Cultivate composure and analytical skills

In every field, the difficulty lies not so much in deciding as in making the right decision. The CISO's problem here is twofold: bound by an obligation of means (a duty to take reasonable measures, not to guarantee an outcome), CISOs have to make decisions in the knowledge that there is no such thing as zero risk, while also working under significant time and budget constraints. Perfection is clearly unattainable, so it is in the CISO's interest to cultivate a certain state of mind that maximizes the chances of making the right "decision".


Avoiding bias

In practice, this means not relying on first impressions. It is not unusual for newly recruited CISOs to have to settle technical questions "on instinct", but this approach is not sustainable in the long term. As the American economist and sociologist Herbert Simon theorized, our rationality is bounded. Whether they like it or not, CISOs, like everyone else, are exposed to the trap of cognitive biases, including:

  • confirmation bias, which consists of paying attention only to elements that support one's initial point of view;
  • conformity bias, which leads us to make decisions similar to those of our peers, even though our situation is not the same;
  • information bias, the tendency to seek out ever more information, even when it is useless, in the belief that this will lead to a better decision.

The list could be extended, but these few examples suffice to illustrate the point: to "make the right decision", CISOs must, time and again, step back from their on-the-spot reactions and give priority to reasoning based on elements that are both concrete and reliable. This is the best way to make informed decisions - and, incidentally, to convince decision-makers on questions of budget or corporate strategy.


Don't rely 100% on dedicated cybersecurity tools

Cybersecurity tools are multiplying, and that is a good thing! However, they must be used with great caution. Each tool has its own way of working, which means that it is not necessarily capable, on its own, of answering all the questions that need to be asked.

For example, the default settings of a data collection tool may falsely report workstations as not covered by the corporate antivirus: a hostname that differs between the inventory and the antivirus console, or a decommissioned machine still listed in the inventory, will show up as a "gap" even though none exists. If the CISO does not make the effort to understand how the tool handles the data, and then interpret what it produces through his or her own analytical framework, the resulting decision is very likely to be wrong. Based on a false belief, it may be irrelevant, and it may also cost the CISO credibility.

Conclusion: using tools to make decisions is one thing, but letting tools make decisions is another!


Rely on relevant data

As all CISOs know, the practice of cybersecurity relies first and foremost on data. However, data collection alone cannot guarantee the quality of the decisions made.


Identifying the right data based on strategy

For the CISO, the exercise is like unrolling a thread of reasoning, chaining from top to bottom.

  • What are the key points of a cybersecurity strategy?
  • What are the requirements for meeting these objectives?
  • What indicators are derived from this?
  • What information do you need to gather in the field?

It is by starting from the strategy that the CISO succeeds in identifying the most relevant data to look for, while setting priorities: the best being the enemy of the good, it is always preferable to work with a few well-chosen indicators rather than risk getting lost in too much information.

As for CISOs who are struggling to get information reported up from the field, the best decision is certainly to apply the basics before embarking on the construction of a dashboard:

  • patch;
  • install an antivirus;
  • manage backups and vulnerabilities;
  • do not let users be administrators of their workstations;
  • raise awareness of cyber risks.


Making data talk

Unfortunately, reliable data on its own is not enough to make the right decision. You need to "make the data talk", which involves various processing steps, such as cross-referencing sources against one another, or modeling, as enabled by Business Intelligence tools.
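The antivirus-coverage false alarm described earlier and the cross-referencing step mentioned here can be shown together in one worked example. The code below is an added illustration, not part of the original article or of any vendor's product: it compares a naive "hostnames missing from the antivirus export" count, which is what a tool with default settings typically produces, with an indicator obtained by cross-referencing the antivirus export against the asset inventory. Both exports, the hostnames, and the dates are constructed for the example; the stale-agent threshold of seven days is an assumption, not a recommendation from the text.

```python
"""Cross-check an antivirus console export against the asset inventory
before trusting a "workstations without antivirus" indicator.

Added example with constructed data; no real export is used."""
from datetime import date, timedelta

# Constructed asset inventory (CMDB) export: hypothetical hosts.
INVENTORY = [
    {"host": "WS-001", "type": "workstation", "status": "active"},
    {"host": "ws-002.corp.example", "type": "workstation", "status": "active"},
    {"host": "WS-003", "type": "workstation", "status": "active"},
    {"host": "WS-004", "type": "workstation", "status": "decommissioned"},
    {"host": "SRV-01", "type": "server", "status": "active"},
]

# Constructed antivirus console export: the hostname as the agent reports it,
# plus the date of its last check-in.
AV_EXPORT = [
    {"agent_host": "ws-001", "last_seen": date(2024, 5, 20)},
    {"agent_host": "WS-002", "last_seen": date(2024, 5, 20)},
    {"agent_host": "ws-003.corp.example", "last_seen": date(2024, 3, 1)},  # silent for months
]


def normalize_host(name):
    """Lower-case and strip the DNS suffix so 'WS-002' and 'ws-002.corp.example' match."""
    return name.strip().lower().split(".")[0]


def naive_uncovered(inventory, av_export):
    """What a tool left on default settings might report: an exact-string set difference.

    Case and DNS-suffix differences, servers and decommissioned hosts all
    surface as 'uncovered' even though most of them are not real gaps.
    """
    agents = {row["agent_host"] for row in av_export}
    return sorted(row["host"] for row in inventory if row["host"] not in agents)


def reconciled_coverage(inventory, av_export, as_of, stale_days=7):
    """Coverage indicator after cross-referencing both exports.

    - only active workstations are in scope (servers and decommissioned hosts excluded);
    - hostnames are normalized before matching;
    - an agent that has not checked in for more than stale_days (an assumed
      threshold) is counted as a gap, not as coverage.
    """
    last_seen = {}
    for row in av_export:
        h = normalize_host(row["agent_host"])
        # keep the most recent check-in if an agent appears more than once
        if h not in last_seen or row["last_seen"] > last_seen[h]:
            last_seen[h] = row["last_seen"]
    cutoff = as_of - timedelta(days=stale_days)

    covered, stale, uncovered = [], [], []
    for row in inventory:
        if row["type"] != "workstation" or row["status"] != "active":
            continue
        h = normalize_host(row["host"])
        if h not in last_seen:
            uncovered.append(row["host"])
        elif last_seen[h] < cutoff:
            stale.append(row["host"])
        else:
            covered.append(row["host"])

    in_scope = len(covered) + len(stale) + len(uncovered)
    pct = round(100.0 * len(covered) / in_scope, 1) if in_scope else 0.0
    return {"covered": covered, "stale": stale, "uncovered": uncovered,
            "coverage_pct": pct}


if __name__ == "__main__":
    print("naive report:", naive_uncovered(INVENTORY, AV_EXPORT))
    print("reconciled:", reconciled_coverage(INVENTORY, AV_EXPORT, as_of=date(2024, 5, 21)))
```

On this constructed data the naive report lists all five hosts as uncovered, whereas the reconciled indicator shows two covered workstations, one with an agent that has gone silent, and no workstation without an agent at all. The point is not the arithmetic but the questions the cross-check forces you to ask before acting: which hosts are actually in scope, whether the two sources name them the same way, and whether "installed" is the same thing as "working".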

Better still, the data deserves to be processed to the point where it can be used to assess the company's security posture. Here, the ideal approach is to start with the most important subject (corporate IT, for example), then carry out an objective analysis against a previously selected reference framework (ANSSI guides, CIS, NIST...). The situation should then be re-evaluated on a regular basis, extending the scope of the analysis over time if need be, for example by including subsidiaries, partners or business units.

To this end, security rating tools such as Bitsight or Security Scorecard are of particular interest, although they should be used with an awareness of their limited viewpoint. Because these tools only collect information from open sources, they may miss a priority issue that is not visible from the Internet.

It is also worth remembering that scoring is only useful... if the data being evaluated is reliable! Benchmarks are useful too, in that they let you objectify your level of security by comparing it with what your peers achieve against the same framework. Because they attract the attention of top management, they also help CISOs obtain the necessary budget approvals.

How do you create this virtuous circle?

An adaptable, collaborative SaaS platform, Tenacy gives CISOs greater visibility thanks to clear operational and strategic indicators, while relieving them of time-consuming, low-value-added tasks. Designed to provide greater consistency, it also enables alignment between operations and organizational objectives.

Contact us