At the end of every year, CISOs and InfoSec teams prepare a detailed audit report of the cybersecurity strategy executed across the year in their respective organizations. The teams brief the board on the status of their cybersecurity and on the budgets required to plan the coming year efficiently. This may seem an easy task, but it is considerably more complicated: CISOs can only plan through budgeting and estimate the risk of attacks that may happen in the near future, while actually preventing those attacks is far harder.
According to current statistics, billions of records were exposed during the first six months of 2020, roughly double the figure for the previous year. This shows clearly how security teams are struggling to manage their security posture, which poses a great challenge to the development of cybersecurity. Because the lack of clear strategies on security posture greatly affected the state of cybersecurity this year, CISOs need to analyze what led to the shortcomings and come up with a clear plan for 2021.
The first step in setting a clear vision for 2021 is understanding the attack surface and the risks associated with attacks on it. CISOs should analyze and understand the organization's cybersecurity standing before drafting their budget and proposals. The number of security signals across an enterprise keeps increasing, which creates pressure to adopt new technologies such as Artificial Intelligence to detect these signals. Most executive board members lack cybersecurity skills, so CISOs need to communicate with their audience in business terms that are easily understood in order to gain their support.
Secondly, the security teams should make a board presentation that shows the progress the organization has made on cybersecurity matters, based on the data collected from the previous year. CISOs should set these risks against the investments the company has made in security controls and express, in financial terms, both the impact of those investments and the consequences of a breach. Security teams should also assess attacks against the existing structure independently. This enables them to identify the most affected areas and the measures that could be implemented to address the risks involved.
CISOs should visualize the progress in order to show the trend of the risks since the last board meeting. By supporting their conclusions with current data, this lets management see whether the measures implemented have made an impact, through the increase or decrease of risk in specific areas. The company's vision and targets as far as cybersecurity is concerned are also discussed. As companies grow towards their targets and vision, the technology in use and the data available increase, so the attack surface also increases. Together with employees' desire to work remotely from home, this prompts a conversation between the board and CISOs on the need to strengthen their security controls. All these discussions lead to a single conclusion: the need for a solid plan to reduce the possibility of a breach, to understand the vulnerable areas, and to understand the impact a breach would have on the business.
Finally, during budget preparation, CISOs should apply a risk-based analysis that prioritizes the bigger risks. It is difficult to eliminate all cyber risks, so effort should be centered on eradicating the most significant ones by quantifying all the possible risks across all vulnerable units of the business. This enables CISOs to manage cyber risk with minimal resources, i.e. budget. Security teams should be especially vigilant when dealing with these risks to avoid a breach, because a breach can cost more than the entire budgets of many organizations. Communication between the CISO and the board is key in determining the allocation of resources and the cybersecurity status of an organization.
The board of the company also has a crucial role to play: investing in the technology required to analyze data signals across the attack surface, prioritizing the most important risks, and working towards the vision of the organization by implementing well-defined plans.