Why CISOs need to keep on top of their cybersecurity investments [Q&A]

BetaNews

With a constant stream of new and more sophisticated cybersecurity products, greater risk and pressure on budgets, it's more important than ever for CISOs to ensure they get the best return on their security investments.

We spoke to Karthik Swarnam, chief security and trust officer at ArmorCode, to discuss the best practices to ensure ROI from security investments.

BN: What are the main challenges now facing CISOs?

KS: The main challenges facing CISOs today are multi-faceted and often stem from a lack of needed support and resources. These challenges include:

  • Maintaining an Appropriate Security Posture: CISOs must ensure that their organization's security posture is robust and aligns with business objectives. A significant challenge is achieving a reduction in remediation activities while maintaining or improving overall security posture. Organizations must continuously track and quantify the number and severity of cybersecurity vulnerabilities, both before and after implementing security measures.
  • Balancing Business Enablement and Risk Management: A critical challenge for CISOs is finding the right balance between enabling business operations and managing associated risks. This includes meeting regulatory obligations, such as those required by the Securities and Exchange Commission (SEC), without hindering business agility and growth. Navigating this balance requires a deep understanding and visibility into businesses and security priorities.
  • Addressing Subjective Risk Components: Determining which risks are most significant and deciding on the best materials and strategies to mitigate these risks effectively can be highly subjective. CISOs must be given a platform to influence business leaders to recognize and address risks, requiring not only technical acumen but strong communication and leadership skills.
  • Leveraging Advanced Security Tools: Despite the availability of valuable tools like Posture Management with risk-based capabilities (such as Application Security Posture Management (ASPM) or Risk-Based Vulnerability Management (RBVM)), CISOs face the challenge of effectively integrating and utilizing these tools. This involves ensuring that tools align with an organization's overall security strategy and effectively contribute to mitigating risks.

CISOs are tasked with maintaining a strong security posture, balancing business enablement with risk management, navigating subjective risk assessments, and leveraging advanced security tools. Addressing these challenges requires a combination of strategic insight, technical expertise, and strong leadership capabilities.

BN: Why is it so important to have an integrated approach to acquiring security tools?

KS: An integrated approach to acquiring security tools is crucial for several reasons:

  • Ensuring Platform-Centricity and Modularity: Integrated tools that are platform-centric and modular in design allow for cohesive management and operation within an organization's existing infrastructure. This avoids the pitfalls of a siloed approach where individual tools operate independently without sharing context or information.
  • Bolstering Interoperability Across Solution Layers: Security encompasses multiple layers such as protection, detection, and response which then taps into assessment and governance. These layers must work together seamlessly to provide comprehensive security posture. This holistic view is essential for effective threat detection and response.
  • Aligning with Security Posture: A philosophy that centers on the organization's security posture should be taken into consideration while adding tools. This helps tech decision-makers to select the right set of tools that complement each other rather than creating a disjointed collection of solutions. Without this alignment, organizations risk acquiring a patchwork of tools that lack integration, leading to gaps in security coverage and increased operational overhead.
  • Minimizing Blind Spots and Gaps: Integrated security tools can reduce blind spots by providing comprehensive visibility across an organization's digital landscape. In contrast, a fragmented approach can result in certain areas of the technology infrastructure remaining unprotected or inadequately monitored.
  • Making Risk Management More Efficient: Integrated tools automate processes, facilitate centralized monitoring, and enable faster incident response times. This efficiency translates into reduced time spent on managing disparate tools and more time dedicated to addressing actual security risks.

BN: How can businesses ensure that they match their security investments to their risks?

KS: To ensure that businesses match their security investments to their risks, they need to adopt a structured approach:

  • Define the Security Posture: Start by defining the overall security posture of the organization. This involves identifying and understanding the current vulnerabilities and weaknesses within the system along with the threats the business faces. Imagine, for a through-line example, you are implementing an Application Security Posture Management (ASPM) solution. You would begin by defining what will be measured, such as the total raw vulnerabilities and weaknesses identified from source tools.
  • Set Objectives for Security Investments: Clearly identify the objectives of the security investments. This involves understanding what specific goals the investments are intended to achieve, such as reducing vulnerabilities, improving overall security posture and/or generating productivity.
  • Define Key Performance Indicators (KPIs): Establish KPIs to measure the success of these investments. These should be tied to the specific objectives and include timeline-based measures of success. In the ASPM example, KPIs could include the number of vulnerabilities addressed or the level of security posture maintained over a specific period, i.e., an improvement in risk score.
  • Measure and Adjust: With multifaceted tools and ASPM platforms, organizations can focus on risk-based metrics. This makes it much simpler to track how many vulnerabilities were addressed and ensure remediation activities are kept to a minimum. Organizations should prioritize the adoption of tools that address the most relevant risks first, adjusting and scaling security from there.
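As an added worked example (not code from ArmorCode or the interviewee; the scoring weights, the finding fields and the sample findings are assumptions constructed for illustration), the following Python shows what the "define what is measured, set KPIs, measure and adjust" loop looks like once it is run over data: findings from several source tools are deduplicated, risk-weighted by severity, exposure and known exploitation, and summarised into the KPIs the answer describes (raw versus unique findings, number remediated over a period, and the change in risk score), with the open backlog ranked so the highest risks are addressed first.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed, illustrative weights; not any vendor's scoring model.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 6.0, "medium": 3.0, "low": 1.0}
INTERNET_FACING_MULTIPLIER = 2.0   # reachable from the internet
EXPLOITED_MULTIPLIER = 1.5         # listed in an exploited-in-the-wild feed


@dataclass(frozen=True)
class Finding:
    tool: str                      # source scanner (sast, dast, sca, ...)
    asset: str                     # application or service it belongs to
    rule: str                      # CVE or CWE identifier reported by the tool
    severity: str                  # critical | high | medium | low
    internet_facing: bool
    exploited_in_wild: bool
    first_seen: date
    fixed: Optional[date] = None   # None while the finding is still open


def risk_score(f: Finding) -> float:
    """Risk-weight one finding: severity scaled by exposure and exploitability."""
    score = SEVERITY_WEIGHT[f.severity]
    if f.internet_facing:
        score *= INTERNET_FACING_MULTIPLIER
    if f.exploited_in_wild:
        score *= EXPLOITED_MULTIPLIER
    return score


def dedupe(findings: List[Finding]) -> List[Finding]:
    """Several tools often report the same bug on the same asset. Keep the
    highest-risk report per (asset, rule) so tool overlap does not inflate counts."""
    best: Dict[Tuple[str, str], Finding] = {}
    for f in findings:
        key = (f.asset, f.rule)
        if key not in best or risk_score(f) > risk_score(best[key]):
            best[key] = f
    return list(best.values())


def open_on(findings: List[Finding], day: date) -> List[Finding]:
    """Findings that had been seen and were not yet fixed on the given day."""
    return [f for f in findings if f.first_seen <= day and (f.fixed is None or f.fixed > day)]


def posture(findings: List[Finding], day: date) -> Dict[str, float]:
    """Snapshot of the open backlog on a day: count and total risk."""
    opened = open_on(findings, day)
    return {"open": len(opened), "risk": sum(risk_score(f) for f in opened)}


def kpis(findings: List[Finding], start: date, end: date) -> Dict[str, float]:
    """Timeline KPIs for the window (start, end]. The risk delta is reported
    separately from the fixed count because findings that arrive during the
    window offset remediation work, which a plain 'fixed' count hides."""
    uniq = dedupe(findings)
    before, after = posture(uniq, start), posture(uniq, end)
    fixed = [f for f in uniq if f.fixed is not None and start < f.fixed <= end]
    reduction = 0.0 if before["risk"] == 0 else (before["risk"] - after["risk"]) / before["risk"] * 100
    return {
        "raw_findings": len(findings),
        "unique_findings": len(uniq),
        "open_before": before["open"],
        "open_after": after["open"],
        "remediated": len(fixed),
        "risk_remediated": sum(risk_score(f) for f in fixed),
        "risk_before": before["risk"],
        "risk_after": after["risk"],
        "risk_reduction_pct": round(reduction, 1),
    }


def top_risks(findings: List[Finding], day: date, n: int = 3) -> List[Tuple[str, str, float]]:
    """Remediation queue: open findings ranked by risk, highest first."""
    ranked = sorted(open_on(dedupe(findings), day), key=risk_score, reverse=True)
    return [(f.asset, f.rule, risk_score(f)) for f in ranked[:n]]


# Constructed sample findings (not real scan output) for a Feb-Mar 2024 window.
WINDOW_START, WINDOW_END = date(2024, 1, 31), date(2024, 3, 31)
SAMPLE = [
    Finding("sast", "payments-api", "CWE-89", "high", True, False, date(2024, 1, 5), date(2024, 2, 10)),
    Finding("dast", "payments-api", "CWE-89", "critical", True, False, date(2024, 1, 8), date(2024, 2, 10)),  # same bug, second tool
    Finding("sca", "payments-api", "CVE-2021-44228", "critical", True, True, date(2024, 1, 2)),
    Finding("sca", "internal-reports", "CVE-2021-44228", "critical", False, True, date(2024, 1, 2)),
    Finding("sast", "internal-reports", "CWE-79", "medium", False, False, date(2024, 1, 15), date(2024, 3, 1)),
    Finding("sca", "marketing-site", "CWE-200", "low", True, False, date(2024, 2, 20)),  # arrived mid-window
]


def demo_kpis() -> Dict[str, float]:
    return kpis(SAMPLE, WINDOW_START, WINDOW_END)


def demo_queue() -> List[Tuple[str, str, float]]:
    return top_risks(SAMPLE, WINDOW_END, n=2)


if __name__ == "__main__":
    for name, value in demo_kpis().items():
        print(f"{name}: {value}")
    print("next to fix:", demo_queue())
```

On the sample data two of four open findings are closed during the window, yet the risk score only drops by about 31%: the two unfixed findings carry most of the weight and a new one arrives mid-window. That gap between "vulnerabilities addressed" and "risk score improvement" is why the answer tracks both as KPIs rather than the fixed count alone.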

BN: Which areas should CISOs be prioritizing at the moment?

KS: CISOs should prioritize areas based on the unique needs and maturity of their organization's security program. Here are some key areas they should focus on, adapting to their specific business cases:

  • Assessing Program Maturity: Conduct thorough assessments of the maturity of security programs. This evaluation will help define specific priorities tailored to organizations' current state and needs.
  • Shifting from a Vulnerability Mindset to a Risk-Based Strategy: Move towards a risk-based strategic security program rather than focusing solely on deploying tools and technologies. This approach emphasizes understanding and managing the most significant risks to an organization, rather than failing to triage, throwing solutions at vulnerabilities and expending too many resources.
  • Security Posture Management: Prioritize security posture management by continuously monitoring and improving the overall security stance of the organization, ensuring that vulnerabilities are identified and addressed promptly to maintain a robust defense against potential threats.

BN: How can complex cybersecurity information be communicated in a management-friendly way without dumbing down?

KS: By employing the following techniques, complex cybersecurity information can be communicated effectively to management, ensuring they appreciate the depth of the issues without feeling overwhelmed:

  • Emphasizing Educational Aspects of the Security Program: Incorporate educational components into communication strategies, providing executives with foundational knowledge about cybersecurity concepts and threats.
  • Defining Capabilities and Metrics: Clearly define the capabilities of a security program along with relevant metrics. Explain what each capability entails and establish what 'good' looks like in measurable terms.
  • Focusing on Impacts and Outcomes: Focus on the impacts and outcomes of security programs, including the potential consequences of not addressing certain risks. Illustrate how security measures directly support business objectives, reduce risk, and protect critical assets. Highlighting real-world examples and scenarios can make the information more relatable and underscore the importance of security initiatives.

Image credit: PantherMediaSeller/depositphotos.com