CISO 101: Securing the expanding attack surface and demonstrating ROI

Matt Brigham, ANZ Regional Sales Manager, Tenable

The increasing digitisation of business coupled with recent high-profile cyber attacks has propelled IT security professionals from the back room to the boardroom.

Many organisations are appointing chief information security officers (CISOs) to implement strategies that will protect operations while at the same time support business growth.

With this elevated stature comes a range of challenges. As organisations continue to adopt new technologies such as cloud, BYOD, containers and web applications, their IT environments and their available attack surfaces grow considerably. The CISO is often left with just two choices: act as a roadblock to innovation, or enable it without compromising security.

Unfortunately, choosing which approach to take is not easy. The rising complexity and decentralisation of enterprise IT are making it harder for security teams to see everything on their networks and accurately assess cyber risks.

On top of that, they must grapple with an increasing number of sophisticated threats and attacks. According to the Tenable 2017 Global Cybersecurity Assurance Report Card, security professionals named an overwhelming cyber threat environment as their biggest security challenge.

While there is no silver bullet technology when it comes to security, there is a range of dos and don’ts that CISOs should consider. Unfortunately, there are also three key rules that security professionals often forget to follow. Those rules are:

  • Know what’s on your network:
    True security starts with visibility. Today’s increasingly complex and dynamic IT environment has moved security beyond the confines of well-defined perimeter networks, thanks to trends such as cloud, mobile and BYOD. Security professionals must fundamentally change how they think about cyber risk, and how they practise security, if they want to become a world-class cyber organisation.

    Periodic scanning is not enough — organisations need active, passive and log/event correlation to achieve true continuous and pervasive monitoring. This helps detect threats faster and with greater accuracy by continuously uncovering and tracking users, applications, cloud environments and mobile devices. It also allows organisations to perform continuous vulnerability assessments across all network assets.

  • Create a seamless and intelligent security ecosystem:
    Security vendors have been slow to adapt to the changing threat landscape. The days of buying and managing dozens of 'best-of-breed' layered security products from various vendors are over. Organisations need a balanced approach to security investment with solutions that — even if from different vendors — are still part of an integrated security ecosystem where everything works together to deliver comprehensive protection.

  • Win your board and come armed with metrics:
    Security teams are now expected to contribute meaningfully to board-level decision making. Understanding their security posture and risk profile is a good start, but today’s security teams must also be able to convey that up the chain.

    Board-level commitment has always been a concern for security teams. Executive-level reporting on organisational risk levels enables the kind of informed decision making now required of senior business leaders. Having the right metrics is crucial to convincing senior executives that cybersecurity should be taken as a high-level business concern. It is equally important to ensure that these metrics are readily available and easily digestible for people without in-depth security expertise.
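
The first and third rules above (combine active, passive and log/event views to see every asset, then turn the result into digestible executive metrics) can be illustrated with a small script. The following is an added example, not code from the article or from Tenable: it reconciles three constructed data sources (an active scan inventory, passively observed hosts, and a handful of authentication log lines) to flag assets the scanner never reached, then rolls the findings up into a few board-level numbers. The data, the log formats, the 30-day remediation SLA and the field names are all assumptions made for the example.

```python
import re
from datetime import date

# Constructed sample inputs (not from the article): the three visibility sources the text names.
# Assets the scheduled active scanner reached, with their open findings.
ACTIVE_SCAN = {
    "10.0.1.10": [{"id": "web-ssl-weak", "severity": "high", "first_seen": date(2017, 3, 2)}],
    "10.0.1.11": [{"id": "db-unpatched", "severity": "critical", "first_seen": date(2017, 1, 15)}],
    "10.0.1.12": [],
}
# Hosts seen talking on the wire by passive network monitoring.
PASSIVE_SEEN = {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.40"}
# Constructed authentication / VPN log lines in two different formats.
AUTH_LOG = [
    "2017-05-01T08:02:11Z sshd[1021]: Accepted publickey for deploy from 10.0.1.10 port 51022",
    "2017-05-01T08:05:43Z sshd[1022]: Accepted password for admin from 10.0.1.55 port 40012",
    "2017-05-01T08:07:02Z vpn: session start user=jlee src=10.0.2.7 device=mobile",
    "2017-05-01T08:10:00Z cron[77]: nightly backup finished",  # no source address at all
]

# Matches "from 1.2.3.4" (sshd style) and "src=1.2.3.4" (VPN style).
IP_RE = re.compile(r"(?:from|src=)\s*(\d{1,3}(?:\.\d{1,3}){3})")


def ips_from_logs(lines):
    """Pull source addresses out of log/event lines; lines without one are ignored."""
    found = set()
    for line in lines:
        match = IP_RE.search(line)
        if match:
            found.add(match.group(1))
    return found


def reconcile_assets(active, passive, log_ips):
    """Union the three views of the network; anything the active scanner
    never reached but another source saw is a visibility gap."""
    known = set(active) | set(passive) | set(log_ips)
    scanned = set(active)
    return {"known": known, "scanned": scanned, "unscanned": known - scanned}


def board_metrics(active, inventory, as_of, sla_days=30):
    """Roll raw findings and coverage up into numbers a non-specialist can act on.
    sla_days is an assumed remediation target for high/critical findings."""
    open_by_severity = {}
    over_sla = 0
    oldest_days = 0
    for findings in active.values():
        for finding in findings:
            sev = finding["severity"]
            open_by_severity[sev] = open_by_severity.get(sev, 0) + 1
            age = (as_of - finding["first_seen"]).days
            oldest_days = max(oldest_days, age)
            if sev in ("critical", "high") and age > sla_days:
                over_sla += 1
    known = len(inventory["known"])
    coverage = 100.0 * len(inventory["scanned"]) / known if known else 0.0
    return {
        "scan_coverage_pct": round(coverage, 1),
        "unscanned_assets": sorted(inventory["unscanned"]),
        "open_by_severity": open_by_severity,
        "high_or_critical_over_sla": over_sla,
        "oldest_open_finding_days": oldest_days,
    }


def report(as_of=date(2017, 5, 1)):
    """Run the whole pipeline over the constructed data for a given reporting date."""
    inventory = reconcile_assets(ACTIVE_SCAN, PASSIVE_SEEN, ips_from_logs(AUTH_LOG))
    return board_metrics(ACTIVE_SCAN, inventory, as_of)


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The useful output is not the vulnerability list itself but the gap it exposes: half of the hosts that the passive sensor or the logs know about were never assessed by the scanner, which is exactly the kind of single, explainable figure an executive can fund a fix for.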

Security can only be effective if it is strategic. Start by knowing everything in your IT environment, identifying all of the vulnerabilities, actively searching for malware, intruders and signs of compromise, and then prioritising actions that can immediately reduce risk across the entire organisation. And make sure security objectives map to the business. Doing that kind of detailed work can be expensive and time consuming, but it’s one of the best ways to help organisations ensure they are well-prepared for the security challenges of today and tomorrow.