CISOs must be proactive in their cyber strategies, MapleSEC conference told

Share post:

Infosec pros should be more aggressive in their cybersecurity strategies, an expert told this week’s MapleSEC conference.

That doesn’t mean hacking back or going after the infrastructure of threat actors, said Nick Aleks, senior director of security at fintech Wealthsimple. Instead, he said, CISOs and their equivalents have to stop being reactive to cyber threats.

Aleks was the keynote speaker at the latest MapleSEC conference, which is organized by IT World Canada and continues online today.

Unfortunately, Aleks said, most IT and security leaders have rigid cybersecurity frameworks and test systems irregularly. Taking a proactive approach to building a security program means expecting a breach will happen.”You’ve got to have a mindset of ‘when’ not ‘if'” you’re going to be hit, Aleks emphasized.

“Fighting back in security is a simple set of five core principles you can embed and adopt in your organization,” he said.

These include:

taking a proactive attitude to cybersecurity. “It’s about thinking what you’re going to do when something bad happens, not trying to prevent something bad from happening. Your controls, your people and your strategy all have to be aligned to that.”

taking a unified approach to cybersecurity. Too many organizations approach cybersecurity in silos, where information about threats is kept to certain departments. Not only should threat information be shared across business units, Aleks said, it should also be shared with other companies and law enforcement.

All staff must be involved in cybersecurity. Start by building a security champions program from different business units and have them join the security team. They will also be part of your attack response and containment strategy.

Sharing outside your organization is vital as well. “The problems you are facing today in your security program are not novel,” Aleks said. “Everyone outside your space is also facing those same issues.”

“It’s not OK to hoard intelligence,” he added. “Only when we come together can fight threat actors.”

thinking in terms of Continuous Security Assurance. Don’t just implement new hardware/software/policies after an incident and expect that to fix things. Test your security controls regularly — at least quarterly — and rehearse your response to expected attacks.

You don’t necessarily need to invest in a breach attack simulation tool or hire a penetration testing firm, he added. Just look deeply at your last big cyber incident. Do more than find the root cause and ensure it doesn’t lead to another compromise. A post-mortem should allow you to see how effective you were, ask how your response could have been better. “Only then will we get really good at fighting fires,” he said.

having a flexible security program. Enforcing security controls from the top down won’t always work. Instead, work with employees before they work against you. Find procedures that are most flexible, easy and simple for employees. Among other things, that will help get around shadow IT (using unapproved personal devices to connect to the corporate network). It will also empower employees and customers to work with security, not against it. Coming up with secure ways of doing something involves a conversation, he said.

and having a program that stops being the department of ‘No.’ Build trust, not fear, among employees. Report on the benefits to customers of having a strong cybersecurity program.

The post CISOs must be proactive in their cyber strategies, MapleSEC conference told first appeared on IT World Canada.

Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

Cyber Security Today, June 21, 2024 – US to ban Kaspersky for businesses, consumers

U.S. to ban the sale of Kaspersky products to consumers and businesses. Welcome to Cyber Security Today. It's Friday...

Biden administration to ban US sales of Kaspersky software over ties to Russia

The Biden administration is set to announce a ban on the sale of Kaspersky Lab's antivirus software in...

Security bug may allow anyone to spoof Microsoft employee emails

A security researcher claims to have discovered a bug that enables anyone to impersonate Microsoft corporate email accounts,...

Cyber Security Today, June 19, 2024 – How an attacker hid on an IT network for three years

How an attacker hid on an IT network for three years Welcome to Cyber Security Today. It's Wednesday June...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways