New Format for CISOs
Every year, cybersecurity vendors each publish a version of this article, and even though they’re predictable and repetitive, I must admit that I read them anyway.
Circumstances are changing so fast in the cyber realm that unless you’re glued to the periodicals, you can blink and fall