The way of CISO

This blog aims to give CISOs the important information they need to implement cybersecurity principles and focus domains at their companies. It is designed to be useful both to a new executive with no CISO experience and to a seasoned CISO familiar with the nuances of the security world. At its core, the blog is a collection of resources illuminating the many facets of the cybersecurity challenge and the related issues and opportunities of information security and risk management. The next sections mainly focus on the CISO roadmap, risky areas, and their solutions.

If you are a world-class CISO, or want to become one, you need to recognize that business agility calls for adaptive enterprise architecture principles, which in turn require sound strategic security principles to enable secure progress and innovation. Thus, the CISO roadmap will focus on addressing evolving cyber threats and the changing digital landscape. This roadmap gives you insight into your responsibilities and our existing security challenges, and looks ahead to emerging information security threats, in order to formulate strategic security principles aligned with our business strategy.

Here are some key priorities:

“What are you going to do?”
“What do you need to do?”

The CISO Roadmap focuses on using business drivers to guide information security activities and treats security processes as part of the organization’s risk management processes.

The overall objective of this roadmap is to:

  • Establish direction toward your company’s information security in line with the business and applicable regulatory requirements.
  • Elevate the information security maturity across the company.
  • Ensure an effective information security management framework within the company, with clear roles and responsibilities, and formalize information security governance.
  • Prescribe mandatory controls to enforce information security management to protect and maintain the confidentiality, integrity, and availability of assets.
  • Provide a framework for technology-related security standards and their associated policies.
  • Enable and sustain a secure ecosystem for the business units, customers, and partners to operate and grow.
  • Ensure that information stored and processed on the company’s behalf by a Third Party (Vendors) is appropriately protected.
  • Ensure that the security objectives and business objectives of the company are achieved through efficient management of information security risk in the company.

A solid information security program is an essential component of running a business in the digital age, a time when the number of data breaches and security incidents is increasing exponentially. Without a security program, you leave your company, customers, and data at risk. Let’s explore the components of an information security program and walk through a step-by-step guide on how to implement one at your company.

1. Build an Information Security Organization

Before you begin this journey, the first step in information security is to decide who needs a seat at the table. One side of the table holds the executive team, made up of senior-level associates responsible for crafting the mission and goals of the security program, setting security policies, risk limitations, and more. On the other side of the table sits the group of individuals responsible for daily security operations. As a whole, this group designs and builds the framework of the security program.

2. Explore the Inventory and Investments

The security team’s first job is to understand which assets exist and where they are located, to ensure the assets are tracked, and to secure them properly. In other words, it’s time to conduct an inventory of everything that could contain sensitive data, from hardware and devices to applications (both internally and third-party developed) to databases, shared folders, and more. Then build a budget and plan the appropriate security investments.

3. Conduct a Security Risk Assessment

Risk does not exist uniformly throughout an organization. Every business has critical processes and assets essential to its operations. The goal of conducting a security risk assessment is to identify critical processes and assets and assess the contextual risk of each. This map of contextual risk is used in subsequent stages of the cyber security program development process to allocate resources and develop appropriate security policies and controls that ensure operational resilience.
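The inventory from step 2 and the contextual risk map from step 3 are easier to reason about when they are written down in a structured form. The following is an added example, not code from the original post: a small asset register in Python that scores each asset by likelihood times impact (a common simple scoring model, assumed here rather than prescribed by the post), ranks the assets, flags those above a chosen risk appetite, splits a budget in proportion to risk, and lists vendor-held sensitive assets. All asset names, owners and scores are constructed for illustration.

```python
"""Minimal asset inventory and contextual risk register (added example).

All assets, likelihood and impact values below are constructed for
illustration; they do not describe any real organization.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str            # e.g. "database", "application", "share"
    owner: str           # business owner accountable for the asset
    holds_sensitive: bool
    third_party: bool    # operated or developed by a vendor
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (critical) to the business


# Constructed sample inventory (hypothetical names and values).
INVENTORY = [
    Asset("customer-db", "database", "CRM lead", True, False, 3, 5),
    Asset("hr-payroll-saas", "application", "HR lead", True, True, 3, 4),
    Asset("marketing-site", "application", "Marketing", False, True, 4, 2),
    Asset("finance-share", "share", "CFO", True, False, 2, 4),
    Asset("dev-wiki", "application", "Engineering", False, False, 2, 1),
]


def risk_score(asset: Asset) -> int:
    """Contextual risk = likelihood x impact, on a 1..25 scale (assumed model)."""
    if not (1 <= asset.likelihood <= 5 and 1 <= asset.impact <= 5):
        raise ValueError(f"{asset.name}: likelihood and impact must be 1..5")
    return asset.likelihood * asset.impact


def risk_register(assets):
    """Rank assets by contextual risk, highest first; ties broken by name."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))


def above_appetite(assets, appetite: int):
    """Assets whose score exceeds the risk appetite need treatment first."""
    return [a for a in assets if risk_score(a) > appetite]


def allocate_budget(assets, total: float) -> dict:
    """Split a budget in proportion to each asset's risk score."""
    total_score = sum(risk_score(a) for a in assets)
    return {a.name: round(total * risk_score(a) / total_score, 2) for a in assets}


def vendor_assets(assets):
    """Sensitive assets held by third parties: candidates for vendor review."""
    return [a for a in assets if a.third_party and a.holds_sensitive]


if __name__ == "__main__":
    for a in risk_register(INVENTORY):
        print(f"{risk_score(a):>3}  {a.name:<18} owner={a.owner}")
    print("treat first:", [a.name for a in above_appetite(INVENTORY, 12)])
    print("budget:", allocate_budget(INVENTORY, 100_000))
    print("vendor-held sensitive data:", [a.name for a in vendor_assets(INVENTORY)])
```

The scoring scale and the proportional budget split are deliberately simple; a real program would replace them with the scales from the chosen framework and with control costs, but the structure (inventory, score, rank, decide against an appetite) is the same.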

4. Select a Framework and Develop a Security Strategy

A cyber security program is a continuous and iterative process. A cyber security strategy is a formalized plan or roadmap that establishes a baseline for a company’s security program and plans activities over the next 2-3 years.

After an organization has conducted a risk assessment, it can select the most appropriate cyber security framework to mitigate cyber risk in concordance with the findings of the risk assessment. The cyber security framework will serve as an advisory for best practices during the design and implementation of policies and controls.

Common cyber security standards are:

  • ISO-27001 / ISO-27002
  • NIST Cybersecurity Framework (CSF)
  • Information Security Forum (ISF) (that is my best choice)

5. Create Security Policies and Controls

Policies and controls help to define the standard operating procedures that will ultimately ensure IT security best practices of the selected cyber security framework are applied and remain active. The most fundamental way to describe the key function of IT security policies and controls is to protect the:

  • Confidentiality – Data cannot be accessed by unauthorized individuals or systems.
  • Integrity – Data cannot be modified by unauthorized individuals or systems.
  • Availability – Systems and data, including data at rest, can be accessed by authorized users when they are needed.

Protecting these critical elements should include administrative, technical, and physical policies and controls, which are designed to detect, prevent, and recover from all incidents that could otherwise negatively impact the organization’s IT infrastructure and business operations.

The next paragraphs identify and explain the security challenges and issues that companies experience. Some of these issues will be solved by current trends and movements, while other issues, due to current business developments and innovation, are likely to require additional attention and effort to minimize their impact.

Cyber risk is expected to escalate due to several factors:
  1. Increased Attack Surface: With the growth of connected devices, remote work, and cloud adoption, the attack surface for organizations has expanded significantly. This makes it easier for attackers to find vulnerabilities and exploit them.
  2. Sophistication of Threat Actors: Threat actors are becoming more sophisticated and mature. Europol is reporting an emerging trend of criminal organizations working together with criminally-minded technology professionals to commit cybercrimes. Cybercrime services are now mainstream; for example, ransomware can be bought on the dark web, including full service-desk-like support, and spearphishing against a specific target (e.g. our CEO, or a local country COO) can be requested. Cybercriminals are also leveraging advanced tools, including AI and machine learning, to launch more sophisticated and targeted attacks.
  3. Regulatory Pressure: Balance the call from regulators, suppliers, and public demand for greater transparency about incidents while adhering to existing (data privacy) laws.
  4. Third-Party (Vendor) Risks: The interconnected nature of modern business means that vulnerabilities in a third-party vendor can have severe implications for an entire organization. Ensuring that supply chain partners adhere to robust cybersecurity practices is a growing concern.

On the other hand, there are some key risky areas, challenges, and restrictions (specific to Türkiye).

The lists below pre-identify and explain the security challenges and key risks the company experiences. Some of these issues will be solved by current trends and movements, while others, due to current business developments and innovation, are likely to require additional attention and effort to minimize their impact.

  • Key Risky Areas
    • Improve Information Security Management
    • Improve Information Risk Management
    • Improve 3rd party (Vendor) Management
    • Improve Security Architecture
  • Key Challenges
    • Administrative Organization
    • Information Security Governance
    • Capabilities in both 1st and 2nd line
    • Clear prioritization of security initiatives
    • Awareness and ownership
  • Restrictions
    • Turkey’s geopolitical location close to war zones, together with sanctions affecting global markets and cross-border financial transactions, makes conditions liable to change,
    • The financial situation the country is involved in (sudden changes in inflation, high rates of exchange),
    • Legislations issued by regulative bodies such as EPDK, KVKK, and CMB.

As a result, you are working on People, Processes, and Technology. The personnel of your company are one of the most effective measures of cyber security: vigilant employees keep hackers and attackers outside the organization. Processes are needed to maintain continuous control and assurance, and the objective is to automate most of them. Highly automated processes anticipate our need for continuous integration and continuous delivery of secure services.

Don’t forget: predicting the future with complete accuracy is nearly impossible. However, there is value in forming the basis for a proactive approach to information security from the relevant trends that have been identified.

Good luck with your business, and I wish you the best for your roadmap.
