How You Can Improve Your Cybersecurity Posture: Insights from Leading CISOs
The importance of maintaining a robust cybersecurity posture is imperative. As cyber threats continue to evolve and become more sophisticated, organizations must adapt their cybersecurity organization strategy. Organizations need to ensure that their cyber posture remains resilient, and that it aligns seamlessly with their broader business objectives. The following discussion occurred at Secure Iowa Conference 2023. It featured leading CISOs from various industries that shed light on the intricacies and nuances of cybersecurity strategy, its alignment with business goals, and the challenges faced in today's dynamic threat landscape.
MODERATOR
Ben Hall - Senior Information Security Consultant - Heartland Business Systems
Ben is a Certified Information Systems Auditor (CISA) and a Certified Data Privacy Solutions Engineer (CDPSE) with over 15 years of Governance, Risk, Compliance, Information Security and Information Technology experience in the Banking, Financial, Insurance and Healthcare sectors.
Prior to joining HBS, he held positions as Information Security Officer, Risk Manager, Lead IT Security and GRC Analyst, IT Operations Supervisor, and Systems Administrator. As a Senior Information Security Consultant for HBS, he works with clients to support their information security, risk management and compliance efforts.
Ben has expertise in third-party risk management, change management, access control, security operations, business continuity and disaster recovery, security and risk management, and security awareness. Additionally, he has experience in IT governance, risk and compliance across numerous regulatory frameworks and has worked in IT operations, giving him a holistic view of how security impacts IT operations.
Ben served as the VP of the Information Systems Security Association (ISSA) board for the Des Moines, Iowa Chapter from July of 2019 to May 2022 and is active in the local ISACA and InfraGard chapters. Ben is also a part of the West Des Moines Leadership Academy Class of '22 - '23. In his free time, Ben enjoys spending time with family and friends, coaching his kids' sporting activities, and spending time outside in any capacity.
PANELIST
Christina Stevens - Director of Technology Governance - GreatAmerica Corporation
Christina graduated from William Penn University with a Bachelors in Accounting and Business Management. This was followed with completion of her Masters of Business Administration and another Bachelors in Information Technology and Security. She holds a CIA, CISA, CISM, CPA, CFE and CRMA certification. She has several years experience in public accounting, internal audit, IT security and governance and risk management. Currently, Christina works as a Director over Technology Governance at GreatAmerica. She lives in West Des Moines with her two daughters (aged 30 and 13) and two dogs.
PANELIST
Carol Quillen - Director of Technology Risk Governance - Wellmark Blue Cross and Blue Shield
Dr. Quillen graduated from William Penn with a bachelor's degree in information management. Later she earned a master's degree in information assurance and a doctorate in information technology. She holds CISSP, CISA and CBCP certifications. She has more than twenty years of experience in IT, information security and risk management. In her current role as Director of TRG, she leads the Technology Risk Governance and Third-party security functions for Wellmark.
PANELIST
Jake Gibson - CISO - F&G Annuities and Life
Jake is a seasoned technology leader with in-depth experience in information technology, information security, risk management, and regulatory compliance.
Panel discussion has been edited for length and clarity.
Vision and Strategy: How Do CISOs Craft Their Cybersecurity Roadmap?
Ben: How do you determine the overall security strategy and vision for your organization? What are some things that inspire you to develop that strategy and vision?
Jake: The easy answer is really looking at your risks, your adversaries, your threats, your vulnerabilities. Going further, it is more about business alignment and making sure that I understand what the business trajectory is, what their goals are, revenue generation, lines of business, what kind of expansion and diversification they have and are planning. Those things interest me because it helps me understand where the business is going next and how to better protect them. Ultimately, it’s also about the relationships you build. I do not think there is anybody in the management committee or executive group that I cannot reach out to. If there is something that I need to understand about their line of business to help inform my direction, I can reach out to them anytime.
Carol: I like to get a lay of the land before even beginning to formulate any kind of strategy, and that includes having conversations with the business, because if you don't understand how the business operates and what's important to them it's a little bit more difficult to understand how to help be a part of that strategy.
Security is often seen as a roadblock rather than an enabler; so, one of the toughest jobs I think that we have is enabling the business and helping them to see us as partners. Many times we are tasked with trying to explain to the decision-makers how IT strategy aligns with the overall strategy of the organization.
