FEATURE

Cybersecurity in 2019
Jason Hart, CTO, Data Protection at Gemalto

There is no doubt that 2018 has been a memorable year for cybersecurity

vulnerable will crucially help protect against the vast majority of future attacks in 2019.

Aligning risks

Preparation is best when the organisation is clear on how cyber-risks translate into business risks. In 2019 CISOs must prioritise how they identify and report this to the C-suite. They need to identify how gaps in cyber defences could put the company at risk from a financial, regulatory or reputational perspective. This 'risk list' will vary from one organisation to another, but no company is outside the growing number of threats, or the regulations being put in place to help mitigate exposure.

The security team must methodically map where the cyber issues lie, plot them against these major risk groups, and ensure that mapping is clearly outlined in reports.

This method focuses the security team on prioritisation, so it can invest time and resources in the areas that deliver the most return on investment.

For example, a critical vulnerability identified on a business-critical server that cannot be taken down to be fixed may be a risk the company has to live with, at least until the next maintenance window, with compensating controls around it in the meantime. On the other hand, a vulnerability on a server that holds and processes data that is critical under the EU GDPR may need to go straight to the top of the list and be communicated to the C-suite in the next report.

Choosing projects in 2019

Another key criterion with reporting is how security teams choose which projects to focus on and report upon. Once you have decided which risks you want to fix, it is key to break this down into milestones for planned risk reduction across the year.

For these milestones the security team needs to educate and communicate what 'getting better' looks like. Good isn't zero: it is less, and it is addressing the most important issues first.

Milestones then need to be broken down into projects that can be measured at each step. There is no point wasting resources reporting on projects where you cannot prove that the situation is improving, and ultimately in every case it is better if this measurement is automated.

Lastly, as well as providing the C-suite with accurate and appropriate information, it is also key in 2019 for CISOs to remember that the whole rationale of reporting is to document the current situation and make it better. It is not a back-patting or tick-box exercise, and security teams shouldn't be afraid of managing upwards and asking for help next year. After all, with cybersecurity there is never a status quo.

Issue 09 | www.intelligentciso.com