Tony Asher discusses how a virtual CISO can enhance cybersecurity posture by first assessing the current state using “risk visibility,” which involves understanding the sensitivity and movement of data. He emphasizes the importance of protecting data confidentiality, integrity, and availability across various environments, including internal networks, cloud applications, and third-party vendors. Asher introduces a risk formula to measure and prioritize risks, which helps in creating a risk register and managing risks consistently. He highlights the need for clear communication and alignment with business goals to define an appropriate risk appetite and set cybersecurity milestones.
Action Items
- [ ] Assess the organization’s current cybersecurity posture and risk visibility.
- [ ] Gain understanding of the sensitive data the organization handles and where it is stored, accessed, transmitted, and deleted.
- [ ] Define the organization’s risk appetite and desired cybersecurity posture through stakeholder alignment.
- [ ] Apply a risk formula to consistently measure and prioritize risks, and track them over time.
- [ ] Regularly report on cybersecurity risks and progress to stakeholders using consistency.
How can a virtual CISO improve your cyber security posture?
My name is Tony Asher and I’ve been a vCISO for over five years. I will attempt to answer this question. What we’re talking about today is your cyber security posture. How can any virtual CISO help you with this?
Assess
First, before we talk about acquiring a certain posture, the first thing we need to do is assess your current posture. So just as if you were going to go to a chiropractor and you wanted to be in alignment, what they first do is do some kind of assessment to see how you’re doing now. Because sometimes we come in wearing our security hats, our tin foil hats, and we project a sense that we need to get to a certain destination. If we do that on our own, without engaging and aligning with the business, we get out of track, and we set priorities and milestones that are not aligned. And I call that the cyber snare. You can look that up if you’re interested in learning more about that once we assess through what I call risk visibility. Risk visibility is about 80 to 90% of a good cybersecurity program. It’s really getting in and understanding what is at risk.
Data / Crown Jewels
Data is currency, so our goal is to protect the confidentiality, the integrity and the availability of that data. To do that, we need to get visibility over what elements of all the data that we work with are sensitive or restricted. Once we have visibility over data classification, we can take that a step further, and we can start to gain visibility over where does that data live?
- How is it born into our control?
- Where is it stored throughout the environment
- Who has access to that data?
- How does that data transfer or communicate from one asset to another, whether it’s internal or external.
- And finally, where does that data go to die?
- Do we ever destroy that data?
- Do we destroy it appropriately?
Risk Visibility
Once we have that clear data visibility, a virtual CISO can start to permeate that and share that information with the proper stakeholders at the company. And this is where that alignment starts to happen. And it happens we, as we start to discuss, we start to get a feeling of what we call risk appetite, or risk culture, and we can start to define where we want to go with that risk program. What is our final destination? How do we define done now, when we think about, you know, improving your cybersecurity, posture and data being currency. In the old days, it used to just sit on a server, maybe a workstation, and today it keeps getting wider and wider. When we’re talking about posture, we have to look at the distinct environments that that data lives, breathes, moves, and we’re talking about number one, the internal network. So maybe you have an office with workstations, laptops, printers, servers, routers, switches, firewalls, Wi Fi. Another environment might be the cloud environment. Maybe you’re using some cloud apps like Microsoft, o365 or Box or Salesforce. The next thing we need to look at is applications. Have you developed applications? Are you hosting applications? They are their own environment that we need to be concerned about risk posture around and then finally, third party vendor environments. Are we sharing that data? That’s currency. Are we letting it leave our environment to go to a third-party vendor, or are we becoming stewards of other vendors data? So that’s another posture we need to be concerned about. Once we have, we’ve assessed, we’ve gained visibility, and we understand these different environments about risk posture.
Risk Formula
We need to articulate all this together and bring it together, and we do that through risk formula. And a risk formula allows us to measure risk consistently. Risk formula for me, the risk formula that I propose and I use is data or that crown jewel times threat times vulnerability, minus your existing security controls. When we have that formula, the output is risk. Now we can rank and. Prioritize those risks and add them to what we call a risk register, to manage those on an ongoing basis and track them to resolution and what we call risk treatment, we can also start tagging those risks. When we’re thinking about risk posture, you know, we have different things that come at us based on our posture. How does this relate to cybersecurity? Well, there’s different types of risks. There could be a risk that could affect the company’s reputation. Now, those risks are sometimes really hard to measure on a financial basis. We just have this fear or this feeling that, hey, if we were to get hacked, and it were to go in the news, it would affect our reputation. How big of a difference would that make in your company? What would a public breach mean, as far as a reputational impact to you? And there’s other types of risks too. A risk could affect our operation of the company. It could affect the availability of critical applications or resources and platforms that we use. It could affect regulatory maybe we have compliance or regulatory standards that affect us, and if those are not held up, there could be a fine or a consequence. And then finally, there’s confidentiality risks. Maybe we’re letting records go that we could lose the integrity or confidentiality of.
Risk Reporting
So those are different types of risks that we would want to tag to ensure that we fully understand and help improve the risk posture of a company. What’s really important as we articulate all this is reporting and communicating and in a consistent manner. Consistency is really important because we only have so many opportunities to talk about cybersecurity risks with the executive staff, Audit Committee, cybersecurity governance board. When we present, we want to give an update on what did we presented before.
- How is that changed?
- What have we done about it since last time we met?
- What how are we How is our posture today?
- And what do we propose or recommend that we do?
- What are our next steps moving forward that we can talk about the next time we meet?
As we go through this process of consistently reporting and having these conversations, the stakeholders contribute to that conversation, and we start to align our risk appetite that’s appropriate for the company today, and through that, we can identify proper cybersecurity milestones to reach a security posture that’s appropriate. I hope that helps you understand how a virtual CISO can help improve your cybersecurity posture.
Keywords
posture, risk, data, visibility, cybersecurity, environment, today, affect, ciso, align, company, call, workstation, understand, third party vendor, milestones, assess, formula, reputational
Recent Comments