Making the Transition from IT Director to CISO: Challenges and Solutions.

Are you an IT Director whose senior management has just assigned you the role of cybersecurity manager? It's happening more and more frequently, and it's a great promotion because cybersecurity is an exciting and dynamic field. One thing is sure: you won't get bored, because hackers won't let you.

For some, this new role is a positive challenge. For others, it causes nightmares, especially with the daily media reports of organizations large and small getting hacked. Some recently promoted Chief Information Security Officers (CISOs) experience impostor syndrome, constantly questioning whether they did the right thing by accepting this role.

Welcome to the world of cybersecurity, punctuated by fun, stress and sudden jolts of adrenaline on the weekend or in the middle of the night at the slightest unexpected phone call from your system administrator! You will never get bored!

The good news is that StreamScan is here to help you make this transition smoothly and get your bearings quickly.

Over the years of working with small and medium-sized businesses, we have frequently worked with IT managers who are also tasked with acting as cybersecurity managers, so we understand their challenges.

8 Rules for New Cybersecurity Managers

In this post we set out to help you make a smooth transition to taking on your organization's cybersecurity management. Here are 8 rules to guide the transition:

Rule 1: Accept that you’re not a superhero and you can’t stop all cyber-attacks

Don't put unnecessary stress on yourself. Your role is to strengthen your organization's cyber defense and minimize the risk of cyber-attacks. In the event of an incident, it's your responsibility to respond quickly and effectively to limit the damage.

Don't try to be a superhero or assume that you can do it alone. You'll need a team (internal or external) that specializes in cybersecurity to help you. If you move forward alone, you'll get overwhelmed very quickly and lose focus.

Rule 2: Be transparent with senior management and manage expectations

If you don't have cybersecurity expertise, be transparent with your senior management and emphasize that you're going to need help to fulfill your mission. That help may include hiring a team or individual with cybersecurity expertise. You can also contract with an outside firm that specializes in cybersecurity.

The other important aspect to understand is the level of support you will get from senior management, as well as the resources and financial means that will be allocated to cybersecurity. Senior management must send a clear message that cybersecurity is a priority and that resources will be allocated to secure your IT environment.

If you feel that you won't have the support of your senior management, you should be transparent with them and inform them that the organization will remain at constant risk of being hacked, even if you accept the position. In fact, nearly a quarter of Canadian SMEs are hacked every year.

At least the situation will be clear, and no one will blame you if an intrusion occurs on your watch.

In light of the explosion of cyber threats, our Chief Cybersecurity Officer, Karim Ganame, published an open letter in the Journal de Montréal to raise awareness among senior executives about the urgency of securing organizations. You can share this letter with your management. If you have the support of senior management, then it's time to define a plan of attack, which is Rule 3.

Rule 3: Define your plan of attack

You constantly hear about hacks and ransomware in the media. So you might be tempted to spread yourself thin, trying to take control of network security and quickly plug every potential security hole at once. This is a mistake.

You need to define a clear plan of attack with specific activities and steps. This plan will serve as your cybersecurity compass and will help you ensure you're putting effort and budget in the right places. Not sure how to proceed? Good news: we have created a document to help you define your priorities.

Rule 4: Deploy detection and response capabilities

You can't protect against what you can't see. Every point in your network where you lack visibility is a blind spot that hackers can exploit to get into your network. The same applies to your staff: if they are not sufficiently aware of cybersecurity, you risk cases of phishing and social engineering.

To effectively manage your network security, you need full (360-degree) visibility into your internal, cloud, and email IT environments. To do this, you need to (non-exhaustive list):

  • Monitor your network security 24/7. Most cyber-attacks today are launched by bots that scan the Internet around the clock looking for targets, so it is important that your network is continuously monitored. Be sure to include your email solution (e.g., O365) in the monitoring scope. If you don't have in-house expertise to monitor your network security, StreamScan's Managed Detection and Response (MDR) is the right solution for you.
  • Regularly educate your users about cybersecurity risks, especially phishing. With the explosion of cyber threats, once yearly training is not enough. Educate your users on a more frequent basis, for example once a month or quarterly.

Rule 5: Get help if you need it

Whether you're defining your cybersecurity priorities or deploying your strategy, you should never improvise. You might be tempted to write your own security policies based on standards such as ISO 27001/27002 or NIST, but this is a bad idea because you might not focus on the threats that matter most to you.

You need to protect your organization from the security risks that really target you, not only from those covered by current cybersecurity best practices. To do this, you need a clear picture of your reality, as well as of the detection and response capabilities already in place in your organization. Here is a guide to help you perform your cybersecurity risk analysis.

If you don't have the required expertise, ask for the help of an external firm specialized in cybersecurity, such as StreamScan. They will be able to help you define a clear and precise plan to adequately strengthen your network's security.

Rule 6: Prepare for the worst and practice dealing with it

With the explosion of cyber threats, no organization is immune to being hacked. At some point, your organization will be the target of a cyber-attack. You must accept this fact and prepare in advance to react quickly and aggressively when an attack occurs.

To do this, you need to define a security incident response plan that clearly identifies who does what when handling an incident, as well as the actions to be taken to manage it. You can use the NIST 800-61 guide as a reference when defining your incident response plan.

Once the plan is created, you should test it regularly (at least once a year) to ensure that it works as intended. The more prepared you are, the more effectively you will be able to manage incidents, which ultimately limits the impact on your organization.

If you don’t have the required expertise, StreamScan can help you define your incident response plan.

Rule 7: Make allies during quiet times

Cyber-attacks are exploding, and it is important for you to identify in advance the cybersecurity firms that can help you in case of emergencies and security incidents (e.g., ransomware). You can put agreements in place and negotiate preferential rates with guaranteed SLAs, so that when an incident occurs in your organization, the firm reacts quickly and helps you manage it. For example, StreamScan guarantees effective handling of security incidents within 4 hours maximum (in reality, our interventions are faster). We come to your premises to help you manage the incidents that impact you.

This preparatory work should be done up front, while you aren't under attack. When an incident does occur, you need to keep your focus on resolving it, and that is not the time to shop around for a partner.

Rule 8: Have fun

Cybersecurity is a very dynamic field, and you will never be bored. Be curious: keep reading up on and following cybersecurity news. The more you know about cybersecurity, the more you will help your organization enhance its security.

For those who want to deepen their knowledge of cybersecurity, there are various academic programs and short courses (3 to 5 days), with or without certification. You are spoilt for choice.

Two members of StreamScan are university professors (Ecole Polytechnique de Montréal and École de Technologie Supérieure / ETS). If you need help in choosing which courses are appropriate for you, please contact us.

Need Help with Cybersecurity? StreamScan is Here.

Whether you need help conducting a security diagnostic, developing a security plan, or implementing a Managed Detection and Response (MDR) solution, StreamScan has experts with years of experience in cybersecurity who can help. Get in touch with us at smbsecurity@streamscan.ai or call us at 1 877-208-9040.