CISOs are the cornerstone of managing an organization’s high-level data-security risks, which means they have a lot on their plates. Detecting, responding to, and protecting against threats requires them to maintain compliance standards, select a strategic mix of technologies, manage a strong security team, and empower the company’s broader workforce to act effectively. (No pressure, right?)
The good news for CISOs is that they’re not alone; there are tools that can help. Here are five questions CISOs should ask themselves to make sure they have the right tools and systems in place to better protect their company’s data, people, and reputation.
How much of our cyber approach is dedicated to proactive threat hunting vs. ongoing response?
As any C-level executive working in 2019 can tell you, the days of simply waiting for incidents to bubble up are over. Organizations are realizing that proactive threat hunting is the key to stronger protection and a better understanding of their vulnerabilities. But for many, dedicating headcount to threat hunting rather than incident response is not always possible. Putting out the biggest fires will always be necessary, but when those fires consume the majority of a team’s time, there are few resources left to proactively look for potential weaknesses in the organization.
“More than a quarter of security practitioners interviewed by Intel Security report continuing to operate in reactive mode with a mostly ad hoc approach to security operations, threat hunting and incident response.”
Having a security platform that consolidates and contextualizes all endpoint and server events can enable smaller teams to tackle both threat hunting and quick incident response.
How often does alert fatigue impact our team’s ability to fully investigate events?
Alarm fatigue is real. We see it in our personal lives, in healthcare, and in just about every mode of transportation, and the consequences can be dire. Cybersecurity is not immune. As sophistication grows in UBA, DLP, and EDR technologies, the number of alerts, false positives, and notifications will continue to overwhelm security teams (nine out of 10 security practitioners report an inability to triage all potential threats). In an IT security survey by the Ponemon Institute, more than 37 percent of respondents reported facing more than 10,000 daily alerts; more than half of those alerts were false positives. What happens when there’s not enough time in the day to address every alert and an actual attack is overlooked?
Have we asked vendors the hard questions about their machine learning and AI?
If you’re playing buzzword Bingo while reviewing your vendors, it won’t take long to hit a winner. But there is a big difference between vendors who slap machine learning onto their platform and those who build tools that allow machine learning to continually improve efficiencies.
“Demand a demonstration, not a presentation.” – Gartner
Ask your vendors the hard questions. Please explain your algorithms in detail. What are the specific trends and patterns targeted? Does the tool capture its own data? If not, how do you determine the reliability of the data? How do your algorithms react to data imperfections? And, can you show me how it really works? Dig deeper and it will quickly become clear when machine learning is going to offer true value and when it’s simply marketing speak.
Have I checked all of the boxes for GDPR compliance?
The last year has been the most compliance-focused in the industry’s short (albeit intense) history. As such, security teams have had to shift time and resources to keep pace with new regulations. No longer do fellow executives ask their CISO ‘Are we secure?’ They’re now asking ‘How much will we be fined if we’re breached?’ GDPR has brought an additional set of regulations, expectations, and opinions to the industry.
“Quietly working out a plan will no longer be an option.” – Jacek Materna, on GDPR
In the case of a breach, Article 30 states that you need to have adequate data records for real-time auditing by a supervisory authority. And the 72-hour rule adds to the urgency of identifying the who and the what in a short amount of time. This means two things: you need to collect a lot of data on your users and you need to be able to find it quickly. Can your team do both today?
When (not if) a breach occurs, how quickly could we respond and control damage?
Managing day-to-day threat response across numerous platforms is a headache. When a breach occurs, that headache becomes a migraine.
“There are only two types of companies; those that have been hacked and those that will be.” – Robert Mueller, former director of the FBI
If you’re one of the companies suffering from the growing security talent shortage, allocating additional resources to respond to a breach is not always an option. Consolidated endpoint and server visibility is crucial in minimizing the time to resolution and containing the impact of the breach. But above all else, technologies must enable you to get the most out of the resources you have available today to ensure the fastest recovery.
The opinions expressed within this article are the personal opinions of the author. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.