Feb 23, 2024
Proactive Security Strategies: CISO Perspective
Is it more important for your business to address an existing threat exposure in your product portfolio, or to ship that new product feature on time? In 2024, CISOs are being asked to lead this discussion and communicate cyber risk as part of an honest, informed and unbiased decision process to make this critical call.
So, what do security leaders think of this decision process? We had the chance to ask one.
In a recent webinar, Tunde Oni-Daniel, Head of Technology Operations and Engineering at One Main Financial, joined Brinqa CEO Amad Fida and VP of Solutions Alex Babar to offer his perspective on the importance of proactive security strategies in 2024. Below is a summary of key insights shared during this discussion. You can also listen to the full conversation in this on-demand recording.
“I just love the word proactive because it means you are doing something before it becomes a problem. Being proactive just makes sense. Doing what’s important; risk-based remediation proactively means you are creating value so things don’t cause an outage, an issue, a complication or impact your organization. If we think about it from that perspective, you are driving business value by being proactive. We’re no longer trying to wait for something to happen. We’re dealing with things before they become a problem to make sure that we are better than our competition.” ~ Tunde Oni-Daniel
Part I: Everything, Everywhere, All At Once (Vulnerability Management Edition)
The webinar’s conversation began with a thought-provoking question: “Can you fix every vulnerability?” The consensus among the panelists was that, while it’s impossible to address every vulnerability, prioritization based on impact is essential. Tunde emphasized that not every single vulnerability is something that creates impact, highlighting the significance of understanding the potential impact of vulnerabilities on business operations and prioritizing those that pose the highest risk to the organization’s critical assets.
Amad pointed out that, even with unlimited resources and budgets (which by the way, are not expected to double or triple in the coming months), fixing every vulnerability would still be unattainable. At the end of the day, there will always be issues that your business can make exceptions for, so the focus should always be placed on a program’s effectiveness and efficiency.
“The bottom line is that every organization has their own thresholds, tolerances and acceptance levels for risk.” ~ Amad Fida
Part II: Making Change is Hard, But Prioritization Doesn’t Have to be
Tunde goes on to elaborate on the three lenses he uses when assessing threat impact: outcome, threat model and timeliness. He stresses the importance of aligning risk remediation efforts with business objectives and understanding the unique threat landscape of the organization, while Amad reiterates the need for security teams to overlay their findings with business information. He shares that risk profiles and risk tolerances will vary depending on the organization, and there may be certain issues that one organization can make exceptions to while others cannot.
“What we’re doing today is not working, so we need to change. Yes, change is hard, but it’s time for cybersecurity to transform from these reactive ways of working to join the business and be more proactive, gain visibility, provide insights and metrics that make the business run better.” ~ Amad Fida
Part III: Egos Need Not Apply for Risk Management – Mutual Respect Encouraged
When communicating risk prioritization to business leaders, security experts often fall into the trap of focusing on the technological aspect of a given risk, neglecting the business impact entirely. The panelists stressed the importance of conveying risk in terms that non-technical stakeholders will understand. Tunde emphasized that lingo matters, including mannerisms, in how you communicate. Language in all forms plays a very important role in having effective communication, and making sure that what you are saying is captured properly.
“Communication is essential, and you must unify that plan because if that dialogue is there and your shared outcome is driving a secure culture within what you’re building, it doesn’t matter what part of the build it is or what part of the business it is. Once you see the mutual respect unifying that journey for the betterment of the customer, agility is enabled.” ~ Tunde Oni-Daniel
Part IV: Like Beauty Lies in the Eye of the Beholder, So Does Success
Measuring success in cybersecurity can be challenging due to the nature of the discipline. Afterall, how do you know you’re successful when the goal is that nothing happens to your systems?
Tunde highlighted the importance of metrics, such as Mean Time to Remediate (MTTR) and system availability in gauging the effectiveness of proactive security measures. Amad emphasized the need for security teams to be proactive in addressing vulnerabilities and gaining visibility to provide insights that enhance overall business operations.
Part V: Proactive Security is a Team Sport for Business Units
As organizations navigate the complex cybersecurity landscape of 2024 and beyond, proactive security measures will be imperative to stay ahead of emerging threats and safeguard critical assets. The discussion concluded with insights into building a compelling business case for proactive security initiatives. Tunde shared that when organizations think about funding initiatives to make you faster, we often think about the security outcome, but we don’t think about the business case. What does it do for the business? He argues that security must articulate what value they’re creating.
By prioritizing vulnerabilities, effectively communicating risk and measuring success through proactive metrics, organizations can enhance their overall security posture and mitigate potential risks more effectively. At the end of the day, embracing a proactive approach to security not only protects against potential threats but strengthens the overall resilience and competitiveness of your organization within the dynamic business environment.
“You can’t imagine how many people are very successful in always getting their business case because they know how to articulate it to trigger an emotional experience. What is the big red button you need to push that will always make that leader say yes? Once you find that in your business case, it doesn’t really matter what you’re doing—if you can tie that to a business outcome and something that will enable your business to be better, it positions you in the right light. ” ~ Tunde Oni-Daniel
Thanks for reading. Be sure to watch the full recording and access the go-to guide for even more insights.
For more information about Brinqa, visit www.brinqa.com/risk-operations-center/ or contact us to get a personalized demo of the Brinqa platform.
