SecurityWeek

Management & Strategy

Why CISOs Need a Security Manifesto

Manifestos have been around for centuries but seem to have become trendy lately. Originally manifestos were used by political parties or candidates to publicly declare policies, goals, or opinions before an election. More recently, manifestos have gone mainstream and are used by companies, individuals, and groups to promote better work and life habits. There are even articles and blogs devoted to collecting inspirational manifestos or teaching us how to write a manifesto.

But when I started thinking about the idea of a “Security Manifesto” it was with the original intent in mind. As I wrote in my previous column, security needs to become a boardroom discussion, and having members with technology and cybersecurity expertise at the table is the only way for this to happen effectively. Today’s CISOs are candidates in the midst of a campaign, striving to ascend even higher in the organization: to the boardroom. Every candidate needs a platform upon which to run, and that’s where the manifesto comes in.

CISOs need to be prepared to answer hard questions: How do I make my security team the first point of contact for the business when potential security issues arise? How can I ensure my team has the tools and visibility to determine what security issues are most relevant, and require action? And how do I keep users—the key to business success—safe, and not just when they are working onsite?

A Security Manifesto can prepare CISOs to address these questions based on a core set of security principles. To help CISOs develop a manifesto, below are five principles that can serve as a baseline as they strive to become more dynamic in their approach to security, and more adaptive and innovative than adversaries:

1. Security must be considered a growth engine for the business. Security should never be a roadblock or hassle that undermines user productivity and stands in the way of business innovation. Yet security teams impose technological solutions that do exactly that. A primary reason: they are not invited in time, or at all, to discussions about business projects that require the deployment of new technology. However, security professionals are also guilty of waiting for an invitation they may never receive. They instead must take proactive steps to ensure they are involved in technology conversations, and understand how security processes can enable the organization’s agility and success, while also protecting its data, assets, and image.

2. Security must work with existing architecture, and be usable. Security teams should not have to create or re-build an architecture to accommodate new technology solutions that are meant to improve security. Organizations should not have to change the way they do business to accommodate new security technologies, or be prevented from making changes in how they operate because of the technologies they already have in place. The end result of “architecture overload” is that users will circumvent security architecture, leaving the organization less secure. In addition, if a security technology is too difficult for users to understand, and must be maintained by hard-to-find, specialized security talent, it is not useful to the organization.

3. Security must be transparent and informative. Users should be presented with information that helps them understand why security is stopping them from taking a particular action. They also need to know how they can do what they want to do safely, instead of bypassing security in the name of doing their jobs. As an example, when a user attempts to access a web page and is met with the message, “Access to this site has been denied by your administrator,” there is no context as to why they can’t access the page. But if the message said, “Access to this site has been denied because it has served malware in the last 48 hours,” the user would be better informed and understand the potential risk not only to the organization, but to them, as an individual user. Security technologies also should help users to achieve their goals safely through clear recommendations or by directing them to appropriate resources for timely assistance.

4. Security must enable visibility and appropriate action. Security solutions with open security architecture enable security teams to determine whether those solutions are truly effective. Security professionals also need tools for automating visibility into the network so they not only can see traffic, but also the assets that make up the network. By understanding how security technologies operate, and what is normal (and not normal) in the IT environment, security teams can reduce their administrative workload while becoming more dynamic and accurate in identifying and responding to threats and adapting defenses. In taking this approach security teams can take full advantage of more relevant and targeted controls to aid in resolution.

5. Security must be viewed as a “people problem.” A technology-centric approach to security does not improve security; in fact, it makes the problem worse. Technologies are merely tools that can enhance the ability of people to secure their environment. Security teams need to educate users about safe habits that they should apply no matter where they are using technology—at the office, at home, on the road—so they can make good decisions and feel empowered to seek timely assistance when they think something is wrong. Improved dialogue between security professionals and users will also help users see that technology alone cannot assure security. People, processes, and technology, together, must form the defense against today’s threats. Commitment and vigilance by all users in the organization, from the top down, empower security success.

A Security Manifesto outlines how security technology, policies, and best practices should be used to raise the average level of security for everyone in the organization. With strong principles to guide them, everyone across the organization – users, security practitioners, and business leaders – can see the “big picture” on security and work together to understand and minimize risk while advancing the business.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
