Friday, January 27, 2017

How to secure budget for some key initiatives; a sales pitch to the C-Suite

- Build a presentation on the increase in cyber risk to the company.
- The goal is to convince the C-Suite that ownership of risk needs to be at their level.
- You need to build a culture of security awareness throughout the organization.

The CISO must hone their skills as a salesperson or public relations master. Security must be sold as a crucial part of the business culture of the organization. Concise points with little to no technical information are crucial if you want to keep the attention of the key decision makers. Rehearse your sales pitch and keep it short. Graphs and charts with red/orange/green representing current status seem to be examples of good approaches. The absolute last thing you want to present is the number of attacks, or, for that matter, the number of anything! Talk risk, likelihood, and potential impact to the business. Speak in "businessese".
What do you do if you suspect you have a phishing attack? What is your response plan? Does it include:

- Requesting that the suspicious email be forwarded as an attachment?
- Analyzing the URL links, headers, sender address, and business need or applicability?
- Checking whether there were any attachments? If there were, filter them through VirusTotal or another reliable online tool to see whether they have been reported as malicious.

If the attachment or URL is malicious, check the logs for user activity and be sure to interview the user or users. Interviewing the user is important to ascertain whether they intentionally or inadvertently clicked on a link to a possibly malicious site. But review the logs as well, as users often either don't recall or will not admit their behavior.

Clearly some technical knowledge and skills are necessary to address this possible security incident. But there is also a project-planning aspect to managing it. Having a good incident response process has always been important, but with the proliferation of phishing attacks on all businesses and organizations, never more so than today. This must be one of your highest priorities. Mock drills are an essential part of this process. Just like testing backups, testing your IR plan is crucial. You have to know if you have been breached.
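The checklist above, worked through in code as an added example (this script is not from the original post). It parses a constructed sample message the way an analyst would when a user forwards it as an attachment: it compares the sender, Reply-To and Return-Path domains, pulls the links out of the body, hashes each attachment so the digest can be checked against a reputation service such as VirusTotal, and then reads constructed proxy log lines to find which users actually visited the extracted hosts and therefore need to be interviewed. Every address, domain, user and log line here is invented, and the log format (timestamp, user, method, URL, status) is an assumption of the example.

```python
import hashlib
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the suspicious message as forwarded to the security team.
# Every address, domain and URL here is invented for the example.
RAW_EMAIL = b"""From: "Payroll Team" <payroll@example-corp.com>
Reply-To: recover@payrol1-example.net
Return-Path: <bounce@payrol1-example.net>
To: alice@example-corp.com
Subject: Action required: confirm your direct deposit
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset=utf-8

Please confirm your account at http://payrol1-example.net/login?u=alice
or review the attached form.

--BOUND
Content-Type: application/pdf; name="deposit_form.pdf"
Content-Disposition: attachment; filename="deposit_form.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJSBjb25zdHJ1Y3RlZCBzYW1wbGUgYXR0YWNobWVudAo=
--BOUND--
"""

# Constructed web proxy log lines (assumed format: timestamp user method url status).
PROXY_LOG = [
    "2017-01-27T09:12:03Z alice GET http://payrol1-example.net/login?u=alice 200",
    "2017-01-27T09:12:40Z bob GET https://intranet.example-corp.com/ 200",
    "2017-01-27T09:15:11Z carol GET http://payrol1-example.net/login?u=carol 200",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sha256_hex(data: bytes) -> str:
    """Digest of an attachment; the hash can be looked up in a reputation
    service such as VirusTotal without uploading the file itself."""
    return hashlib.sha256(data).hexdigest()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw: bytes) -> dict:
    """Pull out the checklist items: sender headers, links, attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]

    flags = []
    # Reply-To or Return-Path on a different domain than the visible sender
    # is a common sign that the From header is not what it appears to be.
    for label, addr in (("Reply-To", reply_to), ("Return-Path", return_path)):
        if addr and domain_of(addr) != domain_of(sender):
            flags.append(f"{label} domain {domain_of(addr)} differs from From domain")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = URL_RE.findall(text)
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    for host in hosts:
        if host != domain_of(sender):
            flags.append(f"link host {host} does not match sender domain")

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({"filename": part.get_filename(),
                            "content_type": part.get_content_type(),
                            "size": len(data), "sha256": sha256_hex(data)})

    return {"sender": sender, "reply_to": reply_to, "return_path": return_path,
            "urls": urls, "hosts": hosts, "attachments": attachments, "flags": flags}


def find_clicks(log_lines, hosts) -> dict:
    """Map each user whose proxy traffic reached a suspicious host to the
    (timestamp, url) pairs, so the analyst knows whom to interview."""
    hits = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than abort the investigation
        ts, user, _method, url, _status = fields
        if urlparse(url).hostname in hosts:
            hits.setdefault(user, []).append((ts, url))
    return hits


if __name__ == "__main__":
    report = triage(RAW_EMAIL)
    for flag in report["flags"]:
        print("FLAG:", flag)
    for att in report["attachments"]:
        print("attachment:", att["filename"], att["sha256"])
    for user, visits in find_clicks(PROXY_LOG, report["hosts"]).items():
        print("interview:", user, visits)
```

The log check deliberately returns the users themselves rather than a count: the point of the post is that the log review and the interview go together, and the analyst needs names and timestamps for both.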

Monday, January 16, 2017

Synergy Between the CISO and Application Development

CISOs must work collaboratively with the heads of Application Development to ensure a Secure Development Life Cycle process is being implemented and followed. Developers must be following our secure coding standards. Are secure ESAPI libraries being used? ESAPI (the OWASP Enterprise Security API) is a free, open source web application security control library that makes it easier for programmers to write lower-risk applications.

An effective CISO must have some knowledge of Application Security best practices. OWASP, the Open Web Application Security Project, is a great resource for this. It is a not-for-profit international organization of volunteers who are passionate about secure coding and development. Most CISOs I have known, other than the few who came up as developers, are admittedly weak in this area, and will often rely heavily on the myriad tools and projects from OWASP. The most recognized is the OWASP Top 10, a broad consensus about what the most critical web application security flaws are.

Part of a good Application Development Security Strategy is having both static and dynamic application vulnerability scanning in place. These scanning tools cannot be run out of the box; they need configuration.
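ESAPI itself is a Java library. As an added example that is neither ESAPI's code nor the post's own, the following Python sketch shows the two controls such a library standardizes for developers: allow-list input validation and output encoding chosen for the context the data lands in. The vulnerable rendering function sits beside its hardened form so a reviewer can see exactly what the coding standard asks for. Function names and the regex are my own assumptions.

```python
import html
import re
from urllib.parse import quote

# Allow-list for a username: anything outside this set is rejected outright,
# rather than trying to strip "dangerous" characters from it.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(value: str) -> str:
    """Allow-list validation, the Validator half of the pattern."""
    if not USERNAME_RE.match(value):
        raise ValueError("username contains characters outside the allow-list")
    return value


def encode_for_html(value: str) -> str:
    """Encoder for data placed in HTML body text or a quoted attribute."""
    return html.escape(value, quote=True)


def encode_for_url_param(value: str) -> str:
    """Encoder for data placed in a URL query parameter (nothing left unescaped)."""
    return quote(value, safe="")


def render_profile_unsafe(display_name: str, search: str) -> str:
    # Vulnerable: untrusted values concatenated straight into HTML and a URL,
    # so a display name like "<script>...</script>" becomes live markup.
    return (f"<h1>Welcome {display_name}</h1>"
            f'<a href="/search?q={search}">Search again</a>')


def render_profile_safe(display_name: str, search: str) -> str:
    # Hardened: each value is encoded for the specific context it is placed in.
    # The HTML encoder is not enough for the URL parameter, and vice versa.
    return (f"<h1>Welcome {encode_for_html(display_name)}</h1>"
            f'<a href="/search?q={encode_for_url_param(search)}">Search again</a>')


if __name__ == "__main__":
    hostile = '<script>alert(1)</script>'
    print(render_profile_unsafe(hostile, '"><b>x'))
    print(render_profile_safe(hostile, '"><b>x'))
    print(validate_username("alice_01"))
```

A static scanner configured for the team's coding standard can be told that only `encode_for_html` and `encode_for_url_param` count as sanitizers for their respective sinks, which is the kind of configuration the post says these tools need before they are useful.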