Well, it’s, you know, one of those things. It’s an interesting trend that I’ve been seeing: if you think about four or five years ago, a lot of CSOs were not responsible for cloud security, for instance, or they may not have had responsibility over identity.
That could have been the CIO’s organization. So more and more CISOs are having to accept more risk. And, not to oversimplify it, but a CISO’s job is to accept risk and reduce risk.
So we’ve seen this explosion in asset classes that CISOs are now responsible for, OT being a great example, where it was the manufacturing plant manager who was responsible for the OT security environment, and not the CISO.
So now the CISOs have all this responsibility. I think the first thing, and not to oversimplify it, is having a dashboard that has all of your inventory. Far too often,
I think organizations say, “I’m only going to focus on the critical assets for my organization.”
But that’s again a miss, because if you look at the ransomware example that we used, far too often organizations didn’t know that they had a Citrix server externally facing, misconfigured, with known vulnerabilities on it, and the attackers
breached that and moved laterally within the organization. So have that inventory, and analyze that inventory to understand what misconfigurations and what risks there are.
I like to call them toxic combinations: this asset plus this cohort of users that have access, that’s bad, that’s something you need to go and focus on. I also think about building a baseline of how you want to go through and communicate with the other teams.
It’s one thing for the security team; they probably have a very good technical understanding. But how are you going to communicate with the operations team? How are you going to drive that efficiency?
Because unfortunately, the operations team is about uptime and availability, and patching goes against that; they’re going to have to take downtime. And then ultimately, how do you drive and explain this to the organization? How do you report on this?
How do you show how effective it is by having a business conversation? A trend that I’m seeing is that more and more CISOs are reporting directly to the board.
They’re reporting to the CEO in some cases, and we’re seeing CISOs actually join boards now, because cybersecurity is no longer an insurance policy; it’s a critical business process. So I think, for the CISOs out there, those are kind of the baseline fundamentals.
The other side of the coin of incident response is exposure management. It’s how do you do proactive security? How do you understand what your risk is? How do you mitigate that risk? And I think that’s the give and take.

Estelle Quek: Yeah.