The CISO’s 5 R’s for a Kick-Ass Cyber Security Culture

Cheryl Abram
2 min read · Aug 27, 2022

Chief Information Security Officers (CISOs) and their cybersecurity teams get bogged down by things that don’t matter, and so they miss what is most critical and important.

The infographic below outlines the critical processes necessary for Chief Information Security Officers (CISOs) and their cybersecurity teams to establish a real and valued presence in an organization by fostering an enterprise-wide security mindset.

Note the emphasis on engaging the enterprise AT EVERY LEVEL to form relationships, establish connections, and model the informed and secure decision-making that is critical to the continued maturity of every organizational culture.

Relationships

Engage with organizational leaders at EVERY LEVEL to establish relationships, understand and prioritize work and performance requirements, and develop the connections needed to build and nurture the critical relationships that mature the overall cybersecurity culture.

Regulatory Risk

Partner with Enterprise Risk Management to implement a best-practice assessment (e.g., the Baldrige Cybersecurity Excellence Builder) to identify assets, partnerships, regulatory requirements, and the organization’s risk appetite. Conduct a policy gap analysis, then create and implement a communication strategy to inform and align policies with mission and performance requirements.

Research

Engage in continued hazard recognition through security research, red team auditing, and security testing of administrative, operational, and technical controls. Identify the vulnerabilities of, and the most likely threats to, systems, assets, processes, and people (internal and external to the organization) using threat and opportunity modeling. Create a cybersecurity strategy with meaningful evaluation criteria and measurable business outcomes.

Reasoning

Invite the entire cybersecurity team, including internal and external enhanced users (e.g., the BISO, vendors), to engage in robust evaluation, purple teaming, IR training, business simulation, and planning, together with Risk Management control testing and implementation (e.g., STIGs, NIST SP 800-53, COBIT 5).

Results Monitoring & Control

Assess results and partner with the business to identify and leverage strengths and capabilities. Re-prioritize for continued growth, resilience, adaptation, and maturation.

Subscribe to my YouTube channel, Person Centered Cyber, for unique and profitable cybersecurity news, evergreen ideas, and effective practices.


Written by Cheryl Abram

A spiritual doula working in cybersecurity. Follow me on YouTube http://www.youtube.com/personcenteredcyber & LinkedIn.
