CISO Best Practices: Navigating Incident Response, Technology Integration, and Vendor Management
- Written by: Ryan Mosher
There’s little doubt that as the world has grown increasingly digital, those charged with guarding against digital threats face increasingly sophisticated and complex challenges. Recently at Secure Iowa 2023, a panel of CISOs from different industries provided some best practices that security information personnel can incorporate into their day-to-day work. Their conversation is a treasure trove for current and aspiring CISOs, offering a blend of effective CISO practices and strategies to navigate the complex cybersecurity landscape successfully.
Incident Response Program Development
Ben: As you set up an incident response program and try and establish organizational resilience, what key factors are you looking to introduce?
Christina: Some of the things we ask are: Who needs to be involved, and at what level? What actions can you take without getting that prior approval? If something is hitting really quickly, are you allowed to take certain actions before you kick off that whole communication program? Who needs to be involved in that communication program?
I know from my previous experience that we had a breach coach who had to be involved very early on in the process before we could hire anybody or take specific actions. It is important to understand that, get it in writing, plan it out, and walk through it during your tabletop exercises.
We have started pulling in other parties outside of the immediate security group on our tabletop exercises to get them better informed about the process. We have talked about expanding that into management roles so that they also become aware of what this will look like should something happen. We want them included in the process if it ever does happen, even if they may not be comfortable with it.
The appetite so far has been limited to tabletop exercises. We are finding enough value in doing the tabletop exercises that we have yet to expand its scope fully. We have a governance group that we formed out of management across the board that sits one level below the C-suite that helps drive our IT strategy, and helps validate many of our actions. They are significantly involved in what that incident response plan looks like, how we test it, and who we include in those tabletop exercises. They are very informed as to what types of risks we are managing and which ones we prioritize over others.
Jake: Practice. We all go through some skit exercises when we're kids. It is awkward, not fun, and clumsy, but the more you practice, the easier it gets. When the rubber meets the road, and you are in a situation where you have to engage your crisis management team, it is essential that they understand their roles and responsibilities, and they need to know what their steps and actions are.
“Plans are nothing...Planning is everything.”
- Dwight D. Eisenhower
Carol: In the military, they train as they fight — it becomes rote memorization and muscle memory to do certain things. In my experience, a plan is nothing, but planning is everything. I know that is a cliche, but it is true. You probably will throw out the playbook about two seconds in because the bad actors do not operate how you want them to or how you planned for them to operate. There are always those anomalous activities. However, the decision-making process that you have and the decision-making process that your leadership has should be the same. It should not be a one-off, depending on the incident. Your goals are the same: you want to recover the most critical applications as quickly as possible; you want to make sure that people can work, and you want to ensure you can provide the services to your clients. Those priorities do not change, but what does change is how you execute your plan.
The CISO’s Role in Evaluating New Technology
Ben: As information security and governance leaders, often you are introduced to new technology either from a business line, a department, or a third party. How do you evaluate the potential use of that technology piece?
Carol: The earlier in the process that you can get involved, the better. If you can get involved at the procurement level, that is extremely helpful to ensure you can assess and understand new technology. The business might decide to take the risk anyway, regardless of what the technology was for or who that vendor might be; at least you are ahead of the game in planning for some controls that can be implemented to mitigate some of the risks that might exist with that vendor.
Use a variety of sources to gather information, and make sure that your vendors are included in your threat intelligence.
Jake: I like the traditional model to this, but I think we all live in a world where things are changing rapidly and integrating into those points of opportunity of engaging with vendor management, procurement, architectural reviews, some of those traditional practices that we have had in IT are difficult because the business is moving faster than we are. There is still a place for those in some nuances, a new form of governance. However, we cannot discount the natural conversations and relationships we have. The more we work alongside our business partners, the more they open up to us. In casual discussions instead of intentional ones, we learn about new opportunities they are exploring, allowing us to engage slightly differently.
Christina: You also need to understand the business continuity aspects of bringing on a new technology, a new vendor, a new relationship. How do you validate a vendor’s business recovery capability? What are you signing up for?
