By Julian Waits
CISOs must consider reputation, resiliency, and regulatory impact to establish their organization’s guidelines around what data matters most.
Today’s CIOs are the stewards of company data, responsible for its health and performance as well as maintenance of the availability, speed, and resiliency their stakeholders expect. CISOs, however, sometimes serve as emergency room doctors for their company’s data. Their role is to think about worst-case scenarios, diagnose the severity of incidents, and jump in when incidents happen or are likely. Their first priority is to keep patients alive, but keeping them healthy is worth bonus points.
Like ER doctors, CISOs need rapid prioritization tied to the health of the business to effectively triage incidents. To establish each organization’s guidelines around what data matters most every CISO must consider reputation, resiliency, and regulatory impact.
Defining and Solving the Data Problem
A CISO must consider focus on business protection, cybersecurity breaches, and the role of data in their organization:
● Reputation: Which data loss would hurt the business’ reputation and negatively impact a customer or investor’s confidence in the business?
● Resiliency: What data outage could cause business disruption, and could the business come back from the outage?
● Regulatory impact: What is the financial or legal liability?
With these themes in mind, the CISO’s data problem is twofold: which data most needs to be protected, and what data is needed to monitor and diagnose an incident when protection fails?
The first step is for the CISO to get their arms around all the data that matters. These days, data ownership is often federated, so CISOs must team up with peers to get access and manage the overlapping ownerships. For example, the security team may have access to one body of data, whereas application teams have another. Lines-of-business leads would own their business data in SAP, for example, while the CIO would manage the infrastructure’s operational data and maintain the health, performance, and security protection of SAP and the data it contains. Underscoring this business dynamic is the critical role that CISOs play: They need to ensure their peers have visibility into all business-critical data, and they need to ensure they have full access to this data and its supporting systems.
With the data in hand, the next step to solving their data problem is to examine tool sets and ensure they have maximum visibility. Today, environmental complexity is such that you may not know what it contains, making visibility difficult to achieve. Organizations have on-premises environments, workloads in multiple clouds, numerous purpose-built applications, Internet of Things devices, and more. When combined with organizational silos, shadow IT, rogue DevOps teams and business units driving “digital transformation” that put speed-to-market ahead of architectural elegance, efficiency, and application security, it becomes even clearer that the job of the CISO is getting harder every day.
Business Impact Analysis Best Practices
Forward-thinking CISOs lead their teams with the goal of protecting what matters most while maturing their security capabilities and posture. This begins with a business impact analysis that explores which applications and systems are most critical to provide the environmental visibility needed to enable effective data protection. In any organization, this task is daunting and time consuming; however, the larger the organization, the higher the risk and the reward. Both the CIO and CISO have much to gain by looking strategically at their organizations, aligning efforts, and improving the efficiency and effectiveness of their teams and technology.
With business impact in mind, CISOs can better drive security maturity and improve their cyber hygiene. This can start with simple but necessary activities like vulnerability identification and management, endpoint protection, or malware detection; even these activities can be prioritized by business impact and informed by a view of reputation, resiliency, and regulatory requirements.
Once CISOs have grasped the business impact of their data according to the three pillars — defined data boundaries, access, and tool sets in use across the organization — then it’s time to review tools’ effectiveness and return on investment. Most CISOs know not all their tools are effective or delivering as promised; what’s important is determining which tools are truly useful or necessary, and understanding the financial impact. This is also an opportunity for CIOs and CISOs to work together — there’s limited technology budget to go around. If CIOs and CISOs can leverage system synergies on top of common data sets, and then further align systems with critical business units, then there is a huge opportunity to optimize spending, operations, and protection.
Emergencies Are Preventable with Primary Care
The constant specter of a serious data breach keeps many CISOs up at night. CISOs know how to handle emergencies, but like their ER counterparts, they’d prefer they never happened in the first place. The modern CISO needs to start with primary care — understand business impact, the effect of security incidents on reputation, resiliency, and regulation, and then address these needs with a robust security program aimed at mature cyber hygiene.