Promoting CISO cybersecurity expertise

Panel of Global 1000 CISOs share advice for implementing strategic security programmes, gaining stakeholder support and measuring results.

Monday, 23rd November 2015. Posted by Phil Alsop.
CyberArk has launched an industry initiative and report to mine cyber security insight and peer-to-peer guidance from a panel of Chief Information Security Officers (CISOs) from Global 1000 enterprises. The CISO View industry initiative is based on independent research, sponsored by CyberArk.
The CISO View panel’s collective expertise in managing large enterprise security deployments is featured in a new report, “The Balancing Act: The CISO View on Improving Privileged Access Controls.” CISOs from ANZ, Carlson Wagonlit Travel, CIBC, CSX Corporation, ING Bank, Lockheed Martin, Manulife, McKesson, Monsanto Company, News UK, Rockwell Automation and Starbucks provide real-world advice for getting organisational buy-in, implementing sustainable privileged account security programmes and measuring effectiveness of the controls. 
Making privileged account security an organisational priority
One of the goals of the CISO View industry initiative is to provide a forum for the CISO community to share best practices and tangible guidance for building effective cyber security programmes.
In the report, the CISO panelists focus on concerns about the potential for compromised privileged credentials, which are the common denominator in nearly all cyber attacks. According to the report, the rise in awareness about advanced threats is prompting many organisations to proactively shore up privileged access controls in order to help mitigate risks.
“If you don’t have good practices in privileged account management, you’re making it very easy for adversaries to traverse your whole network,” said Jim Connelly, VP and CISO, Lockheed Martin. “If they (attackers) get a hold of an over-privileged account, they’ll run through the environment like a brushfire.”
Based on a soon-to-be-released global survey from CyberArk, privileged account security has become a top organisational priority. Survey respondents (primarily IT security professionals) ranked privileged account security second only to endpoint security as the priority for their security programmes.
CISO Views – Business value and establishing the right metrics
Featuring practical first-hand guidance not available anywhere else, the report leverages panelists’ hard-won experiences. It describes what it takes to deploy comprehensive programmes that improve privileged access controls at large enterprises, encompassing people, process and technology. The report offers peer advice in three key areas:
  • The strategic decisions that CISOs and their teams will need to make, including how to prioritise based not only on risk but also on business opportunities
  • The conversations CISOs need to drive across the organisation, such as how to negotiate with and influence stakeholders
  • The essential components of a successful programme, including how to develop metrics to measure security and business results
The panelists describe specific ways to ensure that security and business objectives are aligned, including:
  • Establish business value: Determine the line between “sufficiently secure” and “overly restrictive”
  • Focus on metrics that matter: Use metrics to steer course corrections, measure control efficiency, and assess the impact of controls on system availability and application performance
  • Make milestones count: Set early goals in conjunction with business partners, define phases to minimise business disruption, and capitalise on initial successes by creating blueprints for repeatable processes
“We believe the CISO View is an important industry initiative to help organisations that are trying to make informed, pragmatic decisions as they work to improve privileged access controls,” said John Worrall, Chief Marketing Officer, CyberArk. “Peer advice can be an invaluable resource to CISOs as they work to get ahead of the ever-changing cyber threats facing their organisations. We are grateful to the members of the panel for helping the larger community address business-critical security issues.”