Auston Davis, Chief Information Security Officer (CISO) at Stanford Children's Health, discussed cybersecurity risk management and what it means for today's organizations in his keynote presentation to Argyle's CISO membership at the 2017 Chief Information Security Officer Leadership Forum in Los Angeles on November 9. In his presentation, "Cybersecurity Risk Management: Changing Cybersecurity from a Zero to a Hero," Davis laid out a methodology to help organizations transform cybersecurity from a cost center into a business enabler.
Davis offered six recommendations to help organizations bolster their cybersecurity strategies:
1. Enlist the Workforce
How a CISO educates a workforce about cyber dangers plays an important role in an organization's ability to identify and mitigate cyber-attacks.
If a CISO dedicates time and resources to teach about cyber risks, they empower employees to prevent cyber-attacks before they happen. A CISO can drive cybersecurity collaboration across a workforce and ensure that employees will come forward any time they identify the signs of a cyber-attack.
"The workforce is part of the information security team," Davis stated. "There is no one solution that can stop modern-day attacks. An aware and trained workforce is not only vital, it's key."
Conversely, a CISO who fails to teach workers about cyber threats risks missing out on opportunities to stop cyberattacks. This CISO may struggle to detect a cyberattack before it's too late – something that may lead to data breaches and other costly, time-intensive cybersecurity problems.
"If everyone is not part of the information security team, we will fail," Davis noted.
2. Look at Additional Risk and Vulnerability Sources
Having the ability to closely examine cyber risks is paramount, particularly for today's CISOs.
CISOs must be able to look at security incidents from multiple perspectives. That way, CISOs can understand why cyberattacks are happening and work quickly to minimize such problems.
Furthermore, CISOs should reach out to IT teams and other key organizational stakeholders for feedback. If CISOs collect and analyze feedback, they may be able to safeguard their respective organizations against cyber-attacks.
"IT teams are those who are out in the field … and are able to provide user feedback," Davis indicated. "And the more we can have users being compliant, the less risk they pose for us."
3. Establish Security Priorities
A CISO is responsible for effectively managing the time and resources at his or her disposal. By establishing security priorities, a CISO is better equipped to do so.
With security priorities in place, a CISO is better placed to decide how to respond to a cyberattack. Those priorities also give the CISO a basis for assessing the probability and potential impact of each threat, so that limited time and budget go to protecting the data and systems that matter most.
"We really have to look at probability and impact, and a lot of times, we don't," Davis noted.
4. Communicate Risk
To communicate risk, CISOs must describe cyber dangers in terms the business already uses. By doing so, they can gain leadership support.
"When it comes to other business leaders, if you started talking with too much technical jargon, you'll lose them," Davis said. "So we need to know how to translate risk in layman's terms."
Moreover, CISOs must be able to educate C-suite leaders and employees about cyber risks.
If CISOs define cyber risks in concrete terms, they enable key stakeholders to understand how a cyberattack would affect the organization, its revenue and its brand reputation.
"We need to communicate risk in terms of monetary impact … and impact to operations, as well as impact to the brand," Davis noted.
5. Develop an Effective Security Approach
When it comes to cybersecurity, the recommendations a CISO makes to business leaders must be data-driven, so that those leaders can choose the best course of action for addressing a given risk.
"Ultimately, we want the lines of business to decide what they're going to do with the risk," Davis said. "But we also have to be able to position ourselves to be able to provide a recommendation to the business."
By providing cybersecurity recommendations, CISOs can empower business leaders to take action against cyber threats. In addition, these recommendations may help business leaders take a proactive approach to cyber threats, thereby reducing the risk of cybersecurity issues in the years to come.
"When we tell people what to do, it remains our problem. But when we provide people with recommendations, we become their saviors," Davis pointed out.
6. Track Risks
As cyber risks become more advanced, CISOs must track these dangers to ensure fast, efficient threat response and remediation.
If CISOs monitor cyber risks, they can limit the chance that these dangers will worsen over time. Plus, CISOs can educate C-suite leaders and employees about emerging cyber threats and show them how to manage these problems.
"People want to do the right thing if you show them how to do the right thing," Davis concluded.
Mr. Auston Davis is the CISO at Stanford Children's Health. He also serves as an Adjunct Professor teaching Cryptology and Computer Security at San Jose State University. He is an award-winning leader and information security professional with more than 19 years of experience. He has worked in multiple industries, including the government, military, healthcare, high-tech and higher-education sectors, including 7 years at Stanford University. Auston is a proud 23-year veteran of the United States Air Force and Air Force Reserves. He retired in December 2013 after serving for several years as a Special Agent-in-Charge with the United States Air Force Office of Special Investigations (AFOSI), specializing in counterintelligence and computer-crime investigations as an Individual Mobilization Augmentee (IMA) reservist.