Elad Yoran, a cybersecurity expert who has held various roles in the industry, including having sat on the FBI Information Technology Council, discussed best practices for cybersecurity leadership and securing your organization against cyberattacks with Raines International's Senior Vice President and Head of Agribusiness Melissa Oszustowicz and Managing Director and Head of the Security Officers practice Patrick Gray at the Raines Cybersecurity Leadership webinar. With businesses operating in a rapidly shifting cyber landscape, many organizations have a lot of catching up to do in order to protect information assets against cyberattacks. According to Yoran, that's where a Chief Information Security Officer (CISO) can help.
Essential traits for enterprise security leadership
Many organizations no longer see cybersecurity as purely a risk mitigator and cost center, but as an enabling tool that allows the enterprise to grow. With this mindset, businesses need security executives who can advocate for cybersecurity investments and conduct due diligence for the organization and any external security tools it utilizes. Yoran noted the importance of having a security voice on the board: nowadays, security leaders cannot do their jobs effectively without the interpersonal skills necessary for financial negotiations in the boardroom. Someone with the interpersonal and managerial skills of a C-suite executive manages up, down and laterally, and must be able to communicate clearly and advocate for organizational cybersecurity in many settings.
CISOs also need to be able to conduct cyber due diligence on new technologies and solutions that the company needs or acquires. Someone who is able to ask the right questions can set the company up for cybersecurity success: Is management taking unnecessary shortcuts? Has the company been compromised? A security leader should be able to introduce and explain these ideas to other enterprise leaders in order to effectively advocate for cybersecurity.
Improving cybersecurity strategy
Every organization, large and small, should integrate cybersecurity. As regulatory frameworks increase in the U.S., businesses should view these as a floor, rather than a set of best practices, according to Yoran.
If an organization doesn't have the resources for a CISO and currently uses a junior employee to run security, that employee needs to have the ability to participate in negotiations with senior executives. Using an outside security partner can also be a good solution: once an organization has conducted due diligence on potential partners and all external resources, it can determine that its security partners are qualified to do the job. Consultants and Management as a Service providers are resources that smaller companies can use to bolster their security strategies. Continuous monitoring through an insourced or outsourced operations center model is paramount to maintaining a secure environment for a business.