Re-evaluating CISO goals

October 11, 2021

Re-Evaluating CISO Goals for the Rest of 2021

Now that we are 2/3 of the way through 2021, it is time to re-evaluate some of the cybersecurity goals you may have set at the beginning of the year and check whether you’re making progress. This is also a good time to readjust priorities and make any course corrections.

We surveyed our network of CISOs and security leaders and asked them to reflect on what their cybersecurity goals for 2021 were and how they were doing on them. Three key trends emerged. CISOs wanted to:

  • Get visibility into their cybersecurity posture
  • Automate their cybersecurity posture management
  • Be able to quantify their risk and get data to track their cybersecurity practice

Get an accurate picture of my cybersecurity posture

Several CISOs we talked to believe they have cybersecurity tool sprawl; some even deployed new tools this year. Yet this has not translated into better visibility into their security posture. This year it became even more evident that an incomplete and fragmented view of assets and risk results in vulnerabilities and security issues being missed. Achieving that visibility requires three key capabilities:

  1. Automatic and comprehensive discovery of enterprise assets (devices, applications, services, and users) across on-premises, cloud and 3rd party environments.
  2. The ability to continuously assess all enterprise assets for vulnerabilities and other risk items, so that the team can discover, prioritize and fix not just CVEs but also non-CVE security issues such as password problems, phishing exposure, misconfigurations, weak or missing encryption, and lateral movement/attack propagation paths.
  3. The ability to identify the risk mitigating effects of security controls already deployed in the enterprise.

“I need to continuously assess my security posture to discover assets, identify vulnerabilities, and understand risk.”

Automate cybersecurity posture management

CISOs agree that there is a lot of friction in effectively managing the cybersecurity posture. Discovering and monitoring assets, managing silos of deployed IT and security controls and consolidating the data generated by them, and getting a unified view of the security posture with accurate risk calculations that incorporate both security and business context, all involve many manual steps that lead to inefficiencies and blind spots. These can be mitigated by automating cybersecurity posture management.

To do this, security teams need to follow a 4-step process that includes:

  1. Identifying risk as it emerges (and this can be done by having an accurate asset inventory and continuously monitoring it).
  2. Evaluating risk in terms of business criticality, analyzing vulnerabilities to get risk in monetary terms, and prioritizing action items, so the most threatening risks are addressed first.
  3. Dispatching risk to various risk owners so they are aware of what falls in their arenas.
  4. Mitigating, mitigating, mitigating.
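The capability list above (including the risk-mitigating effect of deployed controls and the inclusion of non-CVE items) and the first three steps of this process can be walked through in code. The following is an added example, not Balbix's model or data: it assumes a simple annualized-loss model (residual likelihood multiplied by loss-if-breached, with each deployed control removing an assumed fraction of the remaining likelihood), and every asset, owner, finding, likelihood and dollar value in it is constructed for illustration. The CVE identifier in the sample finding is an explicit placeholder.

```python
"""Added example: a toy risk register that walks the identify -> evaluate ->
dispatch steps. The scoring model (annualized loss with multiplicative control
reduction) and all assets, findings and dollar values are constructed for
illustration; none of this is Balbix's model or data.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    """A deployed security control and the fraction of exploitation
    likelihood it is assumed to remove (0.0 = no effect, 1.0 = eliminates)."""
    name: str
    reduction: float


@dataclass(frozen=True)
class Asset:
    """Inventory entry: who owns it and the assumed loss if it is breached."""
    name: str
    owner: str
    loss_if_breached: float  # business impact in currency units (constructed)


@dataclass
class Finding:
    """One risk item against an asset. 'issue' is free text so that non-CVE
    items (weak passwords, missing encryption, phishing exposure) sit in the
    same register as CVEs."""
    asset: str
    issue: str
    likelihood: float  # assumed annual probability of exploitation, 0..1
    controls: List[Control] = field(default_factory=list)


# Step 1: the asset inventory (constructed sample data).
ASSETS: Dict[str, Asset] = {
    "payroll-db": Asset("payroll-db", "finance-it", 2_000_000.0),
    "marketing-site": Asset("marketing-site", "web-team", 50_000.0),
    "hr-laptop-17": Asset("hr-laptop-17", "endpoint-team", 200_000.0),
}

SEGMENTATION = Control("network segmentation", 0.5)
MAIL_FILTER = Control("email filtering", 0.5)
AWARENESS = Control("security awareness training", 0.2)

# Findings from continuous assessment (constructed; the CVE id is a placeholder).
FINDINGS: List[Finding] = [
    Finding("payroll-db", "weak encryption on backups", 0.30, [SEGMENTATION]),
    Finding("payroll-db", "default admin password", 0.60, [SEGMENTATION]),
    Finding("marketing-site", "unpatched CMS (CVE-XXXX-XXXXX placeholder)", 0.80),
    Finding("hr-laptop-17", "phishing-susceptible user, no EDR", 0.40,
            [MAIL_FILTER, AWARENESS]),
]


def residual_likelihood(likelihood: float, controls: List[Control]) -> float:
    """Apply each control's assumed reduction to the remaining likelihood.
    Controls are treated as independent, so reductions multiply, not add."""
    residual = likelihood
    for control in controls:
        if not 0.0 <= control.reduction <= 1.0:
            raise ValueError(f"{control.name}: reduction must be within [0, 1]")
        residual *= 1.0 - control.reduction
    return residual


def annualized_loss(finding: Finding, assets: Dict[str, Asset]) -> float:
    """Step 2: risk in monetary terms = residual likelihood x loss if breached."""
    asset = assets[finding.asset]
    return residual_likelihood(finding.likelihood, finding.controls) * asset.loss_if_breached


def prioritize(findings: List[Finding],
               assets: Dict[str, Asset]) -> List[Tuple[str, str, float]]:
    """Step 2 (continued): rank findings by annualized loss, highest first.
    Returns (asset, issue, annualized_loss) tuples."""
    scored = [(f.asset, f.issue, annualized_loss(f, assets)) for f in findings]
    return sorted(scored, key=lambda row: row[2], reverse=True)


def dispatch(findings: List[Finding],
             assets: Dict[str, Asset]) -> Dict[str, List[Tuple[str, str, float]]]:
    """Step 3: route each prioritized finding to the asset's risk owner,
    preserving the global priority order within each owner's queue."""
    queues: Dict[str, List[Tuple[str, str, float]]] = defaultdict(list)
    for asset_name, issue, loss in prioritize(findings, assets):
        queues[assets[asset_name].owner].append((asset_name, issue, loss))
    return dict(queues)


if __name__ == "__main__":
    for owner, queue in dispatch(FINDINGS, ASSETS).items():
        print(f"== {owner} ==")
        for asset_name, issue, loss in queue:
            print(f"  ${loss:>12,.0f}  {asset_name}: {issue}")
```

With these constructed numbers the two non-CVE findings on the payroll database outrank the unpatched CMS, because business impact and the segmentation control both feed the score; this is the point of evaluating risk in business terms rather than by CVE count alone. Step 4 (mitigation) is where a control gets added to a finding's list and the register is re-scored.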

“I need to remove friction and make it easy for all risk owners to contribute to enhancing our security posture.”

Become more data-driven in my cybersecurity practice

For all the talk of tools, risk, and cyber-resilience that is permeating the industry, it is a fact that most cybersecurity decisions are made either on gut feelings or by adopting a project-based approach (rather than an outcome-oriented approach). The board wants CISOs to quantify risk (and risk reduction) in financial terms. Individual risk owners need to see how their progress compares to others in the organization. Decisions on new tools and processes require forecasting and an evaluation of control effectiveness. Being able to make these decisions with data puts CISOs in the driver’s seat, while also saving valuable team time.

“I want to enable each risk-owner in the organization with the right data, the right tools and the right incentives so that they can do their part in keeping us safe.”

Mission Impossible? Not Really!

Cybersecurity leaders note that to improve their security posture and increase cyber resilience, they need visibility, automation, and the ability to collect the right metrics. So, are these goals really that impossible to achieve? No, not with the right strategy, people, and tools. Cybersecurity leaders ultimately want to be data-driven, with better ownership of cyber-risk across their organization. Balbix can help with all of these. Get in touch to try Balbix for free.