Cybersecurity is no longer only the domain of I.T. and security teams. From the loading dock to the C-suite, everyone must be security minded.
Within your organization, a well-trained staff can be your best line of cyber defense. But people can also be your worst enemies. You can buy top-of-the-line security technology and implement best practices, but if your people won't follow good security practices and policies or use that technology properly, your organization remains at risk. You must also get buy-in from your board of directors to create a culture of security.
What's the most important skill set for being a CISO? Current knowledge of the latest threats? Deep understanding of cybersecurity technology to mitigate security risks? Familiarity with the latest tools, tactics, procedures, and activities of well-funded hacking collectives?
Tech knowledge is not the most important characteristic of a CISO today.
Increasingly, CISOs are being elevated to the C-suite and becoming trusted business advisors. This requires soft skills, with the ability to communicate in terms that everyone understands. The CISO must be a business enabler and a strategic advisor who explains risk in business terms. Chapter 1 discusses the evolution of this critical role so you can focus your efforts on becoming a strong security leader.
Corporate boards are becoming more focused on cybersecurity than they have been in the past. Board members are beginning to understand that a security threat is not just a problem for the security team but a risk to the entire business.
Inadequate cybersecurity can expose employee and client data and put your organization at risk of failing to comply with privacy regulations. Weak security can also expose proprietary business information. In factories, weak cybersecurity can lead to injuries and even deaths. Poor cybersecurity can lead to lost revenue, lost reputation, lawsuits, and fines. When a breach happens in an organization, the fallout impacts revenue, operations, shareholders, and the entire business.
Increasingly, CISOs are requested to brief board members and answer questions regarding cybersecurity. If CISOs are fortunate, cybersecurity even helps drive board-level business decisions.
When speaking to the board, CISOs must learn to transition from tech talk to business strategy and risk and from troubleshooting tactical problems to looking at the big picture. Your team has to give board members the information they need to make decisions about cybersecurity and drive company direction, framed in a business context. So what should you know about speaking to the board? Chapter 2 covers this important topic.
Security is not a separate aspect of your business. As we'll see, security must be thought of and included in every process. Humans can often be the weakest link in cyber defenses. They usually want to do the right thing, but they need to fully understand their responsibilities with regard to cybersecurity.
A comprehensive all-in approach to security is needed across the business to drive security into your organizational DNA. It starts with the board but should also incorporate key ambassadors across business units to create a culture of security. These ambassadors bring specificity to the culture as it applies to each business area, offering examples for following good practices and policies.
Although security is a serious issue, security training doesn't have to be. Look to utilize initiatives that are fun and interactive to engage the workforce: think gamification. Rather than an annual approach to security training, awareness should be continuous throughout the year.
As more people work remotely, the need is growing for cybersecurity training that addresses multiple work environments. Employees need security awareness training that addresses the potential issues arising both in traditional office environments and in home offices.
Building a strong security culture has a lasting impact on your organization. But your security culture must not stop with your internal processes; it should permeate your dealings with customers and business partners. It should be built into the products, services, and solutions that you provide to others.
How can you promote a culture where cybersecurity becomes everyone's responsibility? Chapter 3 offers strategies for building a culture of security, a culture that will be strengthened by processes in Part II and technology in Part III.
Today's threats have greatly evolved, and the nature of the adversary has evolved as well. Lone hackers, hackers for hire, and small collectives still exist, their numbers growing as online materials enable almost anyone to become a hacker. Exploits are bought and sold as a commodity on the dark web and are readily available to any of these adversaries. Today, however, these attackers are joined by well-funded adversaries from organized crime rings around the world as well as government-supported hacking groups from particular nation-states.
Your security posture must be strong enough to prevent a wide variety of outsiders from gaining access to your private and proprietary data, your processes, and your machines.
Unfortunately, not all of your malicious adversaries are outside your enterprise. Sadly, some threat actors have inside access to your systems, including disgruntled or unethical current and former employees misusing access and data for personal gain or simply to cause trouble. Other potential insider threats include suppliers, partners, board members, and anyone else who has access to your systems and data.
There are other internal threats. We call them accidental insiders. You might call them humans. Accidental insiders expose the organization unintentionally because they are untrained, overworked, or unmotivated. These folks become threats when they respond to phishing attempts, use weak or default passwords, share passwords, leave devices unpatched or unlocked, and work over unsecured Wi-Fi networks.
Your organization is up against well-funded adversaries as well as people who might just press the wrong key. You'll learn about the many players behind today's evolving threats in Chapter 4.
The gap between the number of cybersecurity workers we have and the number we need is widening. As of 2021, more than 3 million cybersecurity workers are needed globally, according to the (ISC)² Cybersecurity Workforce Study.¹ More than 65% of all organizations struggle to recruit, hire, and retain cybersecurity talent, according to a Fortinet report, "CISO Ascends from Technologist to Strategic Business Enabler," which explores the skills gap.²
Addressing this gap requires a multi-pronged approach. Security knowledge needs to be more widely disseminated across the organization. Security and IT should be integrated, with cross-training between IT and security personnel. IT should also not be the only recruitment area for the security team: look across business units to identify potential candidates who bring experience of all types, from risk to finance to customer care, to build out the security workforce.
To close the skills gap, we need to create a culture where people want to engage in the security business. To make the field more attractive, from frontline security workers to leaders, we need to increase the visibility and influence of the CISO. The CISO needs to be considered an integral part of the C-suite and central to business success, not a cyber janitor who cleans up problems or takes the fall when a breach happens.
Although technical skills remain important, soft skills such as leadership, communications, planning, risk management, and strategy are just as vital. Such skills are especially critical for those in the CISO role who are leading security teams and communicating with the board.
We also need to make the field more diverse by recruiting more women as well as people of all backgrounds, including race, ethnicity, orientation, and disability status. Further, we need to expand hiring efforts to recruit veterans, whose backgrounds position them as valued and committed employees.
Women are finally making some inroads in cybersecurity. In 2013, women held 11% of cybersecurity jobs; now women make up 24% of the cybersecurity workforce. While this improvement is positive news, more progress needs to be made, particularly since women make up half of the entire workforce.
Closing the diversity gap is not just a feel-good measure. Closing the diversity gap drives business success and change. To lower cyber risk, we need to lower the level of group think. Teams with diverse backgrounds and experiences can uncover new, creative solutions to problems. Women bring unique traits to leadership, problem-solving, and security. For example, female CISOs scored higher than their male counterparts in critical soft skills, including 46% higher in leadership and 150% higher in analytical skills.³ These are important traits as we work to ensure that people and processes make effective, safe use of technology.
Finally, we need to generate excitement within the security field by creating programs that effectively promote the security field including mentoring, internships,...