In an ever-changing cyber threat landscape, here are some ways CISOs can bring teams together and establish a security culture.
When I begin a new relationship with a CISO, I try to convey to them the importance of their role, whether it's in a hospital, payment processor, research company, or pharmaceutical manufacturer.
Too often I meet with cybersecurity teams who are overwhelmed by the complexity of the task at hand. Many are dealing with a mix of legacy devices that haven't been updated in years, raising concerns that their organization could become the next victim of ransomware, or that an incident that starts digitally will eventually turn physical and harm a patient.
They all know that healthcare lives are at stake and they play a serious and important role in keeping the organization functioning, profitable and safe. It's important to step back and see the big picture: how to modernize your organizations and bring them into the modern world of hybrid working based on zero trust and multi-cloud environments.
Here are four ways security leaders can adopt a proactive mindset:
Take on the role of a diplomat.
CISOs need to bring people from different departments together. Start building bridges between the IT staff and the security team. It is also important to include public safety, physical security, human resources and the management that controls budgets. Explain to them that cyberattacks overlap, so security is everyone's business, not just the CISO and security team.
Emphasize to IT and network staff that it's best for everyone if the organization moves away from legacy infrastructure and adopts tools that can provide improved visibility and communication across the enterprise. Many IT and network teams have worked in their specific fields for years, investing time, money and a lot of effort to become familiar with specific products. Get them excited about learning new technologies that will make their work life easier while increasing visibility across the organization and putting the team in a stronger position to anticipate, respond to and prevent future cyber incidents.
Manage risks properly
Health professionals always assess the risk. Before major surgery, the surgeon performs a test and tells the patient that under certain circumstances they have a 90 percent chance of a good result. The patient must then weigh the risks and decide whether to proceed with this assessment.
CISOs need to do the same kind of risk calculations for security technologies. You must be asking yourself: if we continue to use our legacy devices, what is the risk of compromise and traversal through the network? What is the likely outcome of a system compromise? Another possible question could be: What is the risk of having a legacy Electronic Medical Record (EMR) system versus modernizing and moving the EMR system to the cloud? As risky as it is to move an EMR to the cloud, does it serve the organization to continue operating an EMR that is nearing the end of its useful life?
In healthcare, we find many “analysis paralysis” where organizations continue to study new technologies and never act, worried about downtime and mistakes during the inevitable learning process. What I say to CISOs is assess the risk.
Take multi-factor authentication (MFA) for example. There are CISOs who tell me that it is theoretically possible to hack MFA. While that's true, I'm telling you, Microsoft has found that MFA blocks almost 99% of all account takeover attempts. Also, a sophisticated threat actor is required to bypass MFA. Conduct a risk analysis. I think most people would agree that 99% is an acceptable number.
A CISO's job is to conduct a risk analysis and decide whether it makes sense to maintain the status quo or to move the organization forward and innovate with new technologies that will make employees more productive and safer in the long term.
Benefit from the switch to the hybrid working model
The pandemic has presented technology companies with a unique opportunity to advance digital transformation projects.
