Rangel Rodrigues, Information Security Advisor, outlines in this article the main characteristics a CISO needs in times of pandemic, how to make use of the frameworks already at hand, and how to lead in the midst of chaos with the eyes of a visionary.
There is no real change in an organization without a reform that takes a holistic view from the information security perspective. Some companies and leaders think that hiring a CISO alone will solve the company's whole problem. That might hold for a hands-on CISO in a small, organized and well-structured organization, but in general the role of the CISO is not as simple as it seems.
During this pandemic and quarantine, the question we must ask is what we need to protect and what vision and objectives the organization expects. Unfortunately, many leaders still do not apply security best practices as they should. The number of frameworks, standards, and institutions producing security models that could solve companies' problems is large, but the sheer volume of information ends up confusing these professionals, who then become inoperative and unproductive in pursuing their goals.
For example, the Center for Internet Security (CIS) provides several useful documents for building a robust security architecture, and also offers checklists that map its controls to other key frameworks and to the main privacy laws in force. The amount of information, together with a lack of resources, budget, and time, has made information security difficult to manage effectively. Frameworks such as ISO 27001 for information security management and NIST SP 800-30 for risk assessment are fundamental for a company that needs to comply with PCI DSS, HIPAA, FISMA, FedRAMP, SSAE 18, SOC 2, GDPR, CCPA, and so on.
Beyond these, there are frameworks such as OCTAVE, FAIR and the NIST CSF for the cybersecurity program; OWASP and the Microsoft Security Development Lifecycle (SDL) for secure development, among others; COBIT for security governance; and, more recently, the "CISO Mind Map" infographic released by SANS, which is indeed very useful in meeting these demands.
Of course, we have many options. The difficulty is how to choose and discern the most appropriate ones for our scenario, and how to get the most out of each framework in times of crisis so as to remain productive.
To reform an environment, we need the support of the C-level, or the CISO will be powerless. To prevent this, a bold and articulate posture is necessary toward the team that runs your organization and sets the priorities for business needs.
The book of the wise tells us that virtue, knowledge, mastery, and perseverance in a particular subject make us more effective and productive. The reason is that if these qualities exist and keep growing in our professional character, they will keep us from becoming inoperative and unproductive.
A professional who lacks them, however, tends to hide that in the way he manages, and we often fail to notice in ourselves the irregularities we would see in others, because one only sees what is close at hand. In other words, every difficulty exists to train the leader to rule over something. So the CISO and the IT Risk Management Leader have the role of managing information security amid chaos, not with negative eyes, but looking into the storm of this crisis and finding opportunities as a visionary.
In short, every leader needs to:
- Understand the organization's business in depth, including how the company makes money (its modus operandi);
- Understand the governance structure and the organizational charts relevant to the program, and whether there is support from senior leadership;
- Make sure that investment in security and cybersecurity is sufficient and appropriate for the program to be executed. Tools such as benchmarks help in understanding the program's goals and in communicating them to senior management, which is fundamental.
In these hard times, every leader and information security professional must know how to reform an architecture with the frameworks at hand, or at least apply and take advantage of the best of each standard. Experience, perseverance, and knowledge are fundamental qualities for reaching a productive level.
And above all: we need to be strong and, in some cases, start from scratch (zero)!
This article was published at portal Security Report.
* Rangel Rodrigues is an information security advisor, CISSP, and holds postgraduate degrees in Networking, Internet and Information Security from FIAP and IBTA and an MBA in IT Management from FIA-USP. He is a cybersecurity professor at FIA Business School and a Senior Information Security Engineer at a technology company in the US.