Skip to main content
Category

Cyber Crime

Cybersecurity Leadership (CISO): A Modern Approach to Cybersecurity

By CISO-as-a-Service, CISO/Management, Cyber Crime, Cyber Security, Defensive Tactics, Risk Management No Comments

Businesses have a corporate responsibility to secure their own and the information they have been entrusted with. Many companies believe that this is expensive, not their responsibility, etc. They also assume (usually incorrectly) that the IT department is handling cybersecurity. Most companies lack the talent necessary to build a security  program that is cost-effective, enables the business for success, and has the necessary depth. When the Cyber Self-Defense team speaks with companies, they tell us they do not know where to begin. Our answer to this issue is always the same; start by hiring the right talent to make you successful. CISO-as-a-Service® might be your answer!

Talent

At Cyber Self Defense, we often hear that cybersecurity talent is becoming harder and harder to come by. With the increasing level and complexity of cyber attacks, companies are looking for cybersecurity teams to help them to build their programs, yet job requisitions remain unfilled.

Trends

This is what we know;

  • Cybersecurity professionals are demanding more money.
  • Companies are creating positions that are vague, all-encompassing, and that fail to help them to build a comprehensive cybersecurity program.
  • Companies are electing to hire junior professionals who are unqualified to lead the program; with no strategic or leadership experience.
  • Companies are compromising on experience, qualifications, and other critical knowledge factors, just to get someone in the role.
  • Companies are over-spending on technology because they do not have the strategic outlook and risk-based approach which is so critical to any cybersecurity program.
  • Audit Pleasing- many companies build their cybersecurity programs to please auditors; they fail to see the need for true security. They also fail to see that a properly built program can be done at about the same cost of program meant only to “check the box”.
  • Companies add technologies that are just sitting in the racks.; we have seen situations where systems are installed with less than 10% of the features configured and used. Please see my article on “Blinky Light Syndrome”.
Common fears of hiring a CISO-as-a-Service®

1. Is the CISO-as-a-Service® a group of professional consultants who have no real-world experience?

  • The one thing we hear from our customers, when wanting to hire a CISO-as-a-Service® is that they tend to get “professional consultants”. It is important to hire companies who hire individuals with real leadership level experience building cyber security programs, while an employee of the company.
  • Professional consultants are great, but unless they have the practical experience of managing a program for an organization, they will struggle finding the correct balance between security and operations. They will also struggle with the political aspects of building a program.
  •  Any leader can tell you that there is a huge gap between the professional consultant and someone with full-time experience.
  • You should interview YOUR CISO and determine if he/she has the requisite knowledge and skills to make you successful. We enjoy having people interview us, as they would an internal employee. We would be glad to provide you with a resume of your CISO to show their qualifications.

2. Is there a conflict of interest, when a company comes in as a CISO and then sells us their other products and other non-related services?

  • It can be a conflict of interest if your CISO-as-a-Service® professional is a part of a large firm that sells products and other services; occasionally, they tend to push you to purchase their products, meaning the CISO might have not have your best interest at heart. Instead of being fully vested to ensure a purpose fit program for the company, he/she might be forced to push product and services.

3. How can a part time company build a program faster and cheaper than our internal employee?

  • A CISO-as-a-Service® professional hits the ground running with the tools, tricks of the trade, and other pieces of information that can make a huge difference in the overall successful delivery.
  • We have discovered that being a third party, your professional opinions are more likely to be considered. Many times, an internal person must deal with too many internal politics.
  • With a professional company, you do get the collective knowledge of the team. This benefit is critical to your success.

4. I am the acting CISO or want that job; I am the CIO and do not want to look bad; or I have other fears that this company will displace me, my team, or others and or damage my reputation.

  • As a consultant with experience performing in this capacity, it is our job to make you successful, based on your definition of success. Your CISO should ensure that your company is highly successful in all aspects of the process.
  • It is also our responsibility, as it would be in a full-time CISO, to ensure that we mentor staff and prepare them to take over for us.
  • We should be a core part of the TEAM that is designed to enable the company to succeed.

5. Is a CISO-as-a-Service® just going to come in, drop templates on my desk and have me implement them?

  • No unless they don’t want to succeed! This person should be YOUR CISO and perform is the SAME capacity, just on a part time basis.
  • Any templates or other tools that are brought in should be used as a starting point, above ground level, to allow a faster (controlled) implementation; No template is a one size fits all, it must be molded to your company. It must have an implementation strategy. It must be your company’s established program that is implemented through a formal process that follows your company’s normal flows.
Conclusion

A responsible company knows that to run their company correctly, they must have the correct leadership! Most companies would never ask corporate attorney to lead the IT department. At the same time, most companies would never place a paralegal into the corporate counsel position.

We believe that the same is true for companies who make the Chief Information Officer (CIO) in direct charge of cybersecurity. Most Chief Information Officers (CIOs) will tell you that they are not comfortable managing cyber security and IT at the same time; these can be conflicting. We’ve also found that companies who place a Security Analyst into the position of strategically building a cybersecurity program will fail to recognize a comprehensive, risk-based, and cost-effective solution that truly enables the business to succeed. Hire the right person for the job and you will reap the rewards of your decision.

We look forward to your feedback on our website; www.cyberselfdefense.org

CISO-as-a-Service®

Cyber Self-Defense was built as a result of a growing demand in the marketplace seeking out knowledge, expertise, and leadership in cybersecurity and risk management.  Our clients wanted us to bring in our templates, processes, experiences, and our collective knowledge and put it to work for them.  They wanted people who had built programs from the organically — from the ground-up. They wanted people who were known for enabling the business through cybersecurity efforts, not people who shut the business down with high costs and inappropriate rules. This is how we grew into a full-time business which has positively and directly contributed to the success of our clients.

Cyber Self-Defense has years of experience in reducing your cybersecurity risk and we would love to work with you on all your cyber risk needs. We make cybersecurity attainable for all organizations, without inhibiting your ability to work and make a profit. Cyber Self-Defense can be reached at: (866) CYBER-96 or on our website: www.cyberselfdefense.org

Life Imitating Art

By Cyber Crime, Cyber Security, Defensive Tactics No Comments

Years ago I remember Hollywood producing attempts at riveting yet profitable on-screen dramas which involved plot-centric cyber security elements resulting only in disappointment as they bore no resemblance to actual reality. Today as InfoSec becomes more mainstream there are now big and small screen serials involving a hacker protagonist or a cyber victim heroine. What I like about modern-day renditions is the themes and dialogue are no longer technically fictional. We live in the age of information and war is fought on the cyber battleground. Nothing is more relevant than the context of a personally identifiable subject. Still the Hollywood dramas, as realistic as they are, still leave a lot to roll your eyes at (or to cover your eyes at). Read More

Blinky Light Syndrome

By CISO/Management, Cyber Crime, Cyber Security, Defensive Tactics, Risk Management, Tutorials No Comments

Far too often, I meet companies who are excited when I arrive. They pull me into their data center and show me their new KYZ 5000 and go on to explain that it has ended all of their cyber security concerns. I review the device and find out that it is plugged in and has a flashing light somewhere in the front and that is the end of the story. Other times, I go to a site and find that the company has just purchased an ABC 1000; plugged it in, turned it on, and perhaps even configured it.

In both cases, I tend to ask what problem(s) the piece of equipment is solving. Most of the time, I hear a story like; “Mike, you don’t understand, Joe down the street just bought one and it has solved all of his problems!”

Unfortunately, I find that these are simply impulse buys or worse, auditor pleasers. When we actually take a look, they are not working the way the purchasing company believes they are working. I frequently ask the company’s representative how this purchase has helped to lower the company’s risk. They usually give me a blank stare and asked what I mean. I usually ask to see the company’s risk assessment. The person then goes into panic mode and begins a hunt for the risk assessment. After finding the risk assessment (and knocking a year’s worth of dust buildup off), I ask how the purchase has reduced the risks listed in the assessment.

Risk Assessment

It is usually at this point that I must explain that the risk assessment is designed to help organizations manage their security spend, the effects of security on the end user, and the true need for security. After reviewing the risk assessment together, we usually agree that had the organization used the assessment as it was intended, the same spend would have reduced risk a great deal more than the purchase of the equipment; perhaps the piece of equipment reduced the risk by .5% and spending the money wisely would have reduced risk by 30%.

Cybersecurity experts MUST be risk managers. They MUST ensure that the security program is being managed to enable the success of the business. When we do not use our risk assessment to perform our duties, we run the risk of over spending, over protecting, or simply wasting time, money, and resources. It is also crucial for us to understand that our roles require that we understand all methods of treating risk. Many, in our community, believe that we must throw technology at everything and that it will solve all. Even the vendors (at least the honest ones) will tell you that their technology is one part of an overall strategy.

Many would agree that their technology must be fully implemented from a technology configuration, policy, procedure, and corporate strategy standpoint; having the equipment plugged in, whether configured or not, is only one piece. On that same note, the technology MUST work in harmony with all other security strategies. I have yet to find a tool that will solve all Information security problems; as cybersecurity experts we must layer our approach to cybersecurity. Our approach MUST include training, risk management, policy procedure, company buy-in, and technology. Note that technology is last; without the first pieces, you have (BLS) Blinky Light Syndrome.

Blinky Light Syndrome (BLS) describes a device that is plugged in, turned on, but not doing what the owner thinks it is doing or what the owner wants it to do. It can be used to describe either of the scenarios I covered at the beginning of this article.

Conclusion

In conclusion, a risk assessment is not just used once a year, to show auditors that you have it. It is a tool that takes on a living role in your success as a cybersecurity expert. It grows with you, as you add new processes, technologies, or the business changes; the risk assessment grows. As your company divests, the risk assessment should be consulted and adjusted to reflect the changes. When you purchase new security tools, your risk assessment should aid you in determining exactly how the solution will need to be set up and configured. At Cyber Self-Defense, we make it our business to help your organization to steer clear of Blinky Light Syndrome and equip you to truly be secure!