Successful security objectives: A 2022 guide for CISOs
Over the last two years, cybersecurity has seen a seismic shift, and security objectives have had to evolve in response.
The world of work was turned on its head by the pandemic, creating security headaches relating to remote and hybrid working. Digital transformation has expanded your potential “attack surface”. At the same time, the threats you face grow ever more sophisticated.
With the issuing in March 2022 of the SEC’s cyber regulation proposal, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, the pressures on CISOs to get security right are only intensifying.
To tackle the growing range of cyber risks, ensure their information security strategy remains relevant and ensure their strategy aligns with their organization's overall governance, risk and compliance (GRC) framework, CISOs need to regularly review their security goals and objectives. What should information security objectives look like in 2022?
What Do Successful Information-Security Objectives Look Like?
There may be debate around the fundamental objectives of information security. But as a whole, security objectives around computer networks and systems coalesce around three themes.
What are the three objectives of security? They are generally agreed to be:
Achieving these main goals relies on a number of other security objectives. With that, in 2022, the CISO’s objectives should also include:
- Aligning security objectives with business priorities: your security objectives need to be in line with your corporate goals and must evolve with your business
- Putting in place a robust measurement framework: setting Key Risk Indicators (KRIs) for IT risk management gives you a baseline for the maturity of your security strategy and enables you to measure progress
- Ensuring your approach is aligned with recognized external frameworks such as NIST: more detail on which below
- Turning your security operations center (SOC) into a strategic CoE (Center of Excellence): a mature, effectively resourced operation that acts as a business partner to the board and executives
Information-Security Objectives and the NIST Framework
The NIST Cybersecurity Framework is a set of US federal government guidelines for organizations around preventing, detecting and responding to cyberattacks.
How Are Security Objectives Essential for the NIST Framework?
The NIST Cybersecurity Framework splits security principles into five core functions; each represents a key step in an organization’s security program.
- Identify — your ability to spot potential cybersecurity risks and areas of weakness
- Protect — the safeguards you implement to ensure the continuity of your critical infrastructure services, by limiting or containing the impact of a cybersecurity event
- Detect — the ability to identify cyberattacks or breaches
- Respond — the plan you have in place to tackle any attack or breach
- Recover — the steps you take to get systems up and running again
The NIST core functions align closely with the security objectives of confidentiality, integrity and availability. By looking at both in parallel, you can ensure your cybersecurity strategy is designed to fit with NIST’s guidelines and achieve the three core information-security objectives.
Tackling 2022’s Biggest Cybersecurity Threats
In such a fast-moving field, security objectives cannot be static or even sluggish; cyber threat actors are finessing their attack strategies all the time, and with the main objective of information security being to repel these threats, CISOS cannot let their guard down.
And this doesn’t end at your network’s perimeter. As we touched on earlier, organizations’ attack surfaces have become bigger and more fluid for several reasons including remote working and growth in access via devices. This is leading many organizations to adopt zero-trust security frameworks to bolster their defenses.
Then there’s the need to consider those outside your perimeter. The need for bullish third-party risk management has led Security magazine to place “Increased Scrutiny on Software Supply Chain Security” top of its list of Cybersecurity Predictions for 2022.
All too often, these threats originate far closer to home: a Yahoo Finance article believes that insider threats, and organizations ill-equipped to respond to them, are 2022’s biggest risk to cyber security.
Looking both inside your organization, making use of audits and controls to detect potential internal threats, and beyond your walls to review third-party risks, should be among your core objectives for 2022.
Keep Pace with New Threats and Best-Practice Response Strategies
Success as a CISO means setting security objectives that align with the external landscape and equip your business to respond to fast-changing cybersecurity threats. Ensure you’re always on the front foot by subscribing to Diligent’s Governance, Risk and Compliance (GRC) newsletter.
The regular newsletter showcases the latest reports, blogs, industry insights and thought leaders, giving CISOs the lowdown they need on all things GRC.