Most companies with small security teams face the same issues. They have inadequate budgets, inadequate staff, and inadequate skills to face today's onslaught of sophisticated cyberthreats.
Many of these companies turn to virtual CISOs (vCISOs) to provide security expertise and guidance. vCISOs are typically former CISOs with years of experience building and managing information security programs across large and small organizations.
Autonomous XDR company Cynet, a provider of an automated breach protection platform and MDR service for even the smallest security teams, is conducting a webinar with well-known vCISO Brian Haugli to understand the common challenges faced by CISOs with small security teams [register here].
In the first part of the webinar, Haugli will share the four foundational risks that are common across most companies he helps. He will then discuss the most common pieces of advice he provides across the companies he serves. Haugli will also share a situation where a company failed to recognize basic security risks and the resulting failures.
Four Most Prevalent Foundational Risks
Most small companies believe their situations are unique. Brian finds this to be true when it comes to cybersecurity as well. However, when he first meets new CISO clients, he finds most have not adequately addressed the same foundational risks.
Lack of access control
Many companies have not adequately addressed administrative access privileges and put in the proper controls such as multifactor authentication. Inappropriate use of administrative privileges is the primary cause of security incidents.
Lack of visibility across the environment
Companies lack the visibility into their environment needed to detect and respond to malicious activity, whether it's an employee doing something foolish or a malicious actor acting with intent. They can't say they know what's going on, so they can't really prevent anything malicious.
Lack of email security
Email continues to provide a huge front door for attackers. However, many companies have not addressed email risk with proper controls, along with ongoing employee awareness and education.
Lack of cybersecurity training for employees
Related to email security, companies do not spend time on training to help users understand the power they have on their laptops and the responsibilities they must therefore assume. This is not just compliance-based training, but real ongoing education and awareness.
Pragmatic Advice for CISOs
vCISO Haugli takes a very pragmatic approach to understanding and addressing risk. He finds many CISOs seem frozen, believing they cannot address necessary controls because they don't have enough budget for the required technology.
Haugli, however, shows how companies can assess and address risks without the need for multimillion-dollar systems. At a high level, most CISOs could benefit from a very simple approach that doesn't require "a lot of lift."
- You can't defend what you don't know exists. Start small by building basic governance structures and cataloging inventory, perhaps just using an Excel spreadsheet.
- Once you have the lay of the land, define the most critical assets across the company. If a system supports a million-dollar revenue line, it may warrant different controls than other, less critical systems.
- Then determine how to protect each system appropriately.