CISO Insider – June 2023

CISO Insider Newsletter

June 2023 Edition

Welcome!

Welcome to the second edition of our Chief Information Security Officer (CISO) newsletter!

As we delve deeper into the ever-evolving world of cybersecurity and the challenges faced by CISOs, we are excited to bring you the latest insights and updates in this issue.

In this edition, battle-tested CISO Patrick Van den Branden explains how to make your organization (more) cyber resilient. We take a deep dive into the new NIST CSF 2.0 framework and look at how AI will impact the CISO role. Finally, we provide a comprehensive guide on cloud security for CISOs.

In this edition

Curated content
Take a deep dive into the new NIST CSF 2.0 and prepare for the impact it will make

Career watch
We are currently looking for a CISO as well as a Business Development Manager. Sounds like you? Let’s talk!

GUEST ARTICLE

How to Make Your Organization (more) Cyber Resilient

Patrick Van den Branden, IT Security Officer @ Euroports

Phishing, Ransomware, DDoS attacks, Business Email Compromise, … are all known attacks on IT environments that can lead to serious business interruptions and financial loss for organizations or private persons. As a Security Officer, one of the most important tasks is to pull management into this Cybersecurity pool and assist them in navigating it. In the fight against adversaries of all sorts and from all around the world, Cybersecurity awareness is key. And with Cyber awareness automatically comes Cyber resilience. Reports and articles of all sorts, including those from DataNews, Voka, Agoria, and even the Flemish Government, indicate that there is still a huge mountain to climb to make Belgian companies (more) resilient against Cybercrime.

Like many things in organizations, this has to start from the top. CEOs, General Managers, and Board Members should make this a top priority in their organization. In the end, it’s all about risks. What are the risks to the organization, what are the odds that they happen, and what is the risk appetite of the organization? A report from Voka shows us that 50% of the questioned SMBs in Flanders have no IT security plan. And it’s safe to assume that the majority of companies that were not included in the inquiry or did not respond to it do not have one either… Fortunately, there is a shift in climate as more attention is being given to this issue. We even see several initiatives from the government to highlight this problem and assist organizations in taking steps to improve their Cyber resilience. What about organizations that still do not want to take any steps? Well, there is a lot of legislation that is either already in place or will be in the coming months and that needs to be complied with, which makes this strategy not the best approach.

If we look up the definition of the word “resilience”, we can translate it into “the power to restore as quickly as possible from a bad situation”. We also often use the term to indicate the ability to withstand attacks, but what does this mean for organizations? What must CEOs, MDs or Board Members do to make their organization (more) Cyber resilient? Well, it’s easy: in my view the way to (a better) Cyber resilience can be divided into 3 chapters:

Who?

Cyber resilience is a concern for the complete organization, not only for the IT department. The Management, the IT team, the Users (which represent the business), and also “the Others” (3rd parties) all play very important roles in making the organization (more) Cyber resilient. Acknowledgment of a sense of urgency and sometimes even a sense of neediness is key. “Bad things happen to other people”… Yeah right. Just look at the data, look at which companies have been successfully attacked in the same sector and hopefully, there is a realization that it’s not a matter of “if” but “when” an attack will happen and be successful. 

There is a saying in the motorcycle world that goes: “You have two types of motorcyclists: those who have already fallen and those who have yet to fall”. The same goes for Cybersecurity: you have organizations that have already been hacked and those that have yet to be hacked. Nobody is in the clear… So, get everyone on board and work as a team to build your Cyber resilience.

How

Cyber resilience is obtained by working on 3 axes: a Human, a Governance, and a Technical axis. Depending on the source of information, 80% or even 90% of cyber-attacks are initiated via the users of the IT environment. So make the users aware of the dangers in the digital world. Train them to achieve a higher level of Cyber resilience using simple techniques and by creating a “sixth sense” for malicious mail. Are they not interested? Well, use the argument that almost everything you teach them can also be used to protect them in their private digital life.

Organize the training in that way and everybody will benefit. They refuse to use their private smartphone for the organization’s MFA? No problem, organize pop-ups with the Service Desk to install MFA on their smartphone to protect their private content … Facebook, Instagram, PayPal, Hotmail, Gmail, and whatnot. And when they see the benefits of this usage, it’s maybe a smaller step to add the organization’s MFA to the list… Make the training lively and entertaining: nobody is waiting for a dry and technical explanation of all the risks, so take them on a journey they understand.

Leave plenty of room for interaction and testimonials of the participants. The feedback and involvement of your users will surprise you! Create a climate where “IT is a friend”. Encourage users to report “mistakes” when they have clicked on a strange link, opened a suspicious document, or entered credentials on a website in a “No Shame, No Blame, and No Judgement” atmosphere.

On the governance level, the following strategic documents must be addressed: an Incident Response Plan, a Business Continuity Plan (notice the word “Business” in Business Continuity?), an IT Use Policy (internal), and an IT Security Policy (external). Get everybody on board to develop these procedures and processes, not as an obligation but as a partnership with your business to become (more) Cyber resilient as a team.

When

Cyber resilience can only be accomplished gradually; it is critical to make the steps small enough so that everybody in the organization is and stays on board and these steps can be achieved. Maturity assessments, identifying risks, defining mitigation actions, categorizing the risks (“crown jewels”), and prioritizing the mitigation actions are all steps to be taken in this chapter. Establish a clear plan over a longer period (e.g. 3 years), carry out this plan, and re-evaluate it on a regular basis (yearly). Remember: a plan that is not tested is … just a piece of paper.

Many organizations are starting their journey towards a Cybersecurity Culture. But realize that this journey takes some time. Mainly because it involves changing human behavior. To achieve this goal, a timeline of a couple of years must be considered.

In conclusion: organizations can be made (more) Cyber resilient by involving the whole organization, with both internal and external stakeholders, and by working gradually on 3 axes. Obtaining cyber resilience from a “check the box” or legislative perspective is fine, but there is much more to be gained by doing this as a team-engaged project. Above all, a high level of Cyber resilience will become an asset and a way to differentiate the organization from its competitors. The fact that much depends on human behavior is a very crucial factor in how to approach this. A hot topic today is sustainability. It’s clear that Cyber resilience is a significant part of the sustainability of organizations.

So let’s do it!
Engage!! Initiate!!

CURATED CONTENT

Handpicked for you

Toreon insights: The Importance of Cloud Security: A Comprehensive Guide for CISOs

CISOs play a vital role as organizations embrace cloud computing. Cloud security is paramount in safeguarding sensitive data and ensuring uninterrupted business operations. Toreonite Jasper Baes emphasizes the significance of cloud security for CISOs and provides key insights for reinforcing their organization’s digital defenses.

Updating the NIST Cybersecurity Framework – Journey To CSF 2.0

The upcoming NIST CSF 2.0 holds significant importance in cybersecurity and provides updated guidelines and best practices for effective cyber risk management. With enhancements such as supply chain security, improved threat detection and response capabilities, and streamlined risk management, organizations can strengthen their cybersecurity posture.

How Will AI Change the CISO Role?

Artificial intelligence arms both defenders and threat actors, rapidly reshaping the cybersecurity landscape. Inevitably, the chief information security officer role must adapt to keep up. Written by Carrie Pallardy

CAREER WATCH

Join Toreon, the cybersecurity company that’s all about empowering individuals and organizations in the field of cybersecurity. Our team of over 50 security domain experts is driven by knowledge and impact, partnering with companies to define and implement strategic security roadmaps.

Chief Information Security Officer

Join our dedicated GRC and privacy team of 15 Toreonites, and work with us to raise and maintain an organization’s security maturity to a higher level.

Chief Information Security Officer - Freelance

Join our dedicated GRC and privacy team of 15 Toreonites, and work with us to raise and maintain an organization’s security maturity to a higher level, while operating on a freelance basis.

Business Development Manager - Cybersecurity

Be a part of our sales team and proactively explore new markets and customers to drive our growth at Toreon.

Eric De Smedt

Upcoming trainings & events

Book a seat in our upcoming trainings

All in-person events, hosted by the Data Protection Institute

CISO M3 – Secure System Acquisition and Development

Next training dates:
12-13 June 2023 &
21-22 November 2023

CISO M1 – Security Governance and Compliance

Next training date:
20-21 September 2023

CISO M4 – Security Operations

Next training date:
26-27 September 2023

CISO M2 – Security Architecture

Next training date:
17-18 October 2023

CISO M5 – Threat & Vulnerability Management

Next training date:
24-25 October 2023

CISO M6 – Leadership

Next training date: 
29-30 November 2023

CISO Full Certification Track Module 1-7