How have you been able to Leapfrog your Security Program Forward was the topic of a recent CISO Executive Forum, led by Tim Howard, of Fortify Experts and attended by over 40 security leaders.

Here is a quick summary of the key points discussed broken down by People, Process, and Technologies which could also help you make a significant improvement in your security program.

People:

  • Implementing a Verification & Validation Team: After a paralyzing security incident, one firm birthed a Verification and Validation (V&V) team mirroring the resilience seen at Fortune 500 companies like General Electric. The V&V team’s objective was to conduct regimented effectiveness checks of controls, akin to the continuous improvement approaches seen in quality assurance practices across industries. This team, equipped with sharp analytical acumen, conducts regular checks to validate the effectiveness of our controls – a vital pulse-check that fosters trust among stakeholders.”

“A robust security landscape isn’t a static creation but a living ecosystem requiring constant care,” explains a CISO from the manufacturing sector.”

  • Hiring an Application Security Engineer: The game changer for a large auto reseller was adding an Application Security Engineer.  This position involves engaging with development teams early in the software development lifecycle, integrating security into every phase, and ensuring it’s a forethought, not an afterthought – encapsulating the philosophy that prevention is better than cure.

“It bridged the gap between development and security, fueling a ‘shift-left’ perspective that imbedded our engineering culture with security from the onset.”

  • Bringing Jr. People in to Ask Why: An investment firm CISO shared, “Injecting fresh perspectives through junior team members has been our secret sauce.” They ask ‘Why,’ urging veterans to articulate their logic, which sharpens the collective intellect and paves the way for innovative problem-solving.

“Much like Elon Musk encourages his engineers to challenge norms, our junior team members are our catalyst for keeping us on our toes and ensuring our practices aren’t just because ‘we’ve always done it that way.”

  • Hiring a Team Focused on Diversity of Thought: Building teams with the goal of creating Diversity of Thought leads to more profound and holistic problem-solving. Anecdotes from various CISOs endorsed the ideology that diversity drives innovation. “Fostering a team with mixed backgrounds is not just a box-ticking exercise; it stimulates an environment where every challenge is viewed through a multifaceted lens.”

“Diversity of thought is not just a nice-to-have; it’s a must-have in our war against cyber threats, allowing us to discover our blind spots and strengthen our defenses.”

  • Contracting with an Incident Response Firm: With an Incident Response firm on retainer, transitioning from reactive to proactive became a reality for a home loan company. “Through regular audits by our response partner, we convert potential disasters into actionable defense strategies,” a CISO commented on this forward-thinking initiative.

“Being proactive with our Incident Response preparation meant turning potential weaknesses into strategic insights, which ultimately resulted in organizational resilience.”

Processes:

  • NIST Assessment to Build a Roadmap: A story from a University CISO showcased how assessments could illuminate the path forward. “Our cybersecurity framework assessment was a wake-up call that drove a 10-fold increase in funding commitment and a tripling of staff, turning deficiencies into milestones.”
  • See how you can achieve a 3rd Party NIST CSF Assessment in Under 3 weeks for under $10K. Rapid & Affordable NIST Cyber Assessments (5 Min Video).

“The Cybersecurity Framework was our compass, guiding us from a D minus to aspirations of a B, one project at a time.”

  • Allowing non-cyber people to design tabletop exercises: Putting tabletop exercise design in different hands proved invaluable. A CISO from a large mortgage lender said, “We knew we needed a fresh perspective on our tabletop exercises. Inviting non-cyber team members opened a trove of unique scenarios we had overlooked.”

He added, “When you let those outside the security bubble simulate an attack, the depth and variety of the threats we prepare for expand exponentially.”

  • Creating Cyber Roundtables that involve the business units: Cyber roundtables proved vital in democratizing the cybersecurity conversation across departments and aligning technological initiatives with business objectives and risk appetites. An example of interdepartmental cohesion was presented by a capital management CISO.”Cybersecurity is not an IT silo. By conducting roundtable discussions across departments, we highlight security as a shared responsibility, influencing cultural change and empowering champions in every sector.”

“Our Cyber Roundtables are transforming the way our organization views security. Every team now sees themselves as a vital piece in the protection puzzle,” says a CISO from the media industry.

Technologies:

  • Using an automated Assessment tool based on NIST: In an age of digital transformation, leveraging automated assessment tools fuels our continuous improvement cycle, streamlining our resilience against evolving threats.Automated assessment tools have elevated the ability to maintain a continuous security posture.

“Automated solutions transform cumbersome compliance into digestible, actionable insights for every department, transcending the barriers to a strong security posture,”

  • Leveraging GenAI to accelerate policy development/code reviews: Leveraging GenAI to accelerate policy development/code reviews: “AI has been a game-changer – no longer is policy development or code review a bottleneck, but an efficient process marked by machine precision and human oversight.”The introduction of AI for policy development and code reviews has sped up traditionally time-intensive processes. See how you can cost-effectively and securely enable GenAI for your employees (5 min Video).

“Let’s face it, AI can crunch data and spot anomalies faster than any human, and this prowess is now supercharging our policy development cycles,” – CISO at a Capital Management firm.

  • Using Containerized Workspaces to isolate end users from the Enterprise: Containerized workspaces are a technological leap in endpoint security. They isolate end users from the enterprise through an immutable workspace.  One leader shared, “Containerization is security’s new frontier. Products like Kasm demonstrate how isolating enterprise functions from personal devices can mitigate risks from ransomware, significantly reducing threat vectors.”Since containerized workspaces require no end-point software or agent, it creates a terminal effect with any device, thereby, isolating the user and data completely. See how a municipality cut IT costs by 50% while radically securing all endpoints and giving unprecedented access to systems (5 Min Video).

As we reflect on the wealth of knowledge exchanged at the CISO Forum, it becomes evident that the confluence of innovative people strategies, robust processes, and cutting-edge technologies paves the way for a future-ready cybersecurity posture.

“The only thing more expensive than investing in cybersecurity is not investing in it.” – A Security Leader’s lasting thought at the forum.

In Summary:

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice on how to leap your security program forward. If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.

Join us in March as we continue to dissect and discuss the evolving landscape of cybersecurity.

What: CISO Executive Round Table – Summarizing Enterprise-Wide Security Data for the Board.

When: Mar 21, 2024, 01:00 PM Central Time

Where: Zoom: https://us02web.zoom.us/meeting/register/tZAldeCopjkqHdwIufGrrfsqeubRClVSZZcv

Details: Special Guest Sai Iyer the CISO for #ZiffDavis, which owns over 30 software firms, will explain how they have developed a real-time reporting system that boils up security data across all assets to executive-level actionable intelligence.

About Tim Howard

Tim Howard is the founder of 5 technology firms including Fortify Experts which helps companies create higher-performing teams through People (Executive Search and vCISO/Advisory consulting), Process (NIST-based 3rd party security assessments and Leadership Coaching), and Technology (game-changing security solutions).

How I can help you:

  1. Join over 30,000 People Getting Free Security Leadership Improvement Advice ➡ Follow me on LinkedIn. www.linkedin.com/in/timhoward
  2. If you want to raise the expertise or performance level of your security team, Contact me.
  3. If you don’t have a Clear Picture of Your Cybersecurity Maturity Level or Need a Strategic Improvement Roadmap ➡ Contact me.
  4. Join our interactive Monthly CISO Forums.

Leave a comment