CISO Nadine Hoogerwerf investigates how data protection professionals can prioritize the strategic compliance initiatives with the day to day tasks required to keep an organization running safely and securely.
Anyone working in cybersecurity will know this feeling. It is 6pm and another day has passed. You are not sure how this happened and part of you feels like you just started the day. You look at your to-do list and see some important items still standing there. And, to be honest, they have been there for a while. Sure, you have done a lot of work today, you have answered questions regarding the safe use of new tooling, reviewed a proposal from another team and identified the security risks, and explained (again) why you have not (yet) approved a new workflow.
But the things that you did not do today were the things that you know in the back of your head are critical for the midterm security. And they have been on your list for a while.
As a CISO it is important to have control over your work. To make time to assess risks, to assess the changes in the field and/or within your organization and to study new regulations like NIS2 and DORA and new technologies like IA. To create an understanding of the implications for your organization, for the data and processes that you need to protect. And from that understanding define what you need to do to keep the security levels at the same high or (if you are feeling bold) improve the security levels further.
This is a time intensive activity that requires focus and some peace of mind. Two things that are very hard to come by as a CISO.
It is a critical part of the job. Yes, as CISO you can be the chief firefighter but you are also in the lead for preventing fires and nowadays are expected to be a business enabler too. While you will receive support and maybe even applaus when you put down a fire or identify a new business opportunity, you are usually not winning the popularity prize when you are working on preventing problems. Still if you as a CISO truly feel the ownership over the protection of your organization, you will prioritize this.
Preventing problems can be done in two ways:
- Reactively: your colleagues came up with a great plan and you share recommendations on how to mitigate the associated security risks.
- Proactively: you assess the organization's risks and threats and you build defense in depth.
It is important to make time for the proactive approach. The benefit of focussing on defense in depth is that it will offer protection against a wide range of threats including unknown threats. Defense in depth is about adding layers of defense. If one of your protection layers fails, nothing is lost and/or the blast radius is limited due to the other layers. In this way preparing for mistakes, oversights and insufficiencies.
As a CISO you may not know everything that is going on within and around your organization, you may not fully understand new technologies, you may not know all the details of the new regulations coming your way yet, but at least know your critical business processes, your most sensitive data and the core risks in this regard.
Stay focussed on those core risks and processes and add layers of defense so you can be prepared for the expected and unexpected fires.
Read more from Nadine:
Humans make email mistakes, but tech can help us do better
Taking care of people by taking care of their data | A CISO’s perspective