Light Dark
March 23, 2016 By Christophe Veltsos 3 min read
CISO
Risk Management

You’ve heard it a thousand times: “Sit up!” “Keep your back straight!” “Watch your posture!” When you had the luxury of youth, you could will yourself back into (correct) shape in a snap. But slowly, as the years passed, it became more and more difficult for you to quickly and easily correct your posture. Back pains, which used to go away as soon as you shifted position, now last for minutes or even hours.

The Importance of a Correct Security Posture

Much like the warnings from your parents or grandparents about your physical posture, an organization’s poor security posture can often lead to greater pains down the road if small, corrective actions are not implemented quickly. And like loved ones reminding you about the need for good posture after a quick glance, seasoned security professionals can usually assess the security posture of an organization they walked into just a few hours or days ago.

Just because an organization hasn’t felt any pain yet doesn’t mean that there isn’t a significant security threat looming over the horizon — or, worse, already inside the body of the organization. There are telltale signs that an organization’s posture is headed for trouble.

Five Ways to Reduce Aches and Pains

Here are five areas of your organization’s security posture that should be reviewed:

1. Tone From the Top

Much like the head controls the body, the act of toning from the top is critical if an organization is to improve its security posture. Good governance, as well as appropriate attention and support from management, is key to keeping tabs on, detecting and correcting possible security weaknesses well before pain shows up.

2. Organizational Factors

Having someone in charge of the security program is a good start. However, simply appointing a chief information security officer (CISO), or even a security manager, isn’t good enough. A healthy security posture needs a lot more than just a figurehead.

The implementation of a security program isn’t something done quickly or cheaply. It is more of a long-term corrective posture; something that will need the right amount of time and attention, constantly, over many months and years in order to have lasting impact. There are many security controls to choose from and many assets to be better protected, and the CISO will need the right vision and support to help the organization’s posture.

3. Human Factors

However, organizations need to keep in mind that, just like bad posture is hard to correct, human habits are hard to change, especially in the absence of any obvious pains.

Why should your employees change the way they do things when there’s no visible threat? The CISO, working in partnership with the rest of the C-suite, needs to engage in a slow, yet unstoppable set of projects whose aim will be to change employee habits and teach them better posture.

4. Communication About Information Risks

Much like one side of the body might send a shooting pain to alert you to a health event, communications around and about cyber risks are key. Organizations and their moving parts (i.e., people) need to be aware of the barriers to effective communication and ensure valuable conversations about cyber risks occur on a regular basis.

If done well, the moving parts can even start acting as alert sensors, ready and willing to share anything out of the ordinary they might observe.

5. Preparedness

In 2012, then-FBI Director Robert S. Mueller III said, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

Much like posture during your youth will impact your later years, organizations can no longer wait years to get themselves prepared for the inevitable security incident. Having a plan, practicing it — before any actual incidents — and refining your procedures will go a long way toward enabling your organization to react more quickly and effectively when the pain of a real security incident happens.

Ultimately, correcting your organization’s security posture is a long-term process; any pains that are currently experienced are likely the result of years of poor posture. The good news is that it’s not too late to start rectifying the problem — just don’t expect perfect posture overnight.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

 |  |  |  | 
Christophe Veltsos
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

More from CISO
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

April 2, 2024

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature