A risk-based approach is critical to developing a resilient cybersecurity posture

By prioritising resources based on risk, an organisation can focus on the areas that matter most, while also minimising the impact of potential security incidents on its critical assets, says Alejandro Guinea.

Samir Aliyev, CEO and Founder of the Swiss Cyber Institute has been talking with Alejandro Guinea, Global Architecture and Offensive Security Manager, Corporacion Multi Inversiones – CMI. In this interview, Samir has been discussing how Alejandro views problems in the field of cybersecurity, such as key steps an organisation should take to ensure that it is well prepared to effectively respond to and recover from a potential cyber-attack, and how it should prioritise and allocate resources towards achieving and maintaining an effective state of cyber resilience.

Many CISOs see their role as a blend of both technology and business. How do you see the CISO’s role evolving so that they can keep up with or stay ahead of the threat landscape?

The role of a CISO is evolving to become more strategic and business-focused, rather than solely focused on technology. In today’s rapidly changing threat landscape, it’s not enough to just have strong technical skills and expertise in cybersecurity. A successful CISO must also have a deep understanding of the organisation’s business objectives, risks, and operations in order to develop and implement effective cybersecurity strategies.

To stay ahead of the evolving threat landscape, CISOs must focus on building a strong security culture across the organisation, and establishing a comprehensive risk management framework that includes not only technical risks but also business risks. This includes working closely with other executives and departments to ensure that cybersecurity is integrated into all aspects of the business, including business processes, risk management, and compliance.

Another important aspect of the CISO’s role is to stay up to date with the latest threats and trends in the cybersecurity landscape. This requires ongoing education and training, as well as staying connected with industry peers, attending conferences, and collaborating with external security partners.

Overall, I see the CISO’s role evolving to become more strategic, business-focused, and collaborative to effectively manage the risks and challenges of the ever-evolving threat landscape.

Common ways to assess the value of a senior executive to an organization’s business is to look at any identified impact they have had on the top and bottom line. How should an organisation measure the value of a CISO?

Measuring the value of a CISO can be a complex process that requires consideration of a range of factors beyond just financial metrics. Probably the most important measure a CISO should be looking to accomplish is business enablement. A CISO can play a critical role in enabling business operations by providing security guidance and support that allows the organisation to operate securely and efficiently and achieve its goals. Measuring the CISO’s contributions to enabling business operations can be an effective way to demonstrate their value to the organisation and that can be done by measuring the reduction of the risk for any new business initiatives. I like the analogy of F1 cars… The car is the business and the business wants to go as fast as possible, and cybersecurity is the brakes of the car. The car can go really fast because you know you have brakes to stop it whenever necessary.

Also, some common ways an organisation can measure the value of a CISO include:

1. Reduction in security incidents: A CISO’s primary responsibility is to ensure the security of an organisation’s information assets. Measuring the reduction in security incidents such as data breaches or cyber-attacks can be an effective way to demonstrate the value of a CISO.
2. Compliance: Compliance with industry standards and regulations such as GDPR, HIPAA, and PCI DSS can be an important aspect of an organisation’s risk management framework. Measuring compliance levels and any improvements made under the guidance of the CISO can be a valuable way to assess their contributions to the organization.
3. Implementation of security initiatives: A CISO may be responsible for developing and implementing security initiatives such as security awareness training, threat intelligence programmes, and vulnerability management. Measuring the success of these initiatives and their impact on reducing the organisation’s risk can be a valuable way to demonstrate the value of the CISO.
4. Board engagement: A CISO who can effectively engage with the board and executive management team can help to build support for security initiatives and ensure that the organisation’s security posture is aligned with business goals. Measuring the CISO’s success in engaging with the board and executive management team can be a valuable way to assess their value to the organisation.

Overall, measuring the value of a CISO requires consideration of a range of factors beyond just financial metrics, and should focus on the CISO’s ability to reduce risk and enable business operations while aligning security initiatives with business goals.

What are the key steps an organisation should take to ensure that it is well prepared to effectively respond to and recover from a potential cyber-attack, and how should one prioritise and allocate resources towards achieving and maintaining an effective state of cyber resilience?

There are several key steps that an organisation can take to ensure that it is well prepared to respond to that can recover from a potential cyber-attack. These include:

1. Establish a comprehensive cyber resilience plan: This plan should include clear procedures for incident response, crisis management, business continuity, and disaster recovery. It should also identify key stakeholders and their roles and responsibilities during an incident.
2. Conduct regular risk assessments: Regular risk assessments can help identify potential vulnerabilities in an organisation’s systems and processes. This information can then be used to prioritise and allocate resources towards addressing the most critical risks.
3. Implement appropriate security measures. Organisations should implement appropriate security measures, including firewalls, intrusion detection and prevention systems, and security monitoring tools, to detect and prevent cyber threats.
4. Train employees on cybersecurity best practices: Employees are often the weakest link in an organisation’s security, so it’s important to educate them on cybersecurity best practices and how to identify and respond to potential threats.
5. Conduct regular testing and simulations: Regular testing and simulations of the organisation’s cyber resilience plan can help identify weaknesses and improve overall readiness for a cyber-attack.

Prioritising and allocating resources towards achieving and maintaining an effective state of cyber resilience requires a thorough understanding of the organisation’s risks and priorities. This requires a risk-based approach, where the most critical risks are identified and addressed first. Resource allocation should be based on the potential impact of a cyber-attack on the organisation’s critical assets and operations.

It’s also important to keep in mind that cyber threats are constantly evolving, so organisations should regularly reassess their risks and adjust their cyber resilience plan and resource allocation accordingly. By taking a proactive and risk-based approach, organisations can better protect themselves against cyber-attacks and minimise the impact of any incidents that do occur.

In your opinion, what is the most overrated trend and/or technology in cybersecurity and why?

As a professional with extensive experience in the cybersecurity field, I believe that one of the most overrated trends in cybersecurity is the excessive reliance on traditional signature-based antivirus solutions as the sole defence against cyber threats.

While antivirus software has been a foundational component of many organisations’ security strategies for years, it has become less effective in detecting and stopping advanced threats that utilise more sophisticated attack methods. Signature-based antivirus solutions rely on known patterns of malicious code to detect and block threats, but these patterns can be easily modified or disguised by attackers, rendering the antivirus solution ineffective.

Furthermore, as cyber threats continue to evolve, organisations must also keep pace with more advanced security solutions, such as machine learning-based security analytics and threat intelligence solutions, to supplement their security posture. Organisations should adopt a multi-layered security approach that includes a combination of signature-based antivirus solutions, advanced threat detection technologies, and security awareness training for employees.

In summary, while signature-based antivirus solutions are still a critical component of a comprehensive cybersecurity strategy, relying on them as the sole defence mechanism against modern cyber threats is overrated and insufficient in today’s threat landscape.

On the obverse, what do you consider to be the most underrated trend and/or technology in cybersecurity and why?

As a cybersecurity professional, I believe that one of the most underrated trends in cybersecurity is the use of a risk-based approach to cybersecurity. This approach involves prioritising resources and investments based on the level of risk posed to an organisation’s critical assets, rather than applying a one-size-fits-all approach to security.

In practice, this means that an organisation should conduct a thorough risk assessment to identify its critical assets and the potential threats and vulnerabilities that could impact them. Based on the findings of this assessment, an organisation can develop a tailored security strategy that prioritises resources and investments to address the most significant risks.

The risk-based approach is often underrated because it requires a significant investment in time and resources to conduct a thorough risk assessment and to develop a customised security strategy. Additionally, many organisations may be reluctant to invest in security measures that may not have a direct impact on their bottom line.

However, I believe that the risk-based approach is critical to developing a resilient cybersecurity posture. By prioritising resources based on risk, an organisation can focus on the areas that matter most, while also minimising the impact of potential security incidents on its critical assets.

The nature of recent cyberthreats has tended to focus on business disruption and reputational damage. Is this what you have experienced and if so, how does this impact your organisation?

Yes, business disruption and reputational damage have become increasingly common consequences of cyber threats in recent years. As a cybersecurity professional, I have seen first-hand how these types of incidents can impact an organisation.

Business disruption can range from minor inconveniences to severe disruptions that can impact an organisation’s ability to function. For example, a ransomware attack that encrypts critical files can bring operations to a standstill until the organisation can restore its systems. This can result in lost revenue, damage to customer relationships, and increased recovery costs.

Reputational damage can be even more severe, as it can impact an organisation’s long-term viability. For example, a data breach that results in the loss of sensitive customer information can erode trust and damage the organisation’s brand. This can lead to lost customers, decreased revenue, and increased regulatory scrutiny.

It is essential for organisations to have a proactive approach to cybersecurity, rather than simply reacting to incidents as they occur. This means regularly reviewing and updating security policies and procedures, conducting risk assessments, and staying up to date on emerging threats and vulnerabilities.

Overall, the impact of cyber threats on an organisation can be significant, and it is essential for cybersecurity professionals to take a holistic approach to risk management to mitigate these risks effectively.

According to several surveys, cybersecurity professionals would rather work from home (WFH). Do you feel WFH is a blessing or a curse for CISOs?

The COVID-19 pandemic has accelerated the adoption of remote work in many industries, including cybersecurity. WFH can be a blessing for CISOs because it can increase the flexibility and productivity of their teams. It can also enable CISOs to hire talent from anywhere in the world, not just from the cities where their offices are located. This can help address the talent shortage and diversity challenges in the field.

On the other hand, WFH can also present some challenges for CISOs. One of the main challenges is ensuring the security of remote devices and networks. CISOs must make sure that their teams have the necessary tools and technologies to securely work from home, such as virtual private networks (VPNs), secure video conferencing platforms, and two-factor authentication (2FA) solutions. They also need to provide training and guidance to their teams on how to identify and avoid common cyber threats, such as phishing and social engineering attacks.

Another challenge is maintaining team morale and engagement. Remote work can be isolating and can lead to feelings of disconnection and disengagement from the organisation’s mission and culture.

What do you look forward to most at this year’s Global Cyber Conference?

As a professional with a lot of experience in the cybersecurity field, I would say that I am looking forward to the opportunity to learn from my peers and industry experts, as well as to share my own knowledge and insights with others. The Global Cyber Conference is a great platform for networking, discovering new trends and technologies, and gaining insights into best practices for addressing cyber threats. I am particularly interested in attending sessions related to emerging threats and new technologies, as well as discussions on risk management and cybersecurity governance. Overall, I believe that the conference will provide a valuable opportunity to stay informed about the latest developments in the field and to connect with other cybersecurity professionals from around the world.