A CISO Checklist: 10 Tips to Get Back on Track

The world of the CISO is becoming an almost  thankless job. No matter what you do, how well you present to the Board, how complete your program is, it seems your back is always against the wall.

The business complains of the burden security places on operations, the delays it causes, the relationships it destroys, etc. Whatever you do, you know that a data breach is coming. What you really hope for is that it never happens on your watch.

At the end of each and every day, it is the passion that we security professionals have that bring us back the next morning into that hot seat once again. We love the challenge; we love the cat and mouse game.

I’ve picked 10 items from a long list that can help the CISO get back on track. Your 10 may be different based on your industry and priority but hopefully these 10 tips can help you take less aspirin, less Tums, perhaps allow you to once again have lunch in the park or a stroll down Main Street – enjoying the beautiful sights and sounds that is summer.

Funds may not allow it. But if you don’t have an established security architecture, you  might be kissing your sensitive data goodbye and not knowing it! Even if it takes getting an outside firm to help you build one, just do it. It is perhaps one of the best moves you can make.

There are scheduled monthly/quarterly patch releases by the big ones – Microsoft, Adobe, Oracle, etc. If you are not getting at least these patches in on a timely basis, you are allowing a lot of room for attacks.

Don’t let the business always decide when you patch your servers, your infrastructure devices, your desktops, mobile devices, and applications. Advertise your patch schedule and barely allow any wiggle room for deviation or compromise. Give enough notice. Publicize how you may need to handle zero-day malware as well. Sometimes all it takes is communication, education and awareness.

Laptops, tablets, smartphones. These devices may be on the move with your data. Hopefully, that data is encrypted. Hopefully, as applicable, you have full disk encryption. Hopefully, you are able to track these devices globally in almost real-time and you have the ability to erase them at will if need be.

Now, more than ever before your users, the executive management, need to understand and be fully aware of the dangers of having a device lost or stolen close to home and on the road. Constant preaching helps.

You’ve got your sensitive data in the cloud. Not your cloud but somebody else’s. Yes, it is way cheaper to host it externally than internally. We hear you! “Quick win” you say! But lo and behold, did you do your thorough due diligence – encryption for data in motion and data at rest, exit strategy, access controls, making darn sure you have the right security provisions in the contract including reasonable audit rights?

Hope you’re smart enough by now not to allow removable media to be able to remove your data from your company’s possession without explicit permissions and the proper sign-offs. USB sticks are no longer a miserly 256MB, now they can store gigs and gigs of your precious data.  Don’t forget encryption.

You provide Internet-facing web portals to your employees and customers. A perfect entry point for anyone near or in a land far, far away. How regularly do you perform penetration tests and follow up against any high and medium findings? That’s easy.

Don’t forget to pay attention to your vendor who’s hosting a web site for you and your data and doesn’t want to show you their penetration test report. They may give you a redacted executive summary report or just show you the report over WebEx or in person. Would they allow you to do a pen test against their production environment where your data lives or would they allow it against their UAT environment? Would that suffice? Getting pen test reports from vendors is getting more and more difficult as it is becoming more and more important.

DDoS attacks are on the rise. Do you know how secure your services, such as DNS, SSDP, and NTP are? Go through the exercise to make sure that you’ve done thorough due diligence. But also make sure that you have a backup plan in case it happens – especially during critical business periods.

Think where your data live – the data center, the office, in the cloud, storage facilities, vendors, trash, etc. I am sure you can think of many more places. Do you know how your data are protected in each of these places? Don’t let the auditors discover your weaknesses. Find them first. Perform your own internal audits. Physical security that  ensures that only  the right folks are permitted the right access is paramount.

Well if you’ve got boat loads of sensitive data that keep you up at nights – let’s hope you’ve got a DLP solution or at least one in your near future. Data can leave your organization unencrypted, in a zip file, via emails, via SMS, via portable media. Does your DLP solution only work within your network? What happens when a user has data on their laptop, vacationing in Moscow?

Yes, your DLP must talk to you – provide you with alerts, reports, and the right information that can be actioned if need be. Surely this is one way to make sure that you just don’t get to bed  each and every night but that you actually get some sleep!

You are a security professional and you are amazed how easily people can be duped. Run phishing campaigns so you can learn who in your organization is most vulnerable to these attacks. Follow up with effective targeted training for those users and departments even if that amounts to as much as 20-25% of your user population.

After that dangle the hook in front of them again.  See who nibbles (opens the email) and who bites (clicks the link/surrenders their credentials).  Phishing and Spear Phishing are still big and your users are the trophies! Don’t let them get duped.