Daily Banking News

Cynet Paper On CISO Strategies


Cynet announced a new guide titled “10 CISOs with Small Security Teams Share their Must Dos and Don’ts”, which details how to effectively manage small and medium enterprise (SME) security with five or fewer cybersecurity team members. Because the challenges facing smaller security teams differ from those facing larger teams, these IT professionals must be more creative and pragmatic than their large enterprise counterparts.

The past several years have seen a rise in cybersecurity attacks on businesses of every size. Business email has been compromised, endpoints are under constant threat, and ransomware attacks have multiplied, to name a few.

Unlike large enterprises with extensive cybersecurity teams, SMEs are plagued with a lack of dedicated resources, device mis-administration, lack of training and a reduced level of IT management framework. Despite this, SME CISOs with these reduced teams have adapted and overcome and, in a recent survey, provided ten recommendations for maintaining the highest level of protection possible.

Ten recommendations

  • Invest in communicating upstream:

Develop and present a strategy/plan to address cybersecurity attacks. This should be done annually and be presented in board meetings. Avoid tech-speak and present the statistics, trends and overview of new threats. Discuss the business risk these threats pose and the company’s ability to defend against such attacks. Set the budget and expectations in the plan and communicate what can and cannot be done, along with the associated risks.

  • Leverage compliance to increase security budget:

Compared to cybersecurity budget concerns, the compliance budget “is what it is.” It is an inflexible requirement: the business must comply in order to operate. Leverage the compliance budget to augment the security environment for adherence. Verify with a control vs. regulation matrix and check for gaps on each regulation. This is a forward-looking approach that will help to easily comply and understand what gaps remain when the next regulation arises.

  • Consider the end-to-end costs of purchased products:

From initial deployment to post-installation analytics, alerts and maintenance, the costs of new security solutions cover multiple areas. When investing in a new cybersecurity product, make sure to understand the associated investment beyond the actual product cost and the security coverage, the upgrade frequency and requirements, dashboard/SIEM monitoring for alerts, false positive rates and more. Ask the vendor for a trial period in order to better understand and assess these parameters.

  • Consolidate security platforms:

There can be many layers of security with each increasing the level of overall IT complexity. Look for that single product that consolidates multiple technologies by design.

  • The most well-known and/or expensive brand is not necessarily the best:

Check comparison sites, read blogs and speak with colleagues to gain from their experience with various solutions. See how solutions rank in terms of third-party evaluations and security effectiveness.

  • Avoid the security alert wild goose chase:

Security teams, by definition, operate on alerts. Since smaller teams do not have the resources to follow up on each alert, set policies that define when a particular alert needs to be addressed. Make sure to follow up on alerts that have been automatically remediated, since that initial threat could be part of a larger campaign.

  • Consider security solutions that do not block operations:

Employees will nearly always try to subvert a security policy if it slows down their operations. Instead of creating a uniform policy for all entities at the company, opt for multiple policies per role and how to overcome challenges.

  • Automate as much as possible:

If there are multiple manual tasks, there is most likely a way to automate these to reduce the time investment….


