
Chief Information Security Officers (CISOs) are hired to solve cybersecurity issues and keep companies safe and out of harm’s way. This is a critical position within the company leadership team. Success is not optional. Failure is detrimental.
Here are the typical steps a CISO would take when starting at a company:
1
2
3
4
5
These steps also apply to established CISOs with an existing budget and staff. Here are the three blind spots that all CISOs need to recognize and fix right away.
First, end-user training is not a check box.
Many CISOs will use KnowBe4 as an end-user training platform. Anti-phishing is one of the most important topics. Other training topics may be password protection, file sharing, user behavior, and cybersecurity DR/BCP process.
The training usually starts with great fanfare and excitement. Over time, the cybersecurity team turns the training responsibilities over to the corporate training department or converts the sessions into online classes. With this handoff comes a detachment of interest: cybersecurity training ends up on the same level as any other Human Resources training.
The blind spot is the perceived lack of urgency from the cybersecurity team. Employees come and go. New employees may not recognize the seriousness of the cybersecurity training, or may not pay attention to it, since it is one of many training classes on their plate. This increases the opportunities for employee-caused cyberattacks.
Secondly, the IT Operations team should not own the cybersecurity tool implementation.
Due to the lack of cybersecurity engineering resources, many CISOs have to ask the IT Ops network or system engineers to deploy various cybersecurity tools. This is doable and is mostly done successfully by good engineers. The blind spot is ownership of the tools: who upgrades them, who monitors them, and who gathers their data. There has to be a clear partition of responsibilities. The IT Ops team cannot manage both the network and the cybersecurity tools watching that network. This is a conflict of interest.
Thirdly, a table-top exercise is a useless exercise.
CISOs will spend a great amount of time and effort to build the cybersecurity plan, the Disaster Recovery Plan, and other system-recovery plans. Every so often, the team will get together to conduct a table-top exercise to ensure everything is in good shape.
The problem is that these table-top exercises are often very high-level, incomplete, and do not realistically allow the team to experience a real crisis. It is impossible to experience a cybersecurity breach that has just brought down your entire network and created an enterprise-wide outage while sitting comfortably in a conference room with no real pressure.
Here are some recommendations to overcome these blind spots:
1
2
3
4
5
6
7
8
Dragon9 Partners is your technology enabler. We are helping companies evaluate and resolve these blind spots.
We are here to work with you throughout the entire loan cycle. We can provide strategic alignment, project execution, cybersecurity implementation, infrastructure setup/maintenance/support, and enterprise application development and maintenance. Call us. We are ready to help.
Michael H. Wilson is the President and Managing Partner of Dragon9 Partners. He is an experienced mortgage and technology executive. He held executive leadership positions with Plaza Home Mortgage, Option One Mortgage, First NLC Financial Services, loanDepot and Impac Mortgage. Mike received his MSEE degree at Loyola Marymount University and his BS in Applied Mathematics/System Engineering at UCLA.
Contact Information –