7 Common Mistakes CISO Are Making

The CISO job has risen from the bowels of the IT department to a seat at the C-suite table. But time in the spotlight comes with great risk and responsibilities. Not all CISO are as competent as they claim or like to think of themselves.

We know from experience our peers are making a host of cyber security mistakes – here are the top 7 mistakes we have noticed CISOs making ...

Skipping the basics – It’s the simple things that will get you. If you don’t have basics in place such as governance, training and awareness, patching, anti-virus management, etc, spending six figure sums on shiny new Security Information and Event Management (SIEM) solutions before getting the basic right will not help you.

Taking the tools-before-jewels approach - Some CISO often covet using the latest tools - sometimes for its own sake - and are naturally attracted to shiny new tech. As a result, they can end up managing several fragmented tools, feel secure in their own mind, but the organisation still wide open to criminals.

Doing cyber security training just the once a year – Security training and awareness is an ongoing exercise. Delivering one training session to all staff once a year simply will not allow key messages to permeate their day to day working attitude and behaviours. With the daily noise of internal communications to staff, CISOs need to cut through and get there messages heard.

Concentrating too much on the Defend & Prevent rather than Hunt & Detect - Attackers will inevitably make it through your border defences. And once they're inside, they will look to acquire privileges that will camouflage them as trusted users. They may evade you for a long time, unless you have the capability to spot them. Prevention is better than cure, but cures are needed to.

Dismissing leadership – In instances where businesses have reached a high level of maturity, security it is ingrained in the culture, from boardroom to basement. Gaining leadership team support may be uncomfortable, but in today's climate it is essential to protect the business. CISOs should not be hiding away in the back IT office, they should be known and visible to the leadership team.

Thinking you can do it all on your own – Some CISO are completely averse to using suppliers - the mindset is outsourcing is bad. Whether you're a small business that lacks any security skills at all, or a larger company that needs help enhancing certain areas like penetration testing, security monitoring or incident response, doing all yourself just isn’t going to work.

Letting security suppliers scare you - The threat is present and a breach will cost you serious money from the second you discover it. That doesn’t mean you should let suppliers lead you to their cyber security solution. Separate the problem from the solution and get what is right for your business.