The fear of being exposed

by Muhammad Saleem, CISO, Ministry of Health, Saudi Arabia

One of the biggest threats to every multinational corporate CISO? One day they wake up to terrible news: their corporate website has been hacked, or someone has released their sensitive data on the internet.

What you will learn:

  • What skill set should a CISO have?
  • What strategy and initiatives should be put in place as soon as possible?
  • What you must be aware of as a CISO
  • How to know your weaknesses before hackers do
  • Basic information security principles and the responsibilities of a security officer

What you should know…

One of the biggest threats for all multinational CISOs is that one day they wake up to find that their corporate website has been hacked or that someone has released their sensitive data on the internet.

If you are one of those CISOs who has faced this issue, then you will agree with me that when the corporation does not take immediate action, it is the CISO who has to face the consequences.

Fear of failure has real direct and indirect effects. And if the fear becomes reality, then what?

Direct effects include – but are certainly not limited to – being fired, being placed under investigation, and being humiliated before the board of governance (depending on where you sit in the hierarchy). Indirect effects could include public defamation, a tainted professional profile, the ‘no one is going to hire you for this position again’ mantra, and the list goes on…

If you’re a smart CISO, you must know all of these things ahead of time, which could be the key to your success. But sometimes bad luck just happens; that “every day a website gets hacked, and today it’s your turn” kind of thing.

However, fear shouldn’t be seen as an absolute negative. Sometimes it leads you towards perfection: you act more carefully and learn from the failures that were never exposed.

Fear of failure, however, should be taken seriously – especially in a competitive market where you’re unlikely to get a second chance at survival.

With that in mind, I’d like to share a couple of thoughts that might help others who are in the same boat:

First and foremost…

  • Understand the existing security infrastructure that someone else has already built. If it doesn’t exist, then build it
  • Understand the corporate business strategy and goals
  • Build a security strategy and align it with the business strategy
  • Build an Information Security and Risk Management Program, a five-year road map and an Enterprise Information Security Portfolio – and fully align them with corporate strategy
  • Gain a mandate and a portfolio charter from higher management
  • Build a skilled team and group its members by skill area
  • Create sub-groups based on skill set
  • Compile a list of critical and non-critical assets
  • Do a gap analysis
  • Build a Risk Management sub-unit inside your security department
  • Build business cases and calculate the Return on Security Investment (ROSI)
  • Build a risk-based security program
  • Build a Business Continuity and Disaster Recovery program and manage it
  • Keep your toolbox complete and up to date

What you must be aware of:

  • Security-in-depth and 360-degree security are failing due to vulnerabilities in the security controls themselves and to the human factor
  • Your corporate critical assets
  • The vulnerabilities of your infrastructure, viewed holistically

Know your weaknesses before hackers do:

  • Conduct regular penetration tests and vulnerability assessments
  • Acquire integrated vulnerability assessment and management solutions
  • Use a GRC (Governance, Risk and Compliance) platform

Summary

If you are a smart CISO, you must know all of your weaknesses and strengths ahead of time. Fear is not a bad thing; sometimes it leads you closer to perfection, allowing you to act more carefully and learn from the failures that were never exposed.