CISOs face many challenges in their cybersecurity work. There are not only laws you must comply with, but also best practices that can help you avoid pitfalls and security risks along the way. And even if you have a clear plan for how to work with cybersecurity, it can be difficult to explain to the management team that cybersecurity needs resources in order to protect the business. We have sorted out some of the major challenges for CISOs and help you tackle them!
Convince management to prioritise cybersecurity
Digitalisation has made cybersecurity increasingly important, but it does not always receive the priority it deserves. It is not always easy for the CISO to explain to the management team why cybersecurity work matters so much. However, there are some things you can keep in mind when presenting to the management team.
To set the right priorities in your security work, some form of risk analysis is needed: a security protection analysis. By asking yourself a number of questions, you can deliver a security protection analysis that allows you to be very concrete when you present to the management team or the IT manager.
You can also show what the consequences could be if cybersecurity is neglected. For example, if you have discovered shortcomings in your software updates, it is clearer and more convincing to say that "a hacker can copy the entire payroll and post it on the internet" than to talk about the need for several security updates. So, adapt the consequence scenario to your business and to what you need to protect.
A counterargument you may hear is: "But does it not cost a lot to introduce a structured approach to information security?" You can respond quickly by explaining that the cost of an attack is usually much higher than the investment needed for better security. Not investing in cybersecurity therefore means taking an extremely large financial risk. Ask the management team whether they really want to take that risk.
It is good if management associates cybersecurity with something positive and uncomplicated. Therefore, end the presentation by explaining that systematic cybersecurity work allows you to avoid negative publicity, information leakage and downtime. In short, you avoid several risks that could otherwise lead to lost business.
Laws and directives
There are vital laws and directives you should be aware of, for example the NIS Directive. The NIS Directive (the Directive on security of network and information systems) is a directive, meaning that it is transposed into each member state's national legislation. This means that there may be differences in how it is applied.
The NIS Directive aims to promote security measures and raise EU member states' level of protection for critical infrastructure. In other words, it improves the information security of operators in sectors that provide essential services to our society and economy. Learn more about the NIS Directive!
Another law that might be important for your organisation is the Protective Security Act. It clarifies the obligations of companies with security-sensitive activities and the importance of operators performing security protection analyses for their operations. The Protective Security Act (2018:585) contains requirements for measures aimed at protecting information that is of importance for Sweden's security or that is to be protected under an international security protection commitment. The protection of other security-sensitive activities, such as important information systems, is also being strengthened. Read more about the Protective Security Act!
Risks the CISO needs to be aware of
A CISO needs to keep track of a great deal to prevent vulnerabilities from being exploited in a cyberattack, something that can have enormous consequences both for the company and for society.
Remote control of systems
Many organisations depend on remote access via RDP, for example so that suppliers can perform maintenance, or so that operating personnel can monitor a facility. Secure remote access addresses many of the security risks that are otherwise associated with such solutions.
Digitalisation means that IT and OT systems need to be connected, and often the same type of technology is used in both IT and OT. The differing needs of IT and OT easily lead to technical conflicts that can be challenging to handle. With secure solutions, you can maintain accessibility and increase security at the same time.
Traceability and logging
Most IT systems generate logs that enable troubleshooting and traceability. Logging benefits from having one shared system for all zones and subsystems, but a shared system also increases the risk of attacks, since it connects zones that would otherwise be separated. To reduce the risks, a solution is required that protects both the log information and all connected systems.
Transmission of SCADA information
Companies using SCADA systems have been gradually automating for many years. But transferring socially critical information, for example from a SCADA system to an administrative office network, involves potential security risks. Here, secure solutions are needed that handle the security issues while still enabling an exchange of information.
Secure updates
Performing updates is something that can in itself pose a security risk if not done properly. The integrity and availability of the systems must be maintained, yet most system updates are not sufficiently evaluated in the environment in which they are used, or in combination with the applications running there. To avoid these risks, maintain the integrity and availability of the systems and perform secure updates, special solutions are required.
Security culture
Cybersecurity today is not only a technical challenge but also a human one: it is a matter of security culture. Criminals do not rely solely on technical weaknesses; they often exploit people to gain access to sensitive data. The human factor is therefore the main cause of the most serious security breaches. To improve security culture, attitudes and behaviours need to change. The organisation needs to see cybersecurity and security culture as a critical activity for the whole company, not as an isolated IT issue.
There are many things to keep track of as a CISO. To make life a little easier, we have created a guide for CISOs. Read it here!
Do you need help with your cybersecurity? Do not hesitate to contact us!