Here’s what it takes to be an aspiring chief information security officer

In today’s world, what is your opinion on the role of cybersecurity and what it should entail?
Cybersecurity practices play a crucial role in an organisation in protecting the various kinds of data elements possessed by the organisation and ensuring its confidentiality, integrity and availability. Also, cybersecurity plays a vital role in strengthening the overall business resilience capabilities of the organisation.

What does it take to be a chief information security officer? What are the necessary skills required?
A chief information security officer (CISO) aspiring to be successful should be a cross functional leader with good collaboration and problem solving skills. In addition to these, they should also have the following skills to be known as an expert CISO:

• Strategy planning
• Project and programme management
• Change management
• IT and network infrastructure management
• Application security and risk management
• IT and Information security GRC (Governance, Risk and Compliance)
• Intellectual property management
• Supply chain security and risk management
• Secured development models such as DevSecOps, SDL and OWASP
• Technology and innovation management
• Vendor management

We have seen a plethora of attacks all across the world, and they’re just getting worse. What are the top threats to organisations you see right now?
I foresee the following as very critical and emerging cyberthreats to any organisation:

• Supply chain security risks
• Digital extortion (ransomware attacks)
• Hardware hacking and side channel attacks
• Cyberattacks targeting industrial IT systems such as SCADA
• Digital security risks which are triggered by digital transformation initiatives

What advice would you give companies in the event of a breach?
Firstly, organisations should initiate the execution of the ‘Incident Management Plan and Procedure’ and make sure it is established in place. Then they should start implementing the appropriate playbooks established in place based on the nature of the breach. In parallel, they should inform their key internal and external stakeholders and regulators as required. They should further inform their incident response partners to come on board to initiate the digital forensics investigation and the recovery activities as per the IT DR procedure established. Lessons learned must be documented and retained once the investigation and recovery phases are done.

What areas would you advise organisations to focus on when developing a new security programme or rebuilding an existing one?
CISOs should focus on the following areas of practice in their organisations:

• The risks to which ICT and services supply chain of their organisations are exposed to and the controls required
• Potential cyber risks that can be triggered through the introduction of remote computing (work from home model) and new technology platforms such as fintech, blockchain, cloud computing, mobility and others used in the digital transformation initiatives of the organisations
• DevSecOps, container security and other new age security practices as well as the feasibility of implementing them
• New security architecture models such as zero trust architecture and the feasibility of implementing the same
• Improving the incident response capability of the organisation by implementing solutions such as EDR/MDR, SOAR and security analytics
• Periodic benchmarking of the existing cybersecurity practices against peers in the industry as well as against best practices from the industry
• Continuous security awareness to staff, partners, service providers and suppliers

Looking ahead, what are your top priorities for the year 2022?

• Strengthening the existing security architecture of the organisation with the potential inclusion of zero trust kind of new security architecture models
• Identifying and preventing the potential security risks of digital transformation initiatives adopted by the organisation
• Identifying and addressing the potential cyber risks targeting ICT and services supply chain of the organisation
• Improving the competencies of team members handling security related responsibilities
• Improving the security awareness of general staff
• Improving the overall cybersecurity posture and cyber resilience capabilities of the organisation

Read: What every CISO needs to do in their first 100 days: Gartner