Christina: My perspective is similar—that you align with the business. My background is in audit, and I enjoy audit greatly because I see all the different business units and how they fit together in their processes. And being able to take that knowledge over to the security side, understanding where the business is going, what the processes look like, and how security can augment those processes or assist that process instead of being the roadblock. I spend a lot of time walking around the building and just getting to know people and talking to them. I have also used regulatory compliance as a driving factor.
Compliance and Regulations: How are CISOs Staying Ahead of the Curve?
Ben: As you continue to educate yourself and you hear of new regulations or new legislation that comes out, how do you stay up to date with everything? Also, how do you ensure that those new regulations are incorporated within your security and governance program?
Christina: In my previous roles, I was blessed to have a partner in the legal and compliance area that helped us stay on top of those things. We researched it as much as we could, but they were there as a stopgap to help inform and drive those policies.
Carol: I would say that throughout my career I have had different levels of involvement with that — whether it was reviewing contract language and ensuring that the contract language was even doable versus promising something that you could not undertake. I think my current employer does a really good job of staying ahead of legislation and my role at my current employer is a piece of that. Making sure that we fully understand the implications of legislation that is being proposed, whether it is in Iowa or South Dakota, etc. Beyond that, it is not optional to stay current with regulations, because you just never know what is going to impact your organizations — better to be proactive than to react after something has been written into law.
Jake: I have a compliance team that I am fortunate to have. They keep a watch out for these things for me. What is even more challenging is really layering them together and understanding or interpreting the “how” behind what those regulations are asking. So many of them are similar and they are very nuanced, and at the end of the day, if you have a good cyber program, you are probably meeting about 95% of those regulations anyway.
Carol: Compliance is a byproduct of a good security program. If you are doing security well, you are probably going to be able to meet those regulations.
Balancing Act: Legacy Systems vs. Emerging Threats – What's the Strategy?
Ben: There are new and emerging threats, and then there is the technology debt that most organizations still have. How do you balance that threshold between the legacy technology debt and those new emerging threats?
Carol: That is really difficult to do, especially with how quickly the pace of the business moves. I go back to the citizen engineering aspect of things as well. It's not just about keeping up with legacy systems, but now you have people who are not traditionally trained in IT that are not used to going through a change management process or any of the other standards and controls that you have in place, and now they can do some really powerful things that they may not even fully understand. I am thinking of the Jurassic Park scene where it is suggested that “Just because you can do something doesn't mean you should.” We need to be helping the business to think through those decisions before they actually build something that accidentally exfiltrates information to somewhere it shouldn't go.
Jake: This is going to sound really boring, but the basics really matter in all of these different principles. If you really have a good, solid control base and you have got good coverage, if you just lean into those, they are really applicable no matter what the scenario is. Start with the basics first and get those to 99% and then get fancy after that.
Security Awareness: Engaging Tactics That CISOs Employ for Better Cybersecurity Posture
Ben: What are some strategies you have found work best as it relates to an overall security awareness program and making sure people are kept up to date with stuff?
Jake: Reward. Reward often. Reward when people bring things up to you. I had a gentleman who is an application owner in one of our lines of business call me a couple of weeks ago and he said, “Hey, I got this thing. I don't think I'm really comfortable with it. I would like to do something about it. Here is my plan, and here is what I want to get done. I read your security policy …” and I just stopped him and said, “Thank you!”
If your company has a reward mechanism of any kind, use it. Send them a little note, send a note to their manager, give them a financial incentive, anything to praise them for that behavior.
Carol: I would say that it is important to definitely recognize good behavior, but also, you do not want people to be afraid to bring something bad to you. If someone sees something, or someone makes a mistake, you want them to tell you before you find out another way.
There is a fine line between punishment and reward. One idea is to go around and put a candy bar on their desk if their computer is unlocked. Those kinds of things can be helpful reminders. Making it a safe place for them to say that they made a mistake is definitely a culture thing as well. You have to build it into the culture.
One of the things I think that works really well is tying it to goals. Security is everybody's responsibility, so therefore it should be tied to everybody's goals, right?
Christina: It comes back to those relationships, and building those relationships throughout the company with the business so that when something happens, they do feel comfortable calling or reporting it and knowing that we are going to work with them to resolve it.
We also have report programs as well. On our phishing test, we set up a competition amongst our C-suite. Whoever has the lowest click rate, we give them a lovely trophy with a little fishing lure on it. Oddly enough, that has been strangely effective because there is a lot of competition at that level.
We also have a schedule of different communication mechanisms that we use just to keep it in their mind constantly throughout the year. We communicate that we are going to educate on this topic this month and we have a whole plan that's set out for the year just to make sure that it's regularly front of mind.
I have campaigned repeatedly for a wall of shame. We have monitors throughout the building with announcements, and I would love to use those so that if someone clicks more than three times on a phishing message, their picture should be shown on a monitor someplace. But unfortunately, I never got full support for that. I lean a little bit more stick than carrot, but there is a place for both of those.
Reporting to the Board: What Metrics Matter for Cybersecurity Strategy?
Ben: When you are developing board reports, senior management reports, KPIs and metrics, what are some critical things you focus on to not only tell the cybersecurity story at your organization, but also to request additional resources?
Jake: Keep it simple. Keep it to two or three things that you need so that you can tell the story. Some of these numbers and facts and details are not easy for other people outside of our practice to understand. So, keep it at a high level, use the basics, I think that is where you get a lot of value.
Christina: If you are explaining, you are losing. If it is not simple enough that you have to then spend time explaining it to the board, then they are not going to listen to anything you have to say. They are just going to shut down or be dissatisfied with your performance.
Carol: Early in my career, as a security analyst, I was asked to bring metrics and KRIs to our operational risk committee. I was excited that somebody finally cared about the work that I was doing. I went with something like 76 metrics — that did not go over very well. I quickly learned that you have two seconds to keep their focus and to keep it simple. Make sure that you are giving them the metrics that they care about. A hint would be that if they ask you about a certain thing every single time, maybe include that as a metric in your report.
That being said, you also will need to be open to them not caring about your metric, take that as a learning opportunity to know what you need to be prepared to present the next time. Be flexible.
Numbers Game: Are We Outnumbered in the Cybersecurity Landscape?
Ben: Will bad adversaries outnumber cybersecurity professionals? In my mind, they already do because there are criminals and then there are well-intended insiders that may leak information and put an organization in a compromising position.
Christina: They probably already do; we just do not know about it. And I think we routinely underestimate the non-malicious insider, the person who does not realize that their actions are creating risk, they are not even aware that that is what they are doing. If you include those in the bad actor category, they absolutely outnumber cybersecurity professionals.
Change, Collaboration, and Community: Critical Components of Cybersecurity Posture
Ben: What is one thing you want folks to start thinking about that they might not have considered before?
Jake: I am worried about our rate of change. That keeps me up at night. I do not think we as humans can keep up with machines anymore. We cannot be that broad anymore. And so just the rate of change, that keeps me up at night.
Community is very important. Events like Secure Iowa are very important. Vendors that help make this possible are very important. We cannot do this alone, it is a group effort.
Carol: For every tool that we get in place to help prevent something bad from happening, the bad actors are also using those tools. Thinking about AI — you do not have to be smart to write an exploit, you can just now have an AI tool write one.
Everybody has so much access to knowledge now, it is kind of crazy. So, everybody thinks that they are now an expert on everything, and that leads them to do some really stupid stuff.
Christina: One, internal auditors are not bad, they are valuable after they leave the audit profession, because they have a different mindset. And secondly, governance is important.
CISO Priorities: Crafting a Superior Cybersecurity Posture
It is evident that a strong cybersecurity posture is more than just a box to check — it is a business imperative. Whether you are a seasoned professional or new to the industry, there is no better time than now to reassess and bolster your cybersecurity organization strategy.
To stay ahead of threats and ensure a robust cyber posture, we must collaborate, share insights, and continuously evolve. Join the conversation, engage with your peers, and be an active participant in fortifying our collective defenses against cyber adversaries. Your organization's future might just depend on it.
If you are grappling with cybersecurity challenges or looking for tailored solutions, you do not have to navigate these waters alone. Reach out to HBS for guidance on everything security-related, including HBS’s vCISO offering — your executive-level cybersecurity expertise, on demand.