CIS Logo
tagline: Confidence in the Connected World

10 Cybersecurity Practices CISOs Should Stop in 2020

cisoCISOs are often the leaders of the cybersecurity world – keeping a close watch over their organization’s systems, networks, and data. Just like everyone else, leaders need a little help sometimes to avoid falling into bad habits. We sat down with the Center for Internet Security, Inc. (CIS) CISO, Sean Atkinson, and asked him to share a handful of cybersecurity practices that he thinks other CISOs should stop in 2020. Here’s what he had to say.

In 2020, STOP…

Thinking just about the physical infrastructure.

Look towards code as a service, with cloud migrations and Software-Defined Networking (SDN) becoming more mainstream options. Consider integrating a DevSecOps approach to your infrastructure.

Focusing on the problem.

Shift your focus towards “solutions yet to be found.” Sometimes it helps to begin the journey by making business value an inherent part of the cyber risk assessment.

Jumping to “NO.”

There’s a window of acceptable risk for each organization when it comes to new initiatives or provisioning products and services. Create a foundation for a rational process of managing risk and generating the value within defined risk tolerances.

Managing risk as a “gut” feeling.

Manage risk as a science, instead. It takes time to understand and address risks appropriately. Due diligence is a necessary component to formulate an approach that is more collaborative than being a “denial gatekeeper.”

Fearing the unknown.

Understand the risk through a managed approach. This includes a clear picture of the impact of particular configurations and access controls. You should promote overall security defense as a requirement of the organization by looking at how it helps develop and sustain a controlled, secure environment.

Basing success on a number.

Avoid basing success on the number of security controls implemented or threats that have been mitigated. Security should be about understanding your organization’s needs and contributing to the success of the team with the mandate of security as the integrated goal. Engage early and provide input into the strategic decisions as “security by design.” It’s a value-add to protect – not a detractor from the business vision.

Laser focusing on specific threats.

Reframe the conversation with leadership by illustrating your organization’s assets to cybercriminals and the value of implementing supported security controls. It’s less about “NO,” and more about gaining consensus for the best solution given the risk.

Underestimating the value of culture.

Culture will make a CISO’s life easier if you can make it a point to address the fact that cybersecurity is a shared responsibility. If we frame the culture as key to implementing security controls, cybersecurity should become an inherited trait within your organization, leaving you less focused on dictating the need for security.

Trying to solve security with a single solution.

Continuously evolving threats create a constant challenge for CISOs and other cybersecurity leaders. It’s not insurmountable, but it’s worth keeping in mind that cybersecurity is a journey, not a destination.

Looking at cybersecurity as a technology issue.

Focus on a holistic approach for your organization that integrates policy with real practices. You’ll need a cybersecurity program that anyone in the organization can understand and actually implement. Consider minimum-level security awareness training for every employee.

Check out our free eBook, A CISO’s Guide to Bolstering Cyber Defenses, for more tips on managing risk, data, and privacy issues in today’s cyber threat landscape.