How CISOs Can Get Some Quick Wins

Bryan Fletcher
Author: ISACA Now
Date Published: 25 April 2022

Editor's note: Bryan Fletcher, cyber assessment practices advisor at ISACA, recently visited with ISACA Now to discuss how chief information security officers (CISOs) can start off by achieving some quick wins for their organizations and how organizational cyber maturity enters the equation. The following is a transcript of the interview:

ISACA Now: Why is it important for CISOs in particular to get some quick wins?
Success is always the best advertisement for change, which invariably enables further success. Anytime a leader is trying to make changes, especially ones that are to an organization’s culture, it is vital to illustrate success very early in the process to win over skeptics, neutral parties and stakeholders. Quick wins also start to move the needle toward a more secure organization, which is why CISOs have their jobs.

ISACA Now: What are some areas in which attaining quick wins is most achievable?
Basic information security hygiene is the most straightforward and essential quick win. Basic security hygiene includes but is not limited to a secure password policy, including Multi-Factor Authentication (MFA), critical vulnerability management, basic security training and inventory management. Harder wins are related to the organization’s culture. They include a good governance strategy, a sound risk management strategy, good software management practices, up-to-date policies, alignment with the organization’s objectives and a good incident response.

ISACA Now: How can CISOs best balance the need to notch some quick wins with devising a long-term strategy for their organization?
By utilizing a roadmap like the one generated by the CMMI Cybermaturity Platform. Roadmaps are the key to seeing the whole picture and getting things done. A roadmap enables the CISO to balance which tasks are done so the organization can illustrate progress, address critical issues and better secure their environment. The platform aids the CISO and the organization in generating a practical, prioritized roadmap that highlights critical issues that must be addressed and quick wins that can rapidly be completed.

ISACA Now: Why should focusing on organizational cyber maturity be a leading priority?
Cyber maturity refers to enterprise readiness to mitigate vulnerabilities and threats. Focusing on cyber maturity is all about improving an organization’s culture and asking what if. Focusing on cyber maturity also allows an organization to ask what our organization’s most significant risks are, where the organization should focus its efforts and which quick wins will have the most impact on our organization. The ultimate goal of focusing on cyber maturity is to align the organization’s cybersecurity program with the organization's goals and strengthen the organization's security program so that the organization is cybersecurity proactive instead of cybersecurity reactive. Once an organization has matured to a specific point, it no longer responds to each crisis that pops up but plans for what is next and “what if something happens we did not plan for.”

ISACA’s CMMI Cybermaturity Platform delivers a risk-based approach for organizations to understand their specific maturity targets. The platform gives a strategic look at your organization’s capabilities to easily measure, communicate and provide a blueprint to reach your maturity goals.

ISACA Now: Going back to the concept of quick wins, what is an efficient path for an organization to make quick headway on becoming more cyber-mature?
Utilize a risk-based roadmap like the one generated by the CMMI Cybermaturity Platform. Have the CISO and your cybersecurity organization analyze outstanding tasks, then update the roadmap to illustrate a path forward that enables quick wins and culture changes while addressing critical issues.