Cyber News

Because protecting a company means knowing every nook and cranny and all its external connections, an effective security policy relies on meticulous mapping of the areas to be covered. In practice, however, monitoring all spaces and aggregating information is an ambitious task. The levers for achieving this are technical, organizational, and human.

Whether it's making decisions on issues within their remit or getting top management approval for strategy and budget, decision-making is at the heart of the CISO's concerns. What should decisions be based on? How can you be sure you're making the right decisions? Here are some best practices for making good decisions and ensuring good decision-making in cybersecurity.

Faced with the expansion and fragmentation of the information system, the CISO would love to have the gift of ubiquity, to see and protect everything, both within the company and beyond. In the absence of this ability, the only option is to remain vigilant in monitoring areas that are sometimes neglected, while carrying out meticulous mapping work. This pragmatic approach lays the foundations for a solid strategy, providing greater visibility to enable prioritization.

In many organizations, the CISO is still perceived as a technician, or as "the expert who says no." CISOs therefore face a major challenge in demonstrating that security is not a cost, but rather an investment in securing the future of the company. There is only one solution to this challenge: having a clear idea of the stance to take and positioning oneself as a business facilitator on a daily basis.

According to the 2020 edition of CLUSIF's study "IT Threats and Security Practices in France," conducted among 350 companies with more than 100 employees, the CISO function is attached to senior management in 56% of cases. This still low figure illustrates the difficulty of cybersecurity in occupying a prominent place at the top management level. How can the CISO remedy this situation and work towards greater recognition of their role by senior management? Perhaps simply by daring to take the first step!

In cybersecurity, data is essential. Without it, it is impossible for the CISO to assess the security situation and know what stance to take! While HR and finance departments have their own information systems, cybersecurity is most often practiced with the means at hand. To be effective, what data should be collected? How can it be disseminated to the field? Here is a methodological overview of the subject.

CISOs as superheroes? CISOs are stressed. That's the finding of a study conducted by Vanson Bourne on behalf of Nominet, which surveyed 800 information security managers in the United States and the United Kingdom. Although France was not included in the study, it seems reasonable to assume that the situation there is similar. Why all the stress? Quite simply because CISOs take on the role of superheroes, superhero CISOs, without having the appropriate resources at their disposal.

From design to formatting, not to mention the thorny issue of data collection, SSI dashboards make life difficult for CISOs. A complex environment, difficulties in engaging contributors, unsuitable tools... there are many reasons for the time wasted and frustration generated, to the point that some CISOs are almost tempted to give up. They therefore sometimes turn to predefined, technical dashboards provided by the multitude of technological solutions available on corporate networks.

What if the solution was to continue creating dashboards, but in a different way?

While the ANSSI hygiene guide recommends raising user awareness of basic IT security best practices, the reality is enough to make CISOs tremble. According to the CESIN cybersecurity barometer established in January 2020, employees remain difficult to mobilize. 45% of companies believe that their employees do not follow the recommendations! So what solutions are available to CISOs to raise awareness and engage teams?

CISOs and the race against time: is this just anecdotal? According to a study conducted by Nominet among 800 CISOs in the fall of 2019, 95% of CISOs exceed their working hours by around 10 hours per week. Of course, this phenomenon can be partly explained by the skills shortage in the field of cybersecurity. But that's not the only reason! On a daily basis, this race against time is due to cultural and organizational issues that slow down CISOs. Fortunately, solutions now exist to help them regain peace of mind and efficiency.