By focusing on preparation over prevention, CISOs and their teams can optimize their organizations' resilience in the face of new, unpredictable cyber-security threats.
If there's one thing every CISO knows to be true, it's that cyber-security is unpredictable. The question security executives most frequently face is how to prevent the next significant cyber-attack. Unfortunately, this is the wrong question, because it is hard to predict precisely how threats and threat actors will change.
The preferable approach is to lessen the impact of the significant attacks that cannot be avoided. Unforeseen and disruptive threats affect organizations regularly, so breaches will occur on every CISO's watch; cyber-security executives must therefore strengthen their organization's resilience. This calls for more than just funding preventative measures.
CISOs need to concentrate on three key areas:
Strengthen the resilience of the security strategy
After a cyber-attack, recovering IT infrastructure, applications, and data typically takes more time than the company can afford. With a carefully thought-out resilience program, the firm can recover from an attack swiftly and with the least amount of business interruption.
A resilience program must also include a crisis communications plan. Organizations frequently fail to manage security incident communications well, which leads to inconsistent messages, delays, and confusion about roles.
This may cause stakeholders to draw incorrect conclusions about a security event's origin, severity, and effects. Alongside conventional cyber-security incident response (IR) plans, the company needs downtime procedures so that it can continue operating and communicating with clients and other stakeholders. Downtime procedures include, for instance:
- Documentation that is saved offline after each day or shift, such as blueprints, operating guides, and diagrams
- IT measures, such as immutable (unchangeable) vaults from which application data can be restored
- Operational alternatives, like using spreadsheets to schedule the workforce and putting protocols in place for data reconciliation when a cyber-attack is resolved
Create a crisis management team and process that considers factors such as loss of reputation, expense, effects on human safety and life, and corporate operations. Establish a consistent messaging approach and routinely test the processes.
Enhance security designs with flexibility
Many businesses make security improvements only after "newsworthy incidents." It is common for an organization to make a poor choice in the wake of such an event: a sensational news report prompts a course of action that might have helped the incident's victim but may not be beneficial the next time around.
Constant planning is essential, and flexible security architecture can increase resilience when addressing unanticipated threats. Organizations require a strategy to concentrate first on the most critical exposures. A more organized approach known as an exposure management program aids in creating prioritized lists of remedies and treatments that lessen the company’s attack surface.
An exposure-management program’s long-term goal is to produce consistent and implementable security posture optimization plans that corporate executives can comprehend and approve, facilitating the necessary cross-team collaboration.
Engage executives with the business value of cyber-security readiness
Applying a threat-centric methodology to security provider selection is another way for CISOs to design security for resilience.
Evaluations of security products are frequently restricted to a predetermined market niche, such as "access control" or "endpoint detection and response." However, this form of product evaluation loses effectiveness as vendors continue to blend their offerings and as customers seek to consolidate their vendor portfolios.
Using a threat-centric procurement strategy, the security team should assess technologies from more than one security control category and, possibly, more than one defined market.
Before starting an RFP or proof-of-concept process, establish a set of pertinent metrics for a specific type of attack. Then list the categories of security products and services that can help strengthen the defenses against that threat. For instance, to enhance the organization's security posture against phishing, it is necessary to compare the effectiveness of email security, endpoint, and user awareness controls together rather than in isolation.