How can CISOs patch their knowledge gaps?
There were more security vulnerabilities disclosed in 2020 (18,103) than in any other year to date – at an average rate of 50 Common Vulnerabilities and Exposures (CVEs) per day. With threat actors constantly trying out new hacking techniques, as well as new network features and tools being regularly released (which introduce new vulnerabilities), it is hard for CISOs to keep up. In an attempt to mitigate these threats, global corporations continue to patch and upgrade systems, but what about patching the knowledge gaps of their staff?
Cyber security is an ‘evergreen’ discipline as organisations introduce new approaches, technologies and strategies to their operational challenges. The skill sets required by today’s cyber security leaders are also evolving, with CISOs and cyber security leaders required to hone and tone a multitude of different ‘muscle groups’, from Governance, Risk and Compliance to technical to influencing the Board. Those in charge of security are incredibly busy maintaining and refining the security standards within their corporation, and this pressure is not going to ease up: earlier this month the Biden Administration issued Binding Operational Directive (BOD) 22-01, ‘Reducing the Significant Risk of Known Exploited Vulnerabilities’, to drive urgent and prioritised remediation of vulnerabilities that are being actively exploited by threat actors. This means that security leaders will soon have remediate such vulnerabilities within specific timeframes. Being so short on time, they almost have no option but to neglect their own well-being and professional development. Fortunately, there are several actions security leaders can take to ensure their knowledge is up to date.
Identify your knowledge gaps
Work out where your knowledge gaps are and acknowledge where you can improve by defining your objectives and industry needs and determine whether you have the skills to meet them. It is also important to align your knowledge gaps with the organisation’s overall strategy. For example, if international expansion is in the pipeline, make sure that you are fully informed of the security implications of that and any additional learning that may need to take place.
Collaborate with colleagues
Have conversations with your peers – they may not have the technical expertise, but they will be able to tell you the pain points they experience with security, and how it can be improved. Where this is difficult in a hybrid environment, use online social collaboration tools to ask questions and share insights to cultivate knowledge sharing.
Keep on training
Make sure you regularly brush up on your technical knowledge through academic courses and completing industry certifications. Continuous cyber learning gives the chance for CISOs to both learn new skills and practice old ones, ensuring that knowledge remains up to date. Cybersecurity training has a proven high return on investment, so it is worth spending money on it.
Learn from your team
Hire a diverse talent pool who can provide different perspectives that you can learn from. Diversity is all about bringing people together that challenge each other, to encourage new ways of thinking and bring a more creative perspective to the workplace. Without this melting pot of different types of people, cultures and ideas all existing together, innovation will be stunted. With threat actors employing more inventive and complex attacks, we need cyber security teams to be coming up with new ways to keep their organisations safe and cyber criminals at bay. That’s why cyber security teams need to be doing all they can to cultivate original thinking and coming up with new approaches to cyber defence by bringing diverse individuals into their teams.
Join an industry trust group
There are no new ideas under the sun, and everything is adaptation. That’s why learning from the experiences of others and sharing wisdom within a peer-to-peer network is fast becoming an essential route for people to increase their understanding of cyber security approaches. A trust group with a confidentiality agreement also gives the added advantage of allowing participants to challenge their own thinking and take a step back from the day-to-day challenges whilst reflecting and refining their approach.
Furthermore, when considering the adoption of new defensive network technologies or approaches, it is prudent to leverage the experiences of others and learn from them to avoid the obstacles in delivery from those who have gone before you. A confidential discussion with trusted individuals can help to patch the gaps in your understanding of current best practices and shortcut the time required for research and vendor comparisons. Most CISOs value collaboration and are happy to share useful insights to help others avoid unfortunate mistakes.
Ensure you are adequately resourced with budget and staff
The ever-present pressures on time and delivery make it all too easy to sacrifice the investment in learning from others. Make your case to the Board to ask for additional team members, so that training is actually possible.
What marries all these tactics is that they essentially replicate how threat actors learn. While they operate in different groups, the individuals within these groups come from a whole host of backgrounds and all actively share intelligence to get ahead. If CISOs can mimic their approach they are more likely to have the necessary knowledge and skills to minimise the risk of a serious attack or data breach in the future.