CISO: A Future Plan

A Chief Information Security Officer (CISO) is responsible for the security of an organization's data and information systems. According to CIO.gov, “the agency CISO plays a key role in working with the agency CIO to ensure information security requirements are properly implemented” (n.d.). In practice, this is also the person who sets the security budget and decides how those funds are spent within the IT department. In this scenario, I will outline how I would allocate my security budget and the kinds of measures I would expect it to fund. At a high level, I would organize spending around the basic principles of prevention, detection, and response.

Prevention

Prevention would be my organization's first priority for keeping our information and networks safe from cyber criminals. There are many ways to prevent attacks, but my intent is to make sure the organization knows the threats it faces and mitigates them with properly deployed security measures. I would allocate approximately 40% of the annual budget to prevention, spread across three initiatives. (1) Infrastructure: the organization's network traffic would pass through a series of next-generation firewalls capable of deep packet inspection, running current firmware and updated on a regular schedule. Antivirus software would be installed on every endpoint able to run it, and switch port security (limiting each port to known devices and shutting the port down when an unknown device connects) would be enabled to keep foreign devices off the network. (2) Penetration testing: unscheduled, randomly timed penetration tests by a third party would be ordered at the discretion of the CISO's office and never announced to employees without a need to know. (3) Employee training and awareness: the CISO's office would direct the cybersecurity department to schedule and conduct annual training for every employee who uses the organization's networks. STIG updates would be sent to the IT department to summarize and disseminate to the workforce, and because, according to CISA.gov, over 90% of successful cyber-attacks begin with a phishing email (n.d.), the cybersecurity operations center (CSOC) would periodically send simulated phishing emails to randomly chosen employees to confirm that the training is resonating with our team members.

Detection

Secondly, I would allocate 40% of the budget to detecting active intrusion attempts. Most of this allocation would go toward hiring a 24/7 monitoring staff to supplement the automated tools already in place. If those tools fail, an analyst who is current on threats can recognize inconsistencies, such as an unusual jump in a host's outbound data transfer rate, and alert the response team promptly. According to rapid7.com, “When it comes to detecting and mitigating threats, speed is crucial. Security programs must be able to detect threats quickly and efficiently so attackers don’t have enough time to root around in sensitive data” (2022). Additionally, I would deploy an intrusion detection system as a second layer of defense, and monitor event logs from routers and switches to see what is happening on the network in real time. These logs can show where an attacker is trying to go, where they have already been, and what damage they may have done along the way; they will also serve during post-incident recovery to capture lessons learned from the attack.
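As an added illustration (not part of the original plan), the kind of “data transfer rate inconsistency” a monitoring analyst looks for can be written down as a simple rule over exported per-host flow summaries: compare each host's hourly outbound volume against that host's own recent median, and fall back to an absolute ceiling for hosts that have no baseline yet. The log format, host names, addresses and thresholds below are assumptions made for this example, and the sample log is constructed:

```python
"""Flag hosts whose outbound transfer volume jumps far above their own baseline.

Added example for the detection plan above. The record layout is invented for
this illustration and does not correspond to any vendor's export format.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed sample: hourly per-host outbound byte counts, in export order.
# ws-17 is a workstation that normally pushes ~40 MB/h, db-02 a database
# server that legitimately pushes ~500 MB/h, ws-08 a host seen for the first
# time that afternoon. The 02:00 records are the ones an analyst should notice.
SAMPLE_LOG = """\
2024-03-04T09:00:00Z host=ws-17 dst=198.51.100.20 bytes_out=42000000
2024-03-04T09:00:00Z host=db-02 dst=198.51.100.20 bytes_out=500000000
2024-03-04T10:00:00Z host=ws-17 dst=198.51.100.20 bytes_out=39000000
2024-03-04T10:00:00Z host=db-02 dst=198.51.100.20 bytes_out=520000000
2024-03-04T11:00:00Z host=ws-17 dst=198.51.100.20 bytes_out=45000000
2024-03-04T11:00:00Z host=db-02 dst=198.51.100.20 bytes_out=480000000
2024-03-04T12:00:00Z host=ws-17 dst=198.51.100.20 bytes_out=41000000
2024-03-04T12:00:00Z host=db-02 dst=198.51.100.20 bytes_out=510000000
2024-03-04T13:00:00Z host=ws-08 dst=198.51.100.20 bytes_out=30000000
2024-03-04T14:00:00Z host=ws-08 dst=198.51.100.20 bytes_out=31000000
2024-03-05T02:00:00Z host=ws-17 dst=203.0.113.9 bytes_out=1800000000
2024-03-05T02:00:00Z host=ws-08 dst=203.0.113.9 bytes_out=1200000000
2024-03-05T03:00:00Z host=db-02 dst=198.51.100.20 bytes_out=530000000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)


def parse_records(text):
    """Parse the constructed log into dicts; malformed lines are skipped, not raised."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(
                {"ts": m["ts"], "host": m["host"], "dst": m["dst"], "bytes": int(m["bytes"])}
            )
    return records


def detect_bursts(records, factor=10, min_history=3, absolute_bytes=1_000_000_000):
    """Return the records that look like an exfiltration-sized burst.

    A host with at least `min_history` prior clean records is judged against
    `factor` times its own median, so a server that always sends 500 MB/h is
    not flagged while a workstation jumping from ~40 MB/h to 1.8 GB/h is.
    A host with too little history is judged against a flat `absolute_bytes`
    ceiling instead, so a brand-new host is not invisible to the rule.
    Flagged records are kept out of the baseline so that a burst does not
    teach the detector that bursts are normal.
    """
    per_host = defaultdict(list)
    alerts = []
    for rec in records:
        past = per_host[rec["host"]]
        if len(past) >= min_history:
            baseline = median(past)
            flagged = rec["bytes"] > factor * baseline
            rule = f"host-baseline x{factor}"
        else:
            baseline = None
            flagged = rec["bytes"] > absolute_bytes
            rule = "absolute-ceiling"
        if flagged:
            alerts.append({**rec, "baseline": baseline, "rule": rule})
            continue
        past.append(rec["bytes"])
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_records(SAMPLE_LOG)):
        print(f"{alert['ts']} {alert['host']} -> {alert['dst']} "
              f"{alert['bytes']:,} bytes ({alert['rule']}, baseline={alert['baseline']})")
```

Run stand-alone, the script reports the two 02:00 transfers to 203.0.113.9 and nothing else: ws-17 is caught by its own baseline and ws-08 by the absolute ceiling, while db-02's steady 500 MB/h never trips either rule. The thresholds are deliberately coarse; in a real deployment they would be tuned per host class, and the destination (a never-before-seen external address, at 02:00) would be a second signal worth correlating.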

Response

Lastly, the remaining 20% of the budget would go toward response. It is my responsibility to ensure that every reasonable precaution has been taken before an incident reaches the response stage, which is why the lion's share of the budget goes to prevention and detection, following the strategy that “the best offense is a good defense.” The response funds would support a planning cell that meets quarterly to make sure our response plans cover known threats; a detection and analysis team that stays current on emerging threats and analyzes the events that take place during an attack; a containment and eradication team that sets up black-hole routes (dropping traffic to and from attacking addresses) and other defensive measures during an attack; and a post-incident recovery team that restores all systems to a known-good state to regain the availability of our networks.

While I would like to think that my plans, budget, and diligence will make my organization impenetrable, I am not naïve enough to think that there is no one out there smarter than us. However, it is my duty to keep our organization safe and available for everyone who conducts business with us, and I believe this budget will serve as a useful tool in doing so. Money doesn't buy everything, but if we use it to train employees and maintain up-to-date infrastructure, it will enable us to do the best job we can.

References:

CIO.gov. (n.d.). 4.7 Chief Information Security Officer (CISO). https://www.cio.gov/handbook/keystakeholders/ciso/

CISA. (n.d.). General Information. www.cisa.gov/stopransomware/general-information

Rapid7. (2022, May 10). Threat Detection and Response Techniques: A Deep Dive. www.rapid7.com/fundamentals/threat-detection/