Jake: It goes back to those relationships. Because of those, you can help educate your business partners by saying, “Hey, I want you to succeed; I want this to happen for you, and here are some things we have to do to make that successful.”
Carol: I think one other aspect to this is to make sure that you have established communication between the CISO of your organization and the CISO of your key vendors so that everyone understands how security is being handled from both sides.
Vendor Due Diligence Suggestions
Ben: How do you incorporate vendor due diligence practices within the organization, and what are some best practices you have found in your careers?
Christina: You are trying to offset that risk by lending it out to a third party or engaging a third party, but are you really getting rid of that risk? Now you are handing that over to somebody, and you have no idea what their environment looks like, what their controls are, and how they manage that. In some cases, they may have a SOC report, but SOC 1 is point in time — is there much value in that? SOC 2 is a little bit better, but what do you do in the absence of a SOC report at all? You have no third party in there looking at that vendor. Can you do manual procedures, review their policies, site visits, and how do you manage that? I do not necessarily have a good answer for it. It depends on the vendor, it depends on the relationship, it depends on what you are using them for, and what the risk is associated with that service. I know it is not something that has been sufficiently solved in my mind.
Carol: Everybody who has ever reported to me already knows what I am going to say, but the BIA is under-leveraged as a resource to help inform your vendor management, your disaster recovery, etc. If you do your BIA right, then literally everything that you need to know should be in your BIA to help direct you on what should be a priority. That being said, many organizations struggle with that — they do not understand the interdependencies within the BIA across the different processes and technology. That is the key: you first have to know what you have. You have to know what is critically important, and then who are the vendors that support what is critically important? Then you go to ask who are the fourth parties that support the third parties? Even if they tell you that they are ready for the pandemic, they may not be prepared for the pandemic, and you may not know that until after the fact.
All of these things have to be taken into consideration, and how things actually turn out is different from how you planned it. The more you can understand the business, what they are dependent upon, and how they are using a vendor, the better you can secure it.
Jake: I think we still need to solve this problem, and it will only get tougher. We talked about emerging threats earlier, and I think this is one that we, as a community, need to get our heads around because it is not just a third party anymore; it is a fourth party, and beyond that, we are really struggling to wrap our heads around.
Talking about AI, for example, has my head spinning around the comprehensive landscape and understanding how our companies, partners, and vendors are using AI. Well, if it is a third party, we can reach out to them, but then the chain of data custody starts to flow down to a fourth party and beyond, which is a nightmare. It is a practice with much room for opportunity and growth.
Ben: You think back to the SolarWinds incident a few years ago, where a third party was implicated and had a vulnerable application that skirted many folks' preferred patch management process. You introduced a change, let it sit and bake for a bit, everything is great, let us go ahead and bring it back into our production environment, only to find out a month later there is a callback. You are compromised. You do not even know you are compromised until a news article says you may be impacted. The interesting aspect of that particular event is the folks that were the most secure were behind in their patch management process because the older instance of SolarWinds was the one that wasn't vulnerable. So, you preach vendor due diligence, third-party risk management, patch management, and the people that were the least affected by the event were the ones that needed to be updated in their security processes.
Employing Effective CISO Practices
The role of a CISO is more critical than ever. The insights shared by industry experts at Secure Iowa 2023 provide a valuable roadmap for navigating the complex world of cybersecurity. From incident response program development to evaluating new technology and managing vendor relationships, these CISO best practices can make a significant difference in securing your organization's digital assets.
At HBS, we understand the importance of staying ahead of digital threats and ensuring robust cybersecurity practices. Our virtual CISO (vCISO) service is designed to complement your organization's security efforts and provide you with the expertise needed to protect your valuable data and assets. Whether you're facing a security incident, considering the adoption of new technologies, or enhancing your vendor due diligence, our team of security professionals is here to support you.
If you're interested in learning more about how HBS's vCISO service can benefit your organization or have questions about our approach, we encourage you to get in touch with us. Your cybersecurity journey is unique, and we're committed to helping you strengthen your defenses.