One of the questions generally asked of a CISO is “How do you sleep at night?” The answer is “generally well with periods of sheer terror!” I can personally attest to this as a CISO in the higher education field.
Let me start with the idea that we generally spend considerable time making sure that we have put into place good policies and procedures, along with technical controls to repel most attacks. For example, we employ anti-malware/anti-phishing/anti-spam technology in our email environment that deflect more than 80% of the email targeted at our domain. We employ many “best practices” controls as well.
But beyond this, I always go back to a statement made by a commercial banking professor whom I admired very much. When discussing the financial crisis of 2008, Ward Hickey stated that “Banks failed to manage risk!” Of course, this should also be applied directly to the field of cyber security. It is all about assessing, controlling, mitigating and transferring risk.
While my job consists of the normal duties involving policy development, staffing, training and deploying controls in our environment, I would say that nearly half of my job involves managing risk. When new systems, ideas or upgrades are proposed for review, I always like to find a way to support the business model that’s in alignment with my institution. This requires assessing and controlling the associated risks. Many firms and institutions have ended up in the news, for the wrong reasons, because their cyber security teams failed to adequately manage risks.
For information of a sensitive or restricted nature, well-planned controls and monitoring must be employed to minimize the risk. We use a combination of advanced controls and monitoring technologies to protect our information. This also requires a highly capable technical staff of analysts and administrators to maintain, monitor and respond to the alerts this technology produces. You also have to be careful not to “chase the dream” solution by purchasing more technology than your staff can handle.
This brings us to the training requirements that must be provided. Your staff is only as good as the knowledge they are given in the pursuit of cyber security. Failure to provide adequate training will invalidate your program as effectively as not having a program at all! I will also point out that a good CISO works closely with IT Operations to ensure that they are properly informed and trained to mitigate threats within the environment. You can, and should, use assessment tools such as vulnerability scanners and penetration testing. However, if your IT staff is not prepared to respond to discovered risks, then your effectiveness will be severely diminished.
Finally, about that sleep… All you can do is your best. Mistakes will be made, and breaches will occur. It is how you respond to these situations that determines your resolve and your willingness to constantly evolve and improve. To quote Jack Kennedy: “We choose to do these things not because they are easy, but because they are hard!”