How can CISOs best augment their cybersecurity approach?


According to Gartner, chief information security officers (CISOs) who elevate response and recovery to equal status with prevention are generating more value than those who adhere to outdated zero tolerance for failure mindsets.

“Each new cybersecurity disruption exposes the fact that CISOs manage more through adrenaline than intention, which is unsustainable,” said Dennis Xu, VP analyst at the technological research and consulting firm. “CISOs need to be resilient through intention, rather than adrenaline, if they want to survive.”

To help CISOs augment their cybersecurity approach and put response and recovery on an equal footing with prevention, Gartner has advocated a three-pronged approach: building cyber fault tolerance in the business, streamlining to a minimum effective cyber toolset, and building a resilient cyber workforce.

1. Build Cyber Fault Tolerance in the Business
The research firm recommended that CISOs build cyber fault tolerance into their businesses by focusing on two areas where preventative cybersecurity measures are visibly underperforming: generative AI (GenAI) and the use of third parties.

For a rapidly evolving technology like GenAI, it is impossible to prevent all attacks at all times, Gartner said—so the ability to adapt to, respond, and recover from inevitable issues is critical for organisations to explore GenAI successfully. Effective CISOs are complementing their prevention-oriented guidance for GenAI with effective response and recovery playbooks, it noted.

Regarding third-party cybersecurity risk management, no matter the cybersecurity function’s best efforts, organisations will continue to work with risky third parties, explained Gartner. It added that cybersecurity’s real impact lies not in asking more due diligence questions but in ensuring the business has documented and tested third-party-specific business continuity plans in place.

“CISOs should be guiding the sponsors of third-party partners to create a formal third-party contingency plan, including things like an exit strategy, alternative suppliers list, and incident response playbooks,” advised Christopher Mixter, VP analyst at Gartner. “CISOs tabletop everything else. It’s time to bring tabletop exercises to third-party cyber risk management.”

2. Minimum Effective Toolset
One of the places where the zero tolerance for failure mindset is most embedded is in cybersecurity’s approach to technology, the research firm noted.

“CISOs keep old gear past its sell-by date while also rushing to add new tools without fully understanding the added cost and management complexity they bring,” Xu added. “CISOs must break the cycle of gear acquisition syndrome that inhibits their ability to thrive by embracing an ethos of adopting the fewest number of tools required to observe, defend and respond to exploitations of the organization’s exposures.”

To achieve this, Gartner suggested CISOs should identify redundancies and gaps by mapping their toolset to their control framework; build technology proofs of concept around deployment risks, not just feature functionality; and aggressively pursue GenAI augmentations to existing tools.

3. Establish a Resilient Cyber Workforce
“CISOs and their teams often have a heroism mindset,” noted Mixter. “They feel they must avoid bad outcomes at all costs, even at the expense of their health. They need innovation, experimentation, and engagement from their people more than ever, but the way they ask their people to operate often has the opposite effect.”

To create a resilient cyber workforce, CISOs must treat resilience as a true competency, Gartner recommended, and build it in their people in the same way they build technical and other competencies.

The research firm advocated for doing this by making it easy for employees to get the support they need, including building self-care into employee workflows; sharing failure/learning stories, with CISOs setting an example by sharing stories themselves; and reengineering work to reduce burnout by understanding where employees experience friction in their work, reducing bottlenecks, and leveraging automation.
