FINAL WORD
Your report highlighted that there is still a lack of support from the boardroom. What advice would you offer to regional security leaders in obtaining buy-in from the C-suite?

CISOs are under a lot of pressure generally. Our research found that 67% of CISOs in the Middle East felt that role expectations were excessive, compared to 57% globally.

It’s a worrying situation and we’ve discussed things like CISO burnout and the number of people only staying in roles for up to 24 months before moving on.

Overall, across the globe, 25% of CISOs said they felt strongly supported by the board, and in the Middle East 31% felt that the board really had their back.

That’s better than the global average but still not ideal, as you really want the board and the CISO to be working in synergy, understanding the risks, prioritising and being able to move forward together. To address this, there are several things that CISOs should look to do:

• Make personal time. Don’t allow anybody else to deliver your security message to the board; make sure you own the message. Look for ways to speak to those board members outside of the boardroom to try and build personal relationships with them, because if you can show how your cybersecurity strategy is necessary to enable their personal projects and priorities, they will support you in every step.

• Create metrics and stories that link back to the business. It’s much more impactful if you can really make security seem intrinsic to the business success – make sure you link cybersecurity messages and stories to strategic business imperatives, industry trends and local objectives, so the board can see that this is not just an IT problem, it’s a business one too.

• Be pragmatic. As a CISO, you have to convey the risk to the board and ensure they understand the different choices, but respect that they have wider considerations. You must give them the information and your recommendations but let them make the best business choice – then it’s your job to implement it, whatever they decided.

I think most CISOs could actually bankrupt their organisation by trying to make it as secure as possible, but that’s not practical – we have to embrace some level of risk and we have to trust business leaders to make the right decisions based on the information that we provide them with.

Your research revealed that a majority of CISOs still consider human error to be their organisation’s biggest cyber vulnerability. What are the risks and how can these be mitigated?

So often when reading about people-centric security, you’ll see references to people being ‘a first line of defence’ or ‘a last line of defence’ or a ‘weakest link’. And I think all of those are a little unfair.

We need to consider people instead as our ‘primary attack surface’. Staff are under constant attack, and data from the recent Verizon Data Breach Study highlighted that 85% of successful attacks had a human element, so the human aspect is vital.

The Middle East understands this – 70% of CISOs believe that users are one of the primary risks to cybersecurity within their organisation. And they’re worried about things like unidentified devices, unidentified tools and the security around data that people are working with. That compares to around 60% globally.

The most successful attack vector right now is phishing, followed by credential theft and then human error.

These top three successful attack vectors are all entirely focused on the human, so it’s quite clear that we really should be focusing security around that human to try and make them as strong as possible, because the repercussions of their failure can be quite catastrophic.

The first thing to do is to realise that the firehose of threats that reaches your organisation comes via email, so make sure that you’ve got great email hygiene in place, because if you can cut it out, you’re reducing a huge amount of the risk to your enterprise.

The next logical step is to provide security training to staff to make sure the threats that do get through that gateway can be recognised and dealt with appropriately.

The final piece is to think about insider threats, identifying accounts that have been ‘stolen’ and are being used in a suspicious way, and then locking them down before they deliver ransomware or other attacks. Credential
www.intelligentcio.com INTELLIGENTCIO MIDDLE EAST 83