CISOs Need Teamwork & A Strategic Framework
NIST Enterprise Architecture Model
Eduardo Cabrera is the Chief Cybersecurity Officer at Trend Micro, responsible for analyzing emerging cyber threats to develop enterprise risk management strategies. Before joining Trend Micro, he was a 20-year veteran and former CISO of the United States Secret Service.
Given his background, Cabrera is eminently qualified for offering insight about information security challenges in both the government and the private sector.
Freedom to innovate
While serving in the US Secret Service, Cabrera lead information security, cyber investigative, and protective programs. “I lean on this experience and trusted partnerships daily to understand emerging threats but also to help develop resilient risk management strategies for Trend Micro and its Fortune 500 clients and strategic partners,” he says.
As you can imagine, working for the government has its unique challenges, and it’s not just about the paycheck.
“The differences are in perspective and mission. With that said, there is definitely a level of freedom found in the private sector that isn’t found in government. But the most significant freedom is the freedom to innovate. The speed and agility of innovation is incredible. I think that’s where the private industry, specifically cybersecurity companies, excel and can really help law enforcement, as well as the public sector at large, mitigate and eradicate the dynamic threats we see daily,” he explains.
The big picture
Companies may not fully understand the nature of modern threats, and simply placing a higher priority on security may not lead to improved measures, according to a CompTIA survey.
When asked what advice he would give to those new to the CISO position, Cabrera emphasized the importance of teamwork. “Listen! Listen to your direct reports. Listen to your organization’s business units or divisions. Listen to your partners in your sector and most of all listen to your partners in government,” says Cabrera.
“Cybercriminals have incredible networks that now allow them to automate and orchestrate their criminal enterprises. They do so by scaling trust within these criminal undergrounds. We need to do the same. The only way to defeat a network is to be a network. This requires much more trust on our side. We currently suffer from a trust deficit between private industry and government that will only be overcome by working closer together,” he concluded.
Strengthening your cybersecurity strategy
When it comes to the essential steps for strengthening and refining cybersecurity strategy in a large organization, Cabrera believes that a framework really comes first.
Unsurprisingly, he’s a big fan of the NIST Cybersecurity Framework, which consists of standards, guidelines and practices that help organizations address cyber risks by aligning policy, business and technological approaches. It was created by the National Institute of Standards and Technology (NIST) in partnership with the US Department of Homeland Security and the private sector.
It allows organizations to shift from old static information security best practices to proactive cybersecurity risk management standards. It maps existing industry standards such as NIST and the International Standardization Organization (ISO) to five core functions: identify, protect, detect, respond, and recover.
“The framework is critical for CISOs and their teams to build a cohesive strategy to brief up to the board room as well as down to the server room and apply the critical resources where they are needed most,” says Cabrera.
According to the information technology research company Gartner, the framework is now used by 30 percent of US organizations, and that number is projected to reach 50 percent by 2020.
A look into the future
We are in the midst of an Internet of Things explosion. 76% of companies interviewed by Vodafone believe that taking advantage of IoT technologies will be critical for the future success of any organization.
“Advances in technology are improving all aspects of our lives, however it is equally improving the lives of cybercriminals. With each new advancement there is a new opportunity for them to target, attack and monetize,” says Cabrera.
While 63% of companies have IoT devices already deployed, only 34% have security measures in place, indicating that the IoT is opening up new threat vectors but too few organizations are focused on preventing connected devices from being compromised.
“A layered connected threat defense using Big Data analytics and machine learning will be required to bring together often disparate and overlapping security stacks where visibility and control are the biggest challenges. It is needed today but will be essential in the coming years for CISOs and their teams,” explains Cabrera.