New CISO? Get A Handle on Your Organization's Security Posture in 100 Days
You just signed on as CISO. Congratulations! Now you can expect to be deluged with security emergencies and unresolved issues from your predecessor while you're getting to know and building credibility with your team. Meanwhile, cyberattackers are still pounding at the door. All of these immediate pressures are important, but optimizing organization-wide security is why you were hired. Here are four steps that will help you identify security priorities and appropriate remediation steps, so you can begin moving the organization forward as quickly as possible.
1. Take Inventory, Test, and Measure—30 Days
What's already in place at your organization? According to Gartner, large enterprises report having 30 to 70 security vendors. That can mean dozens or hundreds of security controls, policies, and management tools. Disconcertingly, the report also notes there is a "veritable epidemic of misconfigured, disconnected, turned off, and non-optimized security tools all over the organization." That's not counting the possibility that an attacker has already breached the organization and compromised controls.

Don't forget to assess gateways and connections to third-party business partners. Supply chain attacks are increasing as attackers seek to exploit weak links in small companies' security practices in order to gain access to the much larger enterprise that those smaller companies serve.

Policy review is critical to ensuring a full understanding of the security environment. It's likely that systems, business processes, policy owners, legal requirements, and other factors have changed during your predecessor's tenure and that existing policies no longer align with business needs.

Getting your arms around the current security posture means first identifying all vendors, controls, policies, and third-party connections currently in place. Once you know what is there, assess what is working—and how well—and what isn't. In a dynamic threat landscape with dozens of constantly changing threat vectors, you need specific data about your controls:

- How broad is the coverage?
- Network only? Network, hosts, and endpoints?
- How sensitive are controls?
- Can you successfully defend against attackers' current tactics, techniques, and procedures (TTPs)?
2. Assess Risk and Identify Gaps—15 Days
Once you have tested and measured the existing security environment, you have the data to assess risk and identify gaps. Compare your test results with security best practices and risk assessment guidelines. Cybersecurity risk increases with gaps in coverage, missing functionality, or reduced incident response capability. Gaps can occur anywhere:

- Enterprise perimeter: Gaps that threats exploit to gain entry through email, web browsing (such as drive-by downloads), and web applications (including retail or online banking websites)
- Enterprise internal network: Gaps that enable an attacker to compromise endpoints, establish command and control, move laterally to other endpoints or network segments, or exfiltrate data