Author: Joan Ross, Managing Principal, Cybersecurity
One of the hardest realities for chief information security officers (CISOs) to confront is what concrete protections can be achieved with the annual resources available to them. Theirs is a vital function, albeit typically with a smaller staff and budget than other divisions. They must constantly evaluate and protect against the ongoing concern that someone with malicious intent will breach or disrupt the organization’s operations and obtain sensitive customer information and secret business intellectual property. Being a CISO is not for the faint of heart.
Prioritizing relevant risk to their organization and determining appropriate treatment with their executive team is an ongoing process. When necessary security funding is not allocated, or resources are few, the CISO is in a difficult position. Ultimately, they bear the responsibility for a breach, even should it occur through a business supplier on systems outside of their control. They may have limited people and few mitigating controls with which to provide quality information security assurance.
2016 is the year more CISOs are making an honest evaluation of their team’s core security competencies and annual funding. While it is difficult to relinquish control, the realization is that they have no control or insight anyway if the security functions are not being fulfilled. This is when the tough decision is made to move the most time-consuming and burdensome security activities to a quality managed security services provider (MSSP).
In hindsight, CISOs relay that moving to an MSSP has been one of the best decisions for the organization, provided they select a strong MSSP. They are able to obtain more actionable security intelligence from experts at recognizing patterns and events, and it frees up their limited resources to devote their efforts to the evolving business security strategy and improvements.
Expanding access capabilities, burgeoning security devices, and the continual monitoring of threats and vulnerabilities take a toll, both professionally and financially. MSSPs are an acceptable option provided the CISO conducts the appropriate due diligence on the third-party provider. This is where the experience, skill, certifications, reputation and investment in ongoing personnel training of the MSS provider matter; the selection criteria must weigh more heavily than any cost efficiencies.
At a minimum, today’s CISO needs a rapid response retainer in place. Established organizations are moving to contractually require these retainers of their critical business partners. The reason for this is simple: preventing, detecting, containing and managing information security incidents requires trained professionals, reliable processes, chain-of-custody expertise, and forensics experts available at a moment’s notice. With a retainer in place, organizations can report suspicious activity and have it qualified, or receive a response on a course of action, within minutes. In seventy percent of the targeted breaches we analyzed, the incident spread to the secondary victim(s) within twenty-four hours once the attack was successful, a risk no CISO takes lightly in consideration of their organization, customers, and business partners.