Teri Radichel

Cybersecurity Strategy for Executives

The Big Picture

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

🔒 Related Stories: Cybersecurity for Executives


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In my last blog post I responded to a question: what do executives need to know about cybersecurity? Here are some strategies executives can use to deal with cybersecurity more effectively. This post is part of my Cybersecurity for Executives series.

Learn the basics

It’s not as hard as you think to learn the top security threats your organization faces, depending on who’s teaching! The first step is to invest in training to learn the basics of information security. From an executive point of view, security is not about understanding network packets, bits, bytes, and the assembly language needed to reverse engineer malware (though I have some certifications in that area and it’s very fun!). A large part of cybersecurity is understanding the macro issues that cause the most breaches, having a way to measure whether you are susceptible to a similar fate, and then doing something about it.


Ask better questions

Once you understand what causes the majority of data breaches, you will be able to ask better questions. These questions will help you more accurately quantify the level of cybersecurity risk in your organization, and the answers will help you make more informed cybersecurity decisions. I posted some cybersecurity questions you may want to ask your security team in another blog post.

Cybersecurity reports

The next step is to ask your technical teams for reports that answer your questions accurately. As I wrote in an article for Infosecurity, “People Do What You Inspect, Not What You Expect.” Reports let you inspect what is actually happening, based on metrics, instead of relying on someone telling you everything is OK.

Over time I learned that one of the most important questions to ask before designing a complex financial system is, “What reports do you want the system to generate? Please provide a sample, with data.” Building a system around the reports that answer the right questions generally produces a solution that more accurately solves the business problem. This presumes the business is asking the right questions and the system is built to produce reliable, accurate data that can drive better business decisions.

Benefits of cybersecurity risk reports

Creating cybersecurity reports will have the following benefits for executives:

1. Requiring risk reports drives the implementation of systems and processes that mitigate the top risks, instead of buying products for their buzzwords.

2. Cybersecurity reporting helps executives more accurately assess the risks that exist in the organization and prioritize the work to fix them.

3. If reports show that work assigned to fix a security problem was not carried out, there is a record of it, and liability shifts from the executive to the person who did not do their job.

4. Reports can surface people who repeatedly bypass security controls, which may indicate an insider threat that is otherwise hard to spot.

5. Accurate, well-designed reports help you align cybersecurity spending with actual risk and increase the return on your cybersecurity investment.

Security automation

To get accurate reports, you need data. Collecting that data manually will be inaccurate in the best case and impossible in the worst case. The solution is to gather it from automated processes. Remove humans from the process of generating reports to prevent mistakes and tampering. Eventually, you may even consider automatically fixing the security problems the reports identify.
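To make that concrete, here is an added example (not from the original post, and not a 2nd Sight Lab tool) of a report generated from machine data rather than from people’s assurances. It takes scanner findings and audit-log lines as input and produces three of the metrics discussed above: open findings by severity, overdue remediation work by owning team (point 3), and people who repeatedly weaken controls (point 4). The finding schema, the key=value log format, the action names, and the sample records are all constructed for the example; substitute the output of your own scanner and cloud audit trail. It also records a SHA-256 fingerprint of its inputs so that a report can later be checked against the data it was generated from.

```python
# Added example: an automated risk report from machine-generated data.
# The finding schema, audit-log format and action names below are
# assumptions constructed for the example, not any vendor's real format.
import hashlib
import json
from collections import Counter, defaultdict
from datetime import date

# Constructed scanner output: one record per finding (hypothetical schema).
FINDINGS_JSON = """[
 {"id": "F-1", "control": "storage-public-read", "severity": "high",
  "owner": "payments", "due": "2019-01-20", "status": "open"},
 {"id": "F-2", "control": "mfa-missing", "severity": "high",
  "owner": "payments", "due": "2019-01-10", "status": "closed"},
 {"id": "F-3", "control": "unpatched-os", "severity": "medium",
  "owner": "web", "due": "2019-02-28", "status": "open"},
 {"id": "F-4", "control": "mfa-missing", "severity": "high",
  "owner": "web", "due": "2019-01-15", "status": "open"},
 {"id": "F-5", "control": "logging-disabled", "severity": "low",
  "owner": "data", "due": "2019-03-30", "status": "open"}
]"""

# Constructed audit-log lines: timestamp followed by key=value pairs
# (the format is an assumption for the example).
AUDIT_LOG = """\
2019-02-01T09:12:00Z user=alice action=DisableLogging target=acct-1
2019-02-01T09:40:00Z user=bob action=ReadObject target=bucket-a
2019-02-02T11:05:00Z user=alice action=OpenPortToWorld target=sg-7
2019-02-03T08:30:00Z user=alice action=DisableLogging target=acct-2
2019-02-03T17:45:00Z user=carol action=OpenPortToWorld target=sg-9
2019-02-04T10:00:00Z user=alice action=DeleteAuditTrail target=acct-1
"""

# Actions that weaken a control (hypothetical names). Repeats by one
# person are the signal, a single event may be legitimate.
BYPASS_ACTIONS = {"DisableLogging", "OpenPortToWorld", "DeleteAuditTrail"}


def open_by_severity(findings):
    """Count open findings per severity level."""
    return dict(Counter(f["severity"] for f in findings if f["status"] == "open"))


def overdue_by_owner(findings, as_of):
    """Open findings whose due date has passed, grouped by owning team."""
    overdue = defaultdict(list)
    for f in findings:
        if f["status"] == "open" and date.fromisoformat(f["due"]) < as_of:
            overdue[f["owner"]].append(f["id"])
    return dict(overdue)


def parse_audit_line(line):
    """Split '<ts> k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields


def repeated_bypasses(log_text, threshold=2):
    """Users who performed a control-weakening action at least `threshold` times."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_audit_line(line)
        if event.get("action") in BYPASS_ACTIONS:
            counts[event["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def build_report(findings_text, log_text, as_of_iso):
    """Assemble the report and fingerprint its inputs so tampering is detectable."""
    findings = json.loads(findings_text)
    as_of = date.fromisoformat(as_of_iso)
    digest = hashlib.sha256((findings_text + log_text).encode()).hexdigest()
    return {
        "as_of": as_of_iso,
        "open_by_severity": open_by_severity(findings),
        "overdue_by_owner": overdue_by_owner(findings, as_of),
        "repeated_bypasses": repeated_bypasses(log_text),
        "input_sha256": digest,
    }


if __name__ == "__main__":
    print(json.dumps(build_report(FINDINGS_JSON, AUDIT_LOG, "2019-02-05"), indent=2))
```

Run on a schedule from the same pipeline that collects the data, with the inputs archived alongside the report; if anyone edits a report after the fact, the stored fingerprint no longer matches the archived inputs. The thresholds and the list of control-weakening actions are the parts an organization would tune to its own environment.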

Security automation has been shown to reduce the expenses incurred as a result of a data breach. Per the Ponemon Institute report cited in my last post on cybersecurity for executives, without automation the average cost of a breach rises to $4.43 million. Perhaps the mega breaches costing $350 million would not have been so costly if those organizations had automated security. Security automation is not a quick fix; it is an investment and an ongoing process, and it still requires well-trained people for the best results. In my opinion, when it comes to security automation, it’s pay now or pay later.

I have been a proponent of security automation, and writing about it, for many years, especially as it pertains to cloud security. I immediately saw the value of the cloud because I saw the potential to reduce human error and create transparency around the actions that lead to security problems. Cloud providers need to be vetted, of course, but that is a topic for another blog post. You don’t need the cloud to automate security, but it makes things easier, and some automation features are free. Check the automation capabilities and costs of each vendor before purchasing products and services.

Align Objectives

Do you have this problem? Every time I teach a cloud security class I say, “In some organizations, the development teams got to the cloud first, and now security is trying to catch up after the fact and implement controls. Sometimes developers don’t like this so much.” Smiles appear on faces. Heads nod. That misalignment between development and security objectives increases cybersecurity risk.

Security automation is not just writing software or turning on cloud provider security controls. It requires a deep understanding of networking, security, and software engineering. Experienced security professionals understand threats and risks at a deeper level than most developers. Network security architects know how to design networks that minimize the attack surface and make malicious traffic easier to spot. Software engineers know how to automate and build resilient systems. QA engineers know how to test applications, and infrastructure too, thoroughly. You need all of these skills to design the most effective security automation.

I have a background that includes security, networking, and software, so I understand what people on all sides are trying to achieve. I believe training and communication would resolve the conflict that comes from misaligned objectives. That’s why I designed my cloud security class for technical executives, security professionals, IT, DevOps, developers, and QA team members together. Instead of sending everyone to separate security classes or showing them a video, get everyone in the same room, not just to learn cloud security but to discuss and design solutions at the same time.

Create a Security Culture

One last point: everyone complains about the shortage of cybersecurity staff. I would argue that most organizations are not using the people they already have effectively. Developers are smart. They can learn security, and they can help security teams build automated solutions that make those teams more efficient. The more basic security problems you automate away, the more your security team can avoid burnout and focus on the complex issues. I recently had a Fortune 100 company send its sales staff to my class. They will now be able to push more secure solutions back to product managers and help customers be more secure. Create a security culture.


Teri Radichel | © 2nd Sight Lab 2019

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab