstrations are extremely useful, CISOs will be able to discuss their security challenges more freely in private.

“By building a strong network of connections and regularly communicating with security leaders in other sectors and geographical locations, CISOs can further improve their ability to create security strategies that will stand up to increasingly organised and sophisticated cyberthreats.”
www.intelligentciso.com | Issue 24