Editor’s note: Brian Fletcher, cyber assessment practices advisor at ISACA, recently visited with ISACA Now to discuss how chief information security officers (CISOs) can start off by achieving some quick wins for their organizations and how organizational cyber maturity enters the equation. The following is a transcript of the interview:
ISACA Now: Why is it important for CISOs in particular to get some quick wins?
Success is always the best advertisement for change, which invariably enables further success. Anytime a leader is trying to make changes, especially ones that are to an organization’s culture, it is vital to illustrate success very early in the process to win over skeptics, neutral parties and stakeholders. Quick wins also start to move the needle toward a more secure organization, which is why CISOs have the job they do.
ISACA Now: What are some areas in which attaining quick wins is most achievable?
Basic information security hygiene is the most straightforward and essential quick win. Basic security hygiene includes but is not limited to a secure password policy, including Multi-Factor Authentication (MFA), critical vulnerability management, basic security training and inventory management. Harder wins are related to the organization’s culture. They include a good governance strategy, sound risk management strategy, good software management practices, up-to-date policies, alignment with the organization’s objectives and a good incident response.
ISACA Now: How can CISOs best balance the need to notch some quick wins with devising a long-term strategy for their organization?
By utilizing a roadmap like the one generated by the CMMI Cybermaturity Platform. Roadmaps are the key to seeing the whole picture and getting things done. A roadmap enables the CISO to balance which tasks are done so the organization can illustrate progress, address critical issues and better secure their environment. The platform aids the CISO and the organization in generating a practical, prioritized roadmap that highlights critical issues that must be addressed and quick wins that can rapidly be completed.
ISACA Now: Why should focusing on organizational cyber maturity be a leading priority?
Cyber maturity refers to enterprise readiness to mitigate vulnerabilities and threats. Focusing on cyber maturity is all about improving an organization’s culture and asking what if. Focusing on cyber maturity also allows an organization to ask what our organization’s most significant risks are, where the organization should focus its efforts and which quick wins will have the most impact on our organization. The ultimate goal of focusing on cyber maturity is to align the organization’s cybersecurity program with the organization's goals and strengthen the organization's security program so that the organization is cybersecurity proactive instead of cybersecurity reactive. Once an organization has matured to a specific point, it no longer responds to each crisis that pops up but plans for what is next and “what if something happens we did not plan for.”
ISACA’s CMMI Cybermaturity Platform delivers a risk-based approach for organizations to understand their specific maturity targets. The platform gives a strategic look at your organization’s capabilities to easily measure, communicate and provide a blueprint to reach your maturity goals.
ISACA Now: Going back to the concept of quick wins, what is an efficient path for an organization to make quick headway on becoming more cyber-mature?
Utilize a risk-based roadmap like the one generated by the CMMI Cybermaturity Platform. Have the CISO and your cybersecurity organization analyze outstanding tasks, then update the roadmap to illustrate a path forward that enables quick wins and culture changes while addressing critical issues.