Keeping Up with the CISOs: How to Stay Prepared in a Constantly Changing Cyber Landscape 

by Tori Thurmond / March 1st, 2023

How can CISOs keep up with the ever-changing world of cybersecurity? With threats constantly evolving, regulations growing, and technology changing, CISOs have a lot to keep up with, not to mention the increasing amount of data paired with growing numbers of threats. The struggle to keep up is putting organizations at risk for data breaches and other cyber-attacks.  

At the 2022 Information Systems Audit and Control Association (ISACA) conference in Chicago, one of the sessions consisted of a panel of CISOs discussing the constantly changing cyber landscape and how they are staying prepared in the ever-changing industry. The panel explored topics such as how organizations can protect the data they possess, prepare for the inevitable, and stay one step ahead.  

Note: These answers were compiled from the panel discussions and summarized for readability. The answers below are not direct quotes. 

Q: Can you protect all data at the same level?  

A: Technology is catching up to the increased amount of data organizations are accruing, so it’s becoming easier to encrypt data. However, the challenge may be going through a backlog of data that’s built up over time and making sure that data is appropriately protected.   

While protecting everything at the same level may not be possible, it’s important to have a wide breadth of protection. Assess the risk associated with each type of data your organization possesses and then decide how to proceed.  

To help manage the risk associated with different categories of data, limit internal access. Grant access to only those who require it to better control internal risk. This way, you’ll know exactly where your data is and who is responsible for its protection.  

Q: How should an incident response plan be managed?  

A: Your organization’s incident response plan should be modified regularly as regulations and risk change.  

Consider including your communication plan, your Business Continuity Plan (BCP), and Disaster Recovery Plan (DRP) in the same policy document as the rest of your incident response plan to allow for easier updates and better communication between responsible parties if an incident occurs.   

No organization is small enough to overlook its security needs. All organizations are at risk of an attack, so having a recovery plan is essential to the success and longevity of an organization.

Q: How can organizations reduce phishing attacks? 

A: A major key to reducing the number of phishing attacks your organization faces is awareness. Make sure all members of the organization know how to identify suspicious messaging through adequate security awareness training.  

One way to keep phishing top of mind for your employees is by celebrating successes and failures. If an employee successfully identifies a phishing attempt, make that success known. On the other hand, if an employee fails a phishing test or your organization experiences a real-life phishing attack, talk about what went wrong and how to prevent a recurrence.

In addition to preparing employees to recognize and report phishing attempts, perform continuous testing on your environment. Hire penetration testers to safely identify overlooked vulnerabilities and have your cloud environment scanned regularly.  

Q: How can an organization increase internal security on a budget? 

A: Not every organization has the budget to hire a full security team. While prioritizing security is important, all members of the organization can become security champions, that is, people within the organization who support its security initiatives.

By providing educational resources and communicating security needs clearly across all branches of the organization, you will improve the overall security posture.

Technical skills are trainable. Instead of hiring new employees to meet your security needs, consider providing funding for current employees to earn security certifications. Cross-skilled employees always prove to be an asset to organizations.  

Q: What’s the true value of an audit? 

A: Audits are your friend, not your enemy. Partner with your auditors to discover areas for improvement so you are prepared to face today’s threats confidently.

Leverage your audit for cyber resilience. When done right, an audit will identify vulnerabilities and provide you with an opportunity to strengthen your organization’s security posture.  

A quality audit will always pay off.  

Find a Partner to Help Achieve Your Goals 

Making changes within your organization can be intimidating, whether you’re revising your policies, looking to implement new practices, or preparing for a yearly compliance audit.  

As a licensed CPA firm, KirkpatrickPrice specializes in information security audits and security assessments that can help protect your organization.  

If you have any questions about how your organization can improve its security posture, connect with one of our experts today to learn more about our risk assessment services, security awareness training, and compliance audit services! 

About the Author

Tori Thurmond

Tori Thurmond has degrees in both professional and creative writing. She has over five years of copywriting experience and enjoys making difficult topics, like cybersecurity compliance, accessible to all. Since starting at KirkpatrickPrice in 2022, she's earned her CC certification from (ISC)², which has aided her ability to contribute to the company culture of educating, empowering, and inspiring KirkpatrickPrice's clients and team members.