The average stay of a CISO in a company is 26 months. With the shortage of talent in the cybersecurity industry, this should come as no surprise. And truly, today’s CISO is struggling with unprecedented challenges—ransomware, the sudden changes resulting from the pandemic, an abundance of alerts never seen before, and a growing attack surface.
However, for those who have just assumed the role of an organization’s new CISO, the challenge is even greater. The newly designated CISO must quickly assess the organization’s cybersecurity status in order to take immediate action. According to Fabian Zambrano, a cybersecurity professional with 20 years of experience and the new Director of Cybersecurity for Grupo Davivienda—a financial institution that operates globally with more than 24,000 employees—the following aspects are to be considered:
- Understand known risks and work to understand hidden risks: Zambrano emphasizes the importance of understanding where the organization is in terms of risk. This includes “understanding where the known risks are, what has already been done to minimize them, and trying to uncover hidden risks. These are some of the most important and urgent tasks we have as CISOs.” The biggest risk is in what we do not know. Without knowing our real landscape of attacks, improvement plans are not going to be measurable and, to make matters worse, the decisions we make may be misaligned with the reality we face. It is important to understand what our unique level of compromise is in order to design a plan that is aligned with this reality.
- Know the attack surface: “Regardless of whether we are on a vertical that is highly attacked, such as the financial sector or any other, understanding the attack surface is crucial. The attack surface never gets smaller, quite the opposite,” says Zambrano. This includes understanding what kind of exposure we have to websites, mobile applications, as well as how many devices there are in the company, what kind of systems they handle, where they are located and the risk associated with each one. This may start with identifying and counting assets, and the impact of these assets on the organization’s business. This is one of the areas where cybersecurity teams need to constantly improve.
- Evaluate what resources are available to us, and that goes beyond budgetary issues: Zambrano divides this subject into three groups:
- Human Talent: Cybersecurity is an area that is constantly evolving, so it is important to know what skills are already in the company, how long they have been there, what their talents are, and where there are opportunities for staff training and development. This has the objective of identifying the GAP that exists between the current organization and the one we need to ensure that we defend the organization efficiently in the short, medium, and long term.
- Technology Assets: As department leaders, we have the task of evaluating the tools we have, which ones really add value and which ones are obsolete, but most importantly how they align with the evolution of the business. Zambrano explains that “many times, security teams buy solutions for technological reasons, because industry analysts recommend it, or because it is an industry trend. However, it is important to be clear that cybersecurity exists as a need for business protection and that should be our main alignment.”
- Partners and providers: It is key to know who stands with us, and to have faithful and genuine accompaniment as this point can make the difference when facing a compromise or attack. Knowing early who just wants to sell to us, what technologies are evolving to solve fundamental problems in cybersecurity and who is really going to fight for your company has many benefits.
- Always keep an advisory eye “This allows us to develop a plan for the first 90, 180 days, and next year. But this is a cycle that is constantly repeating itself as a result of the capacity of cyberattacks to constantly evolve.
- Implement threat hunting tactics: “We have to live under the assumption that the attacker may be inside, and in the event that this premise becomes true we can detect them before they do any damage. And for that, we have to look for them tirelessly.” Zambrano states that this subject is absolutely critical for business continuity. “As CISOs we often focus on the trivial, when the important thing is to have initiatives that continuously and intentionally seek out the adversary,” Zambrano emphasizes.
A new CISOs job is not easy at all. However, the information we need to make decisions usually exists. It is a matter of doing everything possible to access information that is accurate so that reasonable and acceptable business decisions can be made.