Cybersecurity and decision-making: best practices to adopt

Whether it's making decisions on issues within their remit or getting top management approval for strategy and budget, decision-making is at the heart of the CISO's concerns. What should decisions be based on? How can you be sure you're making the right decisions? Here are some best practices for making good decisions and ensuring good decision-making in cybersecurity.

October 10, 2022

Cultivate composure and analytical skills

In all areas, the difficulty lies not so much in deciding as in making the right decision. The CISO faces a twofold problem in this regard: bound by an obligation of means, they must make decisions knowing that zero risk does not exist, while being subject to significant time and budget constraints. Since perfection is clearly unattainable, the CISO has every interest in cultivating a certain mindset in order to maximize their chances of making the right decision.

Avoiding bias

In practice, this means first and foremost not relying on your initial impression. While newly recruited CISOs often have to make technical decisions "on instinct," this approach is not sustainable in the long term. As theorized by American economist and sociologist Herbert Simon, our rationality is inherently limited (bounded rationality). Whether they like it or not, CISOs, like everyone else, are exposed to the trap of cognitive biases, including:

  • confirmation bias, which consists of paying attention only to elements that support one's initial point of view;
  • conformity bias, which leads to making decisions similar to those of peers, even though the situation is not the same;
  • information bias, referring to the tendency to seek out more and more information, even if it is useless, in the belief that this will lead to a better decision.

This list could be expanded, but these few examples suffice to illustrate the point: in order to make the right decisions, CISOs must tirelessly take a step back from their immediate reactions and focus on reasoning based on concrete and reliable information. This is the best way to make informed decisions and, incidentally, to convince decision-makers on issues relating to the budget or corporate strategy.

Don't rely 100% on cybersecurity tools

Cybersecurity tools are developing, and that's a good thing! However, extreme caution is required. Each tool has its own mode of operation, which means that it is not necessarily capable, on its own, of providing answers to all the questions that need to be asked.

For example, a data collection tool may, due to default settings, incorrectly alert users to the existence of workstations not covered by corporate antivirus software. If the CISO does not make the effort to understand how the tool manages data and then interpret the information it provides using their own framework, the decision made is likely to be a bad one. Based on a false belief, it may not be relevant and may also cause the CISO to lose credibility.

Conclusion: using tools to help make decisions, yes, but letting tools make decisions, no!

Base decisions on relevant data

All CISOs know that cybersecurity practices are primarily based on data. However, collecting data alone is not enough to guarantee the quality of the decisions made.

Identify the right data based on the strategy

For the CISO, the exercise amounts to following a line of reasoning, as a top-down chain of questions:

  • What are the key points of the cybersecurity strategy?
  • What requirements must be met to achieve these objectives?
  • What indicators result from this?
  • What information should you gather in the field?

It is by starting with the strategy that the CISO manages to identify the most relevant data to collect, while setting priorities: since the best is the enemy of the good, the ideal would always be to work with a few well-chosen indicators, rather than risk getting lost in an overload of information.

As for CISOs who struggle to gather and process information, the best decision is certainly to apply the basics before embarking on the creation of a dashboard:

  • patch;
  • install antivirus software;
  • manage backups and vulnerabilities;
  • do not allow users to be administrators of their workstations;
  • raise awareness of cyber risks.

Making data speak

Unfortunately, reliable data alone does not enable us to make the right decision with certainty. We need to "make the data talk," which involves various manipulations, such as cross-referencing information or modeling, as enabled by Business Intelligence tools.

Better still, the data should be processed to enable an assessment of the company's security position. In this area, the ideal approach is to start with the most important subject (corporate IT, for example), then carry out an objective analysis based on a pre-selected reference framework (ANSSI guide, CIS, NIST, etc.). The situation must then be reassessed on a regular basis, even if this means gradually extending the analysis, for example by including subsidiaries, partners, or business units.

To do this, security scoring tools such as Bitsight or Security Scorecard are certainly useful, but they must be used with an awareness of their limitations. Since these tools only capture information from open sources, they may not detect a priority if it is not visible from the internet.

It should also be remembered that scoring is only useful if the data evaluated is reliable! Benchmarks are also useful in that they allow you to objectively assess your level of security by comparing it with that achieved by your peers using the same reference framework. Because they attract the attention of top management, they also help the CISO obtain the necessary budget approvals.

