COVER story
detection and response, leveraging AI and Machine Learning is very effective.
It also enables organisations to defend against AI-enabled cyberattacks. Applying the basics is still very important, as is building a cybersecurity framework on a foundation of layers of defence based on applicable standards, such as the ISO series, NIST and CIS.
A combination of IT and OT security standards is key to protecting critical environments, such as:
• NIST or the ISO/IEC 27000 series for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS).
• ISO/IEC 19249 – a catalogue of architectural and design principles that should be used to foster the secure implementation of convergence. These also help in addressing the balance between functionality and security.
• IEC 62443 – designed for the cybersecurity of industrial automation and control systems (IACS), it provides guidelines for implementing robust security measures in sectors such as manufacturing, energy and transport.
• Applications using the Purdue Model – defines the best practices for the relationship between Industrial Control Systems and business networks, i.e. between IT and OT.
How can CISOs succeed in fostering a culture of cybersecurity awareness among employees at all levels of an organisation?
A sustainable security culture requires care and feeding. It is not something that develops naturally; it requires nurturing and relevant investments. It is bigger than just ad-hoc events. When a security culture is sustainable, it transforms security from ad-hoc events into a lifecycle that generates security returns forever.
A CISO and team should engage and encourage employees at all levels to participate in a security culture that is co-created, enjoyable and value-adding. Furthermore, for people to invest their time and effort, they need to understand what they will get in return. In other words, it should provide a return on investment, such as improving a business solution or mitigating risks associated with cyberbreaches.
Culture change can either be driven from the top or be a bottom-up approach, depending on the composition and culture of the organisation. A bottom-up rollout allows engaged parties to feel they are defining the way forward rather than participating in a large prescriptive corporate programme, while support from the top helps to validate the change, regardless of how it is delivered.
In particular, a top-down mandate helps to break down barriers between various business functions, as well as being one of the few ways to reach beyond the technical teams and extend throughout the business.
CISOs can co-create a strong cybersecurity culture through the following:
• Senior leadership support from the board and executive committee, which echoes the importance of cybersecurity within the organisation
• Defining a security awareness strategy and programme, including Key Performance Indicators (KPIs)
• Targeted awareness campaigns which segment staff based on risk. Grouping users by risk allows messages and their frequency to be tailored to the user group
• A cybersecurity champion programme which allows a group of users embedded in the organisation to drive the security message
• Use of various mediums to accommodate different types of people who learn differently
• Employees are always encouraged to report cybersecurity incidents and know where and how to report them
• Creating an organisational culture where people are encouraged to report mistakes could be the difference between containing a cyber-incident or not
• Measurements to test effectiveness, which is often done with phishing simulations
• Employees have a clear understanding of what is acceptable versus what is not acceptable
• Information security becomes a shared responsibility instead of the CISO's sole responsibility.