12 Critical Requirements for Security Leadership
August 16th, 2017
As the cyber security industry has witnessed an unprecedented onslaught of data breaches and headline risks in recent years, it has precipitated a fundamental transformation of the industry from the top down. Information security has rapidly evolved from a technology support function to a critical business need underpinning core business models and supporting day-to-day operations. As this change has manifested, it has ushered in a new era of cyber security leadership and changed the landscape in significant and material ways. For instance, security leadership is no longer relegated to technical wunderkind analyzing bits and bytes in a perpetual game of ‘spy vs. spy’ to thwart potential attackers. Today’s cyber security executive must possess strong business acumen, relationship management skills, technology expertise as well as a mastery of strategic and interpersonal communications.
They must be able to readily adapt to a constantly changing business environment as well as manage a menagerie of organizational and technical elements in order to sow the seeds for program success. Furthermore, they must hone a multi-modal repertoire predicated on multi-stakeholder engagement and security evangelization within, as well as outside, the organization at large. In order to effectively manage and lead cyber security risk management programs, it is essential to identify the key components and leverage known strategies and best practices for enterprise defense. Ergo, the twelve critical requirements listed below provide a comprehensive framework for program development and execution:
- Cyber Resilience: Operational framework for detecting, responding to and recovering from cyber security events and incidents.
- Enterprise Risk Management: Effective cyber security operations must be able to detect, identify, assess, mitigate/remediate and report risk.
- Integrated Security Operations: In light of the cyber threat, organizations should develop an integrated Security Operations Center (SOC) or fusion center to provide enterprise oversight and support for cyber related issues.
- Risk Identification & Stratification: In order to conduct effective protection operations, it’s imperative to understand and codify risk within the information environment. Once identified and prioritized, controls and protections can be instituted to safeguard ‘crown jewels’ and other sensitive, proprietary or protected information.
- Security Training & Awareness: Everyone has a role to play in securing the enterprise and the enterprise training and awareness program is key to underpinning this notion. Everyone within the organization should have a fundamental notion of what cyber security is and their role in protecting company assets (e.g., not clicking on suspicious phishing emails).
- Business Enablement & Program Alignment: Integration and collaboration across the business are key for security program success. Developing and cultivating a strong working relationship with key internal stakeholders to support the business, strengthen partnerships and embolden champions for the cause is essential.
- Extended Enterprise Defense-in-Depth (Data/Device Ubiquity, Cloud Security, BYOD, etc.): A layered approach to security is beneficial for any organization, as no one should rely on compliance or any other single method to stave off compromise. Leveraging multiple layers of defense (e.g., security operations, risk management, compliance, etc.) in an effective fashion can be a sound strategy for protecting the enterprise from multiple angles and perspectives. Conventional security measures and controls must be extended into third party networks and virtual systems in order to address several key trends: Cloud, BYOD, third-party systems/networks, decentralization of data, etc.
- Benchmarking & Assessment: Continually assessing your security program efficacy from a capabilities and controls perspective will help ensure that you are leveraging industry best practices and securing the enterprise in an effective manner. Developing and implementing an operational reporting platform with key performance indicators (KPIs) and efficiency metrics can provide the requisite data and insight needed on a regular basis.
- Breach Acceptance: Acknowledging the fact that a cyber security breach is often inevitable requires that processes and procedures must be honed in order to respond appropriately. The stigma and disgust associated with breaches should be refocused on how to better prepare and respond to the inevitable.
- Industry Collaboration & Outreach: Develop and cultivate relationships with key organizations, industry groups, external associations and internal groups to advance partnerships and bolster collective capabilities.
- Strategic Communications: Develop high fidelity executive and operational reporting for general distribution. Elevate security within the company and enterprise.
- Program Governance, Risk & Compliance: Leverage program frameworks (e.g., NIST, ISO, etc.), control frameworks (e.g., NIST, CSC, etc.) and accepted industry best practices to support program objectives/capabilities and meet legal, audit and regulatory requirements.
The strategies outlined above are essential for driving positive change in any security program, sowing the seeds for risk qualification and underpinning effective risk management at an enterprise level. As the paradigm continues to shift from a technical operations-centric focus to an organization-wide risk management model, it’s essential to implement complementary components supportive of the overarching program goals. In order to effectively gauge, measure and articulate risk within the organization, it’s important to implement mechanisms to systematically identify, codify and inventory risk internally, as the strategies suggest. Furthermore, it’s important to define how this approach fits into a broader risk management framework, enabling the business to assess, address and mitigate risk at a fundamental level. This can generally be achieved by leveraging a combination of technical measures, policy mechanisms, procedural reviews and formal risk acceptance/transference procedures.
These strategies provide an operational and risk-centric framework for building and optimizing risk management within your organization. Although adoption of these strategies, collectively or independently, may not guarantee program success, it will ensure that you’re leading strategically and espousing industry best practices for the betterment of your group and the organization at large.
Cory is the Executive Director – Global Cybersecurity Operations, for the Las Vegas Sands Group. He is an experienced cybersecurity executive and leader with experience across multiple industries and backgrounds. Cory participated in the 2017 iteration of BESP.