6 Ways to Be Your CISO’s Security Team MVP
April 20, 2017
Featured article by Arden Rubens, Social Media Manager and Content Writer at Checkmarx
Security maturity, as cliché as it sounds, is a journey – not a destination. Security isn’t something that can ever be considered “done” because there will always be new technologies, business objectives or processes to secure and align with.
The good news is you don’t have to be a CISO to effect change in an organization. If you’re a dedicated security professional, you can absolutely help guide how security is implemented in your organization, as well as how security is perceived by the larger organization. Incorporate the following 6 tips into your professional role and make yourself and the security team look like total pros!
1. Mapping Out Every Security Objective Back to Business Objectives is No Easy Task – Ask Your CISO
This is likely the most crucial part of the CISO position, and can also be the most difficult. A CISO’s role carries the responsibility of managing every intersection security has with the business, including shareholder value, operations and even brand protection. In addition, CISOs are required to map every security practice, tool and procedure back into relatable terms that can be explained to the board and other stakeholders.
For those on the security team it’s easy to understand why certain security protocols exist – but for those on the outside, it’s not always as clear and can be difficult to explain to business-oriented stakeholders. You can help your CISO tremendously by adding business context and proper data to discussions. This is especially important when it comes to attaining the budget your team needs, because without mapping your needs to the organization’s, the full security budget may be slashed.
2. Keep Your CISO in the Loop
CISOs may not work on the security team day-to-day and may not know what security is doing daily. But security is a fast-paced industry and changes happen quickly and often, so it’s important to keep your CISO updated on what’s being worked on.
If possible, try to set up a weekly or bi-weekly meeting between the CISO and the security team. Providing feedback and having open discussions with clear communication creates an environment where a strong relationship between the CISO and the security team can be established, allowing everyone to get the job done.
3. Continue Complying and Ensure Your Organization is Adhering to Important Regulations
Adhering to relevant compliance requirements and regulations is critical for organizations to succeed and compete in the market. While a CISO will likely have a grasp on the regulations that apply to their organization, there’s always room to improve processes around how compliance regulations are handled and ways to detect areas that haven’t reached full compliance.
This is especially important when preparing for new regulations such as the GDPR. Security teams can help by mapping out new mandates in terms of security and how the security team is handling them – or recommending what that handling should look like.
4. Raise Security Awareness and Give Shout-Outs to Security Champions
Every company is in its own stage of security awareness and unfortunately the security team has often been viewed as a block to innovation, speed and growth. One way to further integration and a healthier working relationship between security and other departments is to identify “security champions”. These are non-security team members who show extra interest in security best practices.
By identifying and engaging your security champions in ways they find meaningful, you can forge a new image for security, which helps break down silos and change how the security team is viewed across the organization. A win-win!
5. Improve Communication with DevOps Teams
DevOps is an integral part of many organizations and the continued integration of developer and security teams (DevSecOps) is of the utmost importance to streamline and improve processes.
You can pioneer the change in your own organization, because as research shows. Keep teams relevant by identifying tools, processes and integrations that could be implemented to help DevOps in their goal to become faster and more productive while maintaining a high security posture.
6. Continue Security Education – Time to Learn!
Another critical element in helping a CISO is effective security training and education throughout other departments. Find out, using your knowledge of the threat landscape, how threats are prioritized and understood by relevant departments and what’s being done to educate employees. You’ll be able to identify gaps between what’s being taught and how employees are applying their training and education.
For example, email phishing is always a major concern for non-security employees, but what about drive-by attacks? Do your database admins understand the prevalence and dangers of XSS and SQL injection? Does your finance department understand what a spear-phishing attack looks like? Identifying the blind spots and helping your CISO find ways to mitigate risk is a huge win for the organization as a whole.
In the end, helping your CISO and your organization’s security posture is a commitment to your craft that will often pay off big time. Not only will you have a much better understanding of the work that CISOs do and what they’re charged with, you’ll also be seen as a supporter of innovation and of the organization as a whole.
About the Author
Arden is the social media manager and a content writer at Checkmarx. Her blogs focus on cyber security trends and the latest developments in the world of AppSec. She aims to educate and inspire developers, security professionals, and organizations to find the best defense against online threats.