7 tough IT security discussions every IT leader must have
4. Are we truly up to date on emerging threats assessment?
Cybercriminals never sleep; they’re always conniving and corrupting.
4. Are we truly up to date on emerging threats assessment?
Cybercriminals never sleep; they’re always conniving and corrupting. “When it comes to IT security strategy, a very direct conversation must be held about the new nature of cyber threats,” suggests Griffin Ashkin, a senior manager at business management advisory firm MorganFranklin Consulting.
Recent experience has demonstrated that cybercriminals are now moving beyond ransomware and into cyberextortion, Ashkin warns. “They’re threatening the release of personally identifiable information (PII) of organization employees to the outside world, putting employees at significant risk for identity theft.”
Ashkin believes that security leaders should strive to relocate as many on-premises infrastructure resources as possible, thereby shifting cyberprotection responsibilities to cloud providers. Additionally, regularly scheduled management conversations should lead to key decisions, such as potential investments in augmented security tools, updated security awareness training materials, additional communication with end users to raise awareness about the latest security threats, and any other relevant steps needed to address and mitigate employee risk.
5. Do we have a truly effective incident response plan in place?
Every enterprise needs to hold a conversation focusing on incident response, recommends Zachary Folk, director of solutions engineering at cybersecurity firm Camelot Secure.
Planning is critical, Folk says. Discussions should include the enterprise’s executive staff, including the CIO, CISO, CTO, the incidence-response team coordinator, and all department heads. The meetings and conversations should lead to the development or update of an incident response plan, he suggests. The discussions should also review mission-critical assets and priorities, assess an attack’s likely impact, and identify the most probable attack threats.
By changing the enterprise’s risk management approach from matrix-based measurement (high, medium, or low) to quantitative risk reduction, you’re basing actual potential impact on as many variables as needed, Folk says. “By using simple Monte Carlo simulations and data gathered from your enterprise you can give senior staff members an actual probability of loss, potential occurrence, and impact.”
6. Are we achieving maximum ROI on our security investments?
It’s time to stop running away from security ROI conversations, states Brian Contos, CSO at IT asset visibility and cybersecurity company Sevco. Enterprises have invested heavily in CMDB, SIEM, SOAR, EDR, vulnerability management, and related solutions, he notes.
“To achieve value for these solutions, enterprises need to ensure that the information flowing into them, such as asset intelligence, is timely, accurate, and deduplicated,” he says. Strong asset intelligence within enterprise-class security solutions won’t just help you better mitigate risk; it will improve the ROI on those investments.
The ROI conversation should result in security, IT operations, and GRC (governance, risk, and compliance) teams gaining better visibility into their environment, Contos says. It should focus on everything that’s good and bad while identifying the areas requiring the most rapid improvement. Prioritized actions can then be assigned to the appropriate teams to address topics such as licensing, process improvement, vulnerability hunting, security control visibility, and regulatory mandates.
“Ultimately, mitigating risk and maximizing ROI should combine when asset intelligence is utilized to enrich the effectiveness of existing tools focused on security, IT operations, and GRC,” he advises.
7. What is the true extent of our financial exposure?
Perhaps the most critical IT security strategy conversation focuses on answering a single question: “What financial loss would our customers face if our IT systems went down?”
The goal of these discussions should be establishing a secure, robust, and resilient IT environment, one that customers can be sure will remain up and running, allowing products and services to be delivered without interruption, says Rob Fitzgerald, field CISO at managed services and IT strategy firm Blue Mantis.
This conversation should occur no less than annually, and ideally before budget season so the CIO and CISO can plan accordingly, Fitzgerald advises. If any major business-impacting events occur, a conversation needs to happen during those times as well, he says. “For example, if an organization is going to sell off a division or acquire another organization, the CIO and CFO have a fiduciary obligation to re-evaluate the fiscal loss customers would face should the organizations’ IT systems become unavailable.”
About Author
