The CISO (Chief Information Security Officer) position is complex and demanding. With an ever-expanding threat landscape, the CISO navigates a web of responsibilities that runs the gamut from staying ahead of cyberattacks and managing security teams to analyzing and communicating risk, all in order to protect a company’s information assets.
With that responsibility comes difficulty. A CISO needs the support of the surrounding IT team to improve the protection of those assets, but that support can be hard to come by. Communication and education go a long way toward bridging the gap between CISOs and IT teams.
Patching: A Cross to Bear
IT teams don’t always love patching. Every week, new patches are released to close security holes in operating systems and software, and every hour IT spends applying them is an hour not spent on other work. And yet known vulnerabilities are being exploited at increasing rates.
Educating IT teams on the cost of a breach can help, and is likely part of a company’s compliance training already. Making IT teams personally accountable for patching metrics through performance goals can incentivize them to keep systems up to date.
Balance Between 100% Patching and Reality
One hundred percent patch compliance is impossible. It often happens that a system is patched in the morning and a new vulnerability is announced that afternoon, so the system is out of compliance again by the end of the day. CISOs and their teams are responsible for determining the risk of each vulnerability and a tolerable delta between patch release and patch deployment, with a shorter delta for higher-severity or actively exploited vulnerabilities.
The downtime required to patch a server can cost the business money, client satisfaction or client retention. Legacy systems often have little or no redundancy, and their failover procedures are usually manual, so an IT team that is already spread thin has to spend an inordinate amount of time on patching and remediation.
The Budget Crisis
Depending on the company’s organizational structure, CISOs and IT teams may be fighting for the same budget year after year. It doesn’t have to be that way. Consider the legacy systems that require manual work to patch. It’s in the CISO’s interest to have those systems patched, and it’s in both the CISO’s and IT’s interest to keep clients happy.
Spending budget on load balancing or patch automation is a good way to reduce the load on IT when patching those systems. Eliminating the manual steps also means patches can be rolled out faster, which puts more systems in compliance sooner. This is a win-win for the CISO and IT.
CISO and IT Teams Keeping Current
Another way CISOs and IT teams can get more for a shared IT budget is to keep technology current. Old hardware, servers and desktops running operating systems or software that the vendor no longer patches create unsustainable technical debt in the form of security holes that can never be closed. Replacing old systems before they reach end-of-support benefits both sides.
CISOs need to prevent compromise and, where prevention fails, detect it. The IT team needs to detect unauthorized changes to the IT landscape reliably. Rogue devices, reboots outside a maintenance window, or unusual network activity can all be signs of a compromised system that an IT team will need to react to.
Tools like Ipswitch’s WhatsUp Gold can quickly detect new devices with the Automated Discovery feature. Using tools that can quickly identify and remediate these threats goes a long way toward protecting a company’s assets.
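As an added illustration of the two detection cases above (a rogue device and a reboot outside the maintenance window), the script below runs simple checks over a handful of constructed log lines. It is example code written for this page, not code from the article or from WhatsUp Gold; the device inventory, the ISC-dhcpd-style DHCPACK lines, the Linux kernel boot messages and the Saturday 02:00-06:00 UTC maintenance window are all assumptions made for the example.

```python
"""Flag rogue devices and out-of-window reboots from sample syslog lines.

Added example; not code from the original article or from Ipswitch's WhatsUp Gold.
Assumptions (hypothetical): an approved-device inventory keyed by MAC address,
ISC-dhcpd style DHCPACK lines and Linux kernel boot messages with ISO-8601 UTC
timestamps, and a weekly maintenance window on Saturdays 02:00-06:00 UTC.
"""
from __future__ import annotations

import re
from datetime import datetime, time, timezone
from typing import Dict, List

# Hypothetical approved inventory: MAC address -> hostname (constructed sample data).
KNOWN_DEVICES: Dict[str, str] = {
    "00:11:22:33:44:55": "fileserver01",
    "00:11:22:33:44:66": "dc01",
    "00:11:22:33:44:77": "ws-finance-12",
}

# Assumed maintenance window: Saturday (weekday 5) 02:00-06:00 UTC.
MAINTENANCE_WEEKDAY = 5
MAINTENANCE_START = time(2, 0)
MAINTENANCE_END = time(6, 0)

# Constructed sample log lines; the "raspberrypi" lease and the Tuesday reboot are the anomalies.
SAMPLE_LOGS: List[str] = [
    "2024-03-02T03:15:00Z dhcpd: DHCPACK on 10.0.1.20 to 00:11:22:33:44:55 (fileserver01)",
    "2024-03-02T03:16:10Z fileserver01 kernel: Booting Linux on physical CPU 0x0",
    "2024-03-05T14:02:33Z dhcpd: DHCPACK on 10.0.1.88 to de:ad:be:ef:00:01 (raspberrypi)",
    "2024-03-05T14:40:12Z dc01 kernel: Booting Linux on physical CPU 0x0",
    "2024-03-05T14:41:00Z dhcpd: DHCPACK on 10.0.1.21 to 00:11:22:33:44:66 (dc01)",
]

DHCP_RE = re.compile(
    r"^(?P<ts>\S+) dhcpd: DHCPACK on (?P<ip>[\d.]+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)
BOOT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel: Booting ")


def parse_ts(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp, accepting a trailing Z for UTC on older Pythons."""
    dt = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return dt.astimezone(timezone.utc)


def in_maintenance_window(ts: datetime) -> bool:
    """True when ts (UTC) falls inside the assumed weekly maintenance window."""
    return ts.weekday() == MAINTENANCE_WEEKDAY and MAINTENANCE_START <= ts.time() < MAINTENANCE_END


def find_rogue_devices(lines: List[str], known: Dict[str, str]) -> List[dict]:
    """Return the first DHCP lease seen for each MAC address not in the inventory."""
    seen = set()
    rogue = []
    for line in lines:
        m = DHCP_RE.match(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        if mac in known or mac in seen:
            continue
        seen.add(mac)
        rogue.append({"ts": m.group("ts"), "ip": m.group("ip"), "mac": mac})
    return rogue


def find_out_of_window_reboots(lines: List[str]) -> List[dict]:
    """Return kernel boot events whose timestamp lies outside the maintenance window."""
    events = []
    for line in lines:
        m = BOOT_RE.match(line)
        if not m:
            continue
        if not in_maintenance_window(parse_ts(m.group("ts"))):
            events.append({"ts": m.group("ts"), "host": m.group("host")})
    return events


if __name__ == "__main__":
    for r in find_rogue_devices(SAMPLE_LOGS, KNOWN_DEVICES):
        print(f"ROGUE DEVICE  {r['ts']} {r['mac']} leased {r['ip']}")
    for e in find_out_of_window_reboots(SAMPLE_LOGS):
        print(f"REBOOT OUTSIDE WINDOW  {e['ts']} {e['host']}")
```

The inventory is the piece that matters: a new-device alert is only as good as the list of approved devices it is compared against, so IT has to keep that list current for the CISO's detection to mean anything. The reboot check deliberately treats the Saturday reboot of fileserver01 as normal and flags only the Tuesday afternoon reboot of dc01.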
Defining Security Metrics
It is tricky to measure “security”, which makes it correspondingly hard to measure a CISO’s value. Organizations need to prove they are doing enough to keep their assets safe. The lack of effective metrics is a major issue, but some metrics are useful.
CSO Online suggests a few good metrics for information security. Defense coverage, patch compliance and patch latency, and the results of outside testing are examples of metrics that can be used to gauge the strength of a security program, but gathering the data for them will also require the cooperation of your IT team.
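The patch compliance and latency metric named above is the measurable form of the “tolerable delta between patch release and patch deployment” from the patching section. The script below is an added example written for this page, not code from the article or from CSO Online; it computes both numbers as of a chosen report date from a constructed inventory. The per-severity tolerances, the ADV-2024-NNN advisory labels and the hosts are assumptions for the example and not real identifiers. The point-in-time design handles the “patched this morning, new vulnerability this afternoon” case: a finding released today is in scope but not yet overdue, so it counts as compliant until its delta expires.

```python
"""Patch latency and compliance report over a constructed inventory.

Added example; not code from the original article, CSO Online or any vendor product.
Assumptions (hypothetical): a per-severity tolerable delta in days, advisory
labels of the form ADV-YYYY-NNN that are constructed and not real identifiers,
and a point-in-time "as of" date for the report.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical tolerable delta between patch release and deployment, in days.
TOLERANCE_DAYS: Dict[str, int] = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class PatchRecord:
    host: str
    advisory: str             # constructed label, not a real advisory identifier
    severity: str             # one of the TOLERANCE_DAYS keys
    released: date            # date the vendor published the patch
    deployed: Optional[date]  # date the patch landed on the host, or None if still open


def latency_days(rec: PatchRecord, as_of: date) -> int:
    """Days between patch release and deployment; open findings are measured up to as_of."""
    end = rec.deployed if rec.deployed is not None and rec.deployed <= as_of else as_of
    return (end - rec.released).days


def is_compliant(rec: PatchRecord, as_of: date) -> bool:
    """A finding is compliant while its latency is within the tolerable delta.

    A patch released this morning and not yet deployed is therefore still
    compliant this afternoon; it only becomes overdue once the delta is exceeded.
    """
    return latency_days(rec, as_of) <= TOLERANCE_DAYS[rec.severity]


def compliance_report(records: List[PatchRecord], as_of: date) -> dict:
    """Point-in-time patch compliance and latency metrics for the given records."""
    in_scope = [r for r in records if r.released <= as_of]  # ignore patches not yet released
    compliant = [r for r in in_scope if is_compliant(r, as_of)]
    overdue: List[Tuple[str, str]] = [
        (r.host, r.advisory) for r in in_scope if not is_compliant(r, as_of)
    ]
    max_latency: Dict[str, int] = {}
    for r in in_scope:
        lat = latency_days(r, as_of)
        max_latency[r.severity] = max(lat, max_latency.get(r.severity, 0))
    total = len(in_scope)
    return {
        "as_of": as_of.isoformat(),
        "total": total,
        "compliant": len(compliant),
        "compliance_rate": (len(compliant) / total) if total else 1.0,
        "overdue": overdue,
        "max_latency_by_severity": max_latency,
    }


# Constructed sample data for the example.
SAMPLE_RECORDS: List[PatchRecord] = [
    PatchRecord("fileserver01", "ADV-2024-001", "critical", date(2024, 3, 1), date(2024, 3, 4)),
    PatchRecord("dc01", "ADV-2024-001", "critical", date(2024, 3, 1), None),
    PatchRecord("ws-finance-12", "ADV-2024-002", "high", date(2024, 3, 10), date(2024, 3, 12)),
    PatchRecord("legacy-erp", "ADV-2024-003", "medium", date(2024, 2, 1), None),
    PatchRecord("fileserver01", "ADV-2024-004", "critical", date(2024, 3, 15), None),
    PatchRecord("ws-finance-12", "ADV-2024-005", "low", date(2024, 1, 1), date(2024, 3, 1)),
]

if __name__ == "__main__":
    import json
    print(json.dumps(compliance_report(SAMPLE_RECORDS, date(2024, 3, 15)), indent=2))
```

Run as of 15 March 2024, the report shows four of six findings compliant, with the unpatched critical advisory on dc01 and the medium one on legacy-erp overdue; run as of 5 March, the same data shows only the legacy-erp finding overdue, because dc01 is still inside its seven-day delta and the later advisories are not yet released. Reporting the same inventory against different dates like this is what lets a CISO show trend rather than a single snapshot, and it is IT that owns the deployed dates the report depends on.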
Robust Security Controls and Architecture
Since data protection is the CISO’s priority, it is also critical to have security controls in place for that data. Knowing where your data sits, and where it is moving, at a moment’s notice will help the CISO and the IT team if and when an audit takes place. A robust secure file transfer tool, such as MOVEit Transfer, can not only track your data at rest and in motion, but also encrypt that data, maintaining compliance even while the data is moved.
Investing in security is like buying life insurance: you hope that when you need it, you’ve done enough. CISOs and IT teams must share in the silent successes of an effective security strategy, because they will also share in the fallout and subsequent cleanup of a breach if they do not.