“The data indicates that there is a disconnect between decision-makers and cybersecurity teams. There needs to be consistent communication, whereas, at the moment, over 40% of cybersecurity leaders only report to the board when a breach has happened. At that point, it is too late,” says Andrew Hollister, Deputy CSO and VP, LogRhythm, in an exclusive interview with ITSecurityWire.
ITSW Bureau: Should security awareness or initiatives start from the top and percolate? Or do you think awareness at lower levels is more effective in meeting security objectives?
Andrew Hollister: Cybersecurity must start with the C-suite and percolate throughout the entire company. Without that clear executive-level sponsorship, cybersecurity initiatives are unlikely to gain traction in effecting real change.
Cybersecurity is not just an IT risk but a business risk. It is critical that the entire organization, especially decision-makers, understand threats and what needs to be done to combat them.
ITSW Bureau: Is there a disconnect between decision-makers and the IT security teams? Would it help if the CISO reported directly to the CEO?
Andrew Hollister: LogRhythm’s survey found that only 7% of cybersecurity leaders report directly to the CEO. As a result, the CEO is either in the dark about the risks or is getting second-hand information. That’s a dangerous scenario and reveals the lack of authority some cybersecurity leaders have.
Where the CISO doesn’t have a direct reporting relationship with the CEO, it is difficult to judge whether C-Suite leaders have a complete understanding of security risks – beyond when a data breach occurs. Cybersecurity leaders are not as influential as they should be and the need for security awareness and initiative to run through enterprises is essential in the current environment.
The data indicates that there is a disconnect between decision-makers and cybersecurity teams. There needs to be consistent communication, whereas, at the moment, over 40% of cybersecurity leaders only report to the board when a breach has happened. At that point, it is too late.
Reporting to the CEO would give CISOs the authority they need to spread awareness of potential security risks throughout the organization. If more enterprises took the time to effectively leverage the expertise of their CISOs and wider security team, the understanding of security budgets, security risks, and areas for improvement would increase dramatically.
ITSW Bureau: Will an agile system of identifying typical attackers, and tracking them, help to decrease attacks?
Andrew Hollister: At a high level, identifying the types of attackers that might be interested in the organization is useful in identifying the types of threats that the organization is facing. Measures may then be put in place to gain visibility into those areas of the business that are most at risk based on that evaluation.
Many organizations use recognized frameworks such as the Cyber Kill Chain, or NIST. These frameworks enable organizations to think in a structured way about threat actors, their tactics, and where they are exposed to risk. This in turn helps organizations to prepare themselves for detection and response.
ITSW Bureau: In your opinion, what strategies should CSOs and CISOs leverage to establish a complete understanding of security risks within the organization?
Andrew Hollister: CISOs should seek to engender a “Security First” approach across the entire organization and ensure each employee understands their role in preserving a secure working environment. It requires education for all staff on cybersecurity and best practice for mitigating threats. This can be as simple as password management and recognizing high-risk emails.
Within the C-Suite, it’s about learning and understanding the risks and threats facing the organization and ensuring lines of communication are open between CISOs and decision-makers. There needs to be an active dialogue that happens continually rather than just when there is a data breach or cyber-attack.
ITSW Bureau: What technological tools and solutions would you recommend to fill the gap between business goals and security goals?
Andrew Hollister: There needs to be an emphasis on reporting and proving the business case for investing in cybersecurity tools, staffing, and resources. Cybersecurity leaders must establish a clear set of metrics that are business relevant and can demonstrate improvements in detection and response rates.
To improve the security posture, the company needs to understand its security operation center’s strengths and weaknesses. Being able to monitor, measure, and communicate the state of your security capabilities is powerful. Measuring metrics such as Time to Detect and Time to Respond plays a pivotal role in the maturing security operation.
Reporting a team’s detection and response trendlines enables them to demonstrate the value they are delivering to the organization, and enables managers to implement improvements over time. These reports can also be used as a basis to brief the C-Suite and the Board. With this level of communication, the board will have visibility into real improvements from investments in cybersecurity and have the confidence to invest further when required.
ITSW Bureau: Do you think the fear of losing their job keeps remote teams from reporting security mistakes? What can be done about this?
Andrew Hollister: Like so many aspects of cybersecurity, this is a business culture and human challenge. Sixty-four percent of IT leaders claim that securing a remote workforce is the biggest security challenge. Fifty-four percent said improving corporate culture was their biggest organizational challenge.
If an employee makes a mistake, the person should be transparent with IT teams and explain the situation without the fear of losing their job. It comes down to leadership, and the better the C-Suite understands cybersecurity, the healthier the work culture will be around cybersecurity and remote working.
Leadership teams that support remote workers when they admit a mistake will have a safer and more secure working environment. They’ll also have happier and more productive remote workers.
Andrew Hollister is Vice President of LogRhythm Labs and Deputy Chief Security Officer (CSO) for EMEA, IMETA, and APJ. Hollister is responsible for overseeing LogRhythm Labs’ research in Threat, Compliance, and Operational Risk. Over the last nine years, Hollister has proven himself as an invaluable member of the business and leadership team in Customer Care, Sales, Labs, and the OCSO organization.