How the CISO Can Transform Into a True Cyber Hero

08 July 2024

Three steps that can help CISOs bring calm to incident response, redefine how they are perceived, and emerge as the hero in a cyber crisis.

The job of a chief information security officer (CISO) often hangs by a thread. Just one difficult-to-manage cyber incident can lead to the loss of their job. And there's been no shortage of examples in recent years. But many times, CISO departures are less about their individual performance and more about how their peers felt during the incident.

The good news is that CISOs can take preventive measures to shape those feelings for the better, applying human savvy to instill a sense of calm during a tense incident response. By following these three steps, CISOs can redefine how they are perceived and emerge as heroes in a cyber crisis.

1. Take Charge of Expectations for Response

CISOs already understand how to play defense well, with a focus on bolstering security, adopting the latest innovations, such as artificial intelligence (AI), and deploying automation and orchestration capabilities for accelerating incident response. Unfortunately, none of these activities alleviates the stress an organization feels during a cyberattack. Unclear expectations on how colleagues outside of cybersecurity should assist in a response only amplify that stress.

Compounding the problem are traditional cyber-incident response plans (CIRPs), which tend to focus entirely on cybersecurity without hooking into the other business departments required for an effective response to a large-scale incident. But CISOs can better manage expectations by focusing their energy on a cyber-incident management plan (CIMP) designed for department heads and senior leadership across the organization.

Responding to cyber incidents may involve professionals in legal and regulatory affairs, public relations, human resources, IT, and other departments. A CIMP codifies the roles each leader will play in a response — from implementing offline workarounds to communicating with internal and external stakeholders — and establishes a strong foundation for expectations. Codifying and socializing this information and the associated processes will alleviate confusion and prevent duplicate efforts during a response.

2. Drive Consensus for Recovery Priorities and "Minimum Viable" Operations

A nonsequential restoration process can also slow down operations recovery — particularly when the organization has forgotten (or can't align on) what its "minimally viable product" is. The CISO can help by guiding others toward a minimum viable business operating environment, which will help the IT team understand what to prioritize following a cyber incident.

Any "minimum viable" plan should align with essential business services and functions within the organization; it should not be purely application focused or developed via a traditional, application-centric business impact analysis (BIA) process. Such a plan means that, when requests for application restorations start coming in, IT will have the authority to prioritize those requests based on the ability to restore a function or service to the business, rather than a standalone application. This kind of process, aligned to functions or services, also lets businesses skip the traditional "application criticality tiering," so that a lower-tiered application can be restored first if it supports a high-priority service or function.

The ultimate results of this sequential recovery process? An accelerated revival of basic functionality, a well-organized return to business as usual, and a deeper understanding among stakeholders of what happens when — and why.
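As an added illustration (not code from the original article), the following Python sketch shows what the service-aligned ordering described above produces when applied to constructed sample data. The business services, their priorities, the service-to-application mappings, the application dependencies and the legacy criticality tiers are all assumptions made up for the example. It shows a tier-3 application being restored fourth because a first-priority service needs it, while a tier-1 database waits because only the lowest-priority service uses it; a dependency cycle in the inputs is reported rather than silently producing a meaningless sequence.

```python
"""Service-aligned restoration sequencing (added example, constructed data)."""
from typing import Dict, List, Set, Tuple

# Constructed sample data: business services in "minimum viable" order
# (1 = needed first) and the applications each service depends on.
SERVICE_PRIORITY: Dict[str, int] = {
    "order-fulfillment": 1,
    "payroll": 2,
    "customer-support": 3,
}
SERVICE_APPS: Dict[str, List[str]] = {
    "order-fulfillment": ["warehouse-ui", "label-printer-svc"],
    "payroll": ["hr-portal"],
    "customer-support": ["ticketing", "crm"],
}
# Constructed application-level dependencies: an app cannot come back
# before the apps it depends on.
APP_DEPS: Dict[str, List[str]] = {
    "warehouse-ui": ["identity", "orders-db"],
    "label-printer-svc": ["orders-db"],
    "hr-portal": ["identity", "hr-db"],
    "ticketing": ["identity"],
    "crm": ["identity", "crm-db"],
}
# Constructed legacy tiers from a traditional, application-centric BIA
# (1 = most critical).
APP_TIER: Dict[str, int] = {
    "identity": 1, "orders-db": 1, "crm-db": 1, "hr-db": 2,
    "hr-portal": 2, "crm": 2, "ticketing": 2,
    "warehouse-ui": 3, "label-printer-svc": 3,
}


def restoration_sequence(
    service_priority: Dict[str, int],
    service_apps: Dict[str, List[str]],
    app_deps: Dict[str, List[str]],
) -> List[Tuple[str, str]]:
    """Return (application, service that pulled it in) pairs in restore order.

    Services are taken in priority order; each service's applications are
    restored dependencies-first. An application already scheduled for an
    earlier service is not scheduled again. A dependency cycle raises
    ValueError, since no valid restoration order exists for it.
    """
    order: List[Tuple[str, str]] = []
    done: Set[str] = set()
    in_progress: Set[str] = set()

    def visit(app: str, service: str) -> None:
        if app in done:
            return
        if app in in_progress:
            raise ValueError(f"dependency cycle through {app}")
        in_progress.add(app)
        for dep in app_deps.get(app, []):
            visit(dep, service)
        in_progress.discard(app)
        done.add(app)
        order.append((app, service))

    for service in sorted(service_priority, key=service_priority.__getitem__):
        for app in service_apps.get(service, []):
            visit(app, service)
    return order


def tier_sequence(app_tier: Dict[str, int]) -> List[str]:
    """Traditional ordering: by criticality tier, then name, ignoring services."""
    return sorted(app_tier, key=lambda a: (app_tier[a], a))


def compare_positions(
    service_seq: List[Tuple[str, str]], tier_seq: List[str]
) -> Dict[str, Tuple[int, int]]:
    """Map each app to (position under service ordering, position under tiers)."""
    service_apps = [app for app, _ in service_seq]
    return {app: (service_apps.index(app), tier_seq.index(app)) for app in service_apps}


if __name__ == "__main__":
    seq = restoration_sequence(SERVICE_PRIORITY, SERVICE_APPS, APP_DEPS)
    tiers = tier_sequence(APP_TIER)
    print("Service-aligned restoration order:")
    for i, (app, service) in enumerate(seq, 1):
        print(f"  {i}. {app:18s} (tier {APP_TIER[app]}, needed by {service})")
    print("\nPosition shifts versus tier-only ordering (service, tier):")
    for app, pos in compare_positions(seq, tiers).items():
        print(f"  {app:18s} {pos}")
```

Running it shows `label-printer-svc` (tier 3) moving from ninth-to-last under tier ordering to fourth, because `order-fulfillment` cannot operate without it, while `crm-db` (tier 1) drops from first to eighth. That is the concrete effect of letting the service, not the application tier, drive the queue.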

3. Make Cyber-Incident Readiness an Integral Part of the Entire Organization

Operationalizing readiness, response, and recovery is where the rubber meets the road for the CISO. Plans, processes, and technologies underpin operations, but they each rely on people. Tabletop exercises that focus only on technical response activities strengthen only one "muscle group" of the organization. Consider a different kind of cyber exercise — a war game that involves the entire organization. By exercising the incident management plan with a broader constituency of stakeholders, organizations can build "muscle memory," test communication channels, and identify decisions or risks based on a given scenario.

As part of the war game, the recovery team should run through the sequential restoration. By socializing the order in which operations will return after a disruption, the team can reduce the number of "Is it back online yet?" queries received during a real incident. Giving the broader workforce a foundational level of experience also makes it easier for individuals to pivot and improvise as necessary during a real incident.

Taking on a New Role

There's an old joke that "CISO" stands for "career is seriously over." But today’s CISO has a serious role to play as a hero for their organization. It is a simple matter of evolving from a primarily technical role to a role that incorporates empowering their human peers and stakeholders to become greater collaborators in cyber-incident response, recovery, and readiness.

Building the plans, setting the expectations, and "practice, practice, practice" for individuals who will be involved can bring cooler heads and calmer hearts to the chaos of a large-scale incident response. And when it's all over, the CISO is the hero — just like everyone else who played a role in readiness, response, and recovery.
