Retrospective review is an important part of any good cybersecurity program. So much so that NIST builds it into the Cybersecurity Framework, and many other industry standards and best practices incorporate continuous improvement into their methodologies. One frequently overlooked, but critical, form of retrospection is for a CISO who has been on the job for a while to consider how they might have done things better from the beginning. In an interesting article posted on HelpnetSecurity, Ray Pompton of F5 Networks asked CISOs exactly that question. If you follow our blog, the results shouldn't be surprising: the single biggest regret was not having put a cybersecurity strategy in place first. Instead, they dove straight into the technical weeds, and the result was a patchwork of cybersecurity tools and duplicated efforts that was neither cost-effective nor efficient.
Another interesting take-away is that CISOs would implement more independent validation of the information they receive from their staff. As we discussed in an earlier post, traditional approaches to cybersecurity and data privacy create inherent, systemic incentives for staff to downplay, and sometimes outright hide, problems they encounter or create. Independent review, through a combination of a strong compliance program and automation, can significantly strengthen a company's cybersecurity program and is an important part of a comprehensive cybersecurity strategy.
Are you a CISO with similar concerns but unsure how to get started? Fathom Cyber can help you create a defensible cybersecurity™ program that protects your organization, and you, when a breach occurs.