The current wave of ransomware shows that the cyber security of the average organisation still leaves a lot to improve. In order to be able to cope with this kind of threat a certain level of maturity is required.
HSD organises various CISO Intervision meetings, meetings where a small group of CISOs come together to discuss, learn and share. This week saw two groups meet, led by cyber security specialist Peter Zinn, on the theme of Maturity of the organisation.
The CISO (Chief Information Security Officer) is the executive responsible for the organisation’s information and data security - a role that is growing in importance and in scope. Not every company has one, but every company should. The role of CISO is often a ‘lonely’ one within an organisation - unless there is a CISO office there is not much opportunity to find sparring partners.
Maturity is quite a broad subject - all aspects of cyber security are related to it. This leads to a broad discussion in the session on Tuesday, with topics like risk-based security, zero trust, business vs ICT, measurements, and how to translate standards to organisation-specific recommendations to the board.
The meeting on April 15 zoomed in on exercises as a way to test the level of maturity and find unresolved issues within the organisations. The group spoke about scenarios, how to embed the exercises in the organisations, who to inform, testing on a live environment, costs and benefits and what to do with the results.
The examples and opinions of the participants of the CISO meetings stay in the room. We can only share some of the general findings here which may seem obvious but do reflect the changing position of security within the current organisation.
- Never stop. Cyber security should be cyclic. Both business and the environment continually change, and knowledge erodes. Exercises should be done on a repeating basis, just like any other part of cyber security.
- The business is leading. Tech is just one of the tools. Security should follow the business, the risk appetite, business goals and threat environment of the organisation.
- Communication is the main tool of the CISO. He or she should be able to translate the risks into terms the board can work with.
- The gap between digital and physical security keeps shrinking.
- Start with an inventory, then create a road map, then start implementing; not the other way around.
- However, there will always be urgent situations interfering with your organised approach.
- Don’t forget the chain partners in improving your security
Both groups will meet again in the fall. In June, CISO group 5 will meet on a different topic.
These groups are invite-only. If you want more information and might want to join one of these groups, please send an enquiry to Hetty de Ruijt.