Intelligent CISO Issue 09 | Page 38

FEATURE vulnerable will crucially help protect against the vast majority of future attacks in 2019. Aligning risks Preparation is best when the organisation is clear on the translation of cyber-risks into business risks. In 2019 CISOs must prioritise how they identify and report this to the c-suite. They need to identify how gaps in cyber could put the company at risk, from a financial, regulatory or reputational perspective. This ‘risk list’ will change depending on the organisation but no company is outside the increasing number of threats and the regulations that are being put in place to help mitigate exposure. The security team must methodically align where the cyberissues lie and plot them against these major risk groups, ensuring this is clearly outlined in reports. By using this method, it helps focus the security team on prioritisation, so they can invest time and resource in areas that deliver the most RoI. For example, a critical vulnerability that is identified on a business-critical server that can’t be taken down to be fixed could be a risk the company will need to live with. On the other hand, a system vulnerability on a server that holds and processes data that is critical within Once you have decided which risks you want to fix, it is key to break this down to milestones for planned risk reduction across the year. 38 EU GDPR guidelines may need to go straight up the list and be communicated to the c-suite in the next report. that the situation is improving – and ultimately in every case it’s better if this measurement is automated. Choosing projects in 2019 Lastly, as well as providing the c-suite with accurate and appropriate information, it’s also key in 2019 for CISOs to remember the whole rationale of reporting is to document a current situation and make it better. It’s not a back patting or tick box exercise and security teams shouldn’t be afraid of managing upwards and asking for help next year. After all, with cybersecurity, there is never a status quo. Another key criterion with reporting is how security teams choose which projects to focus and report upon. Once you have decided which risks you want to fix, it is key to break this down to milestones for planned risk reduction across the year. For these milestones the security team needs to educate and communicate what ‘getting better’ looks like. Good isn’t zero – it’s less and addressing the most important issues first. Milestones then need to be broken down into projects that can be measured at each step. There is no point wasting resource reporting on projects where you cannot prove Cybersecurity in 2019 Jason Hart, CTO, CTO, Data Protection at JASON HART, DATA Gemalto PROTECTION AT GEMALTO There is no doubt that 2018 has been a memorable year for cybersecurity Issue 09 | www.intelligentciso.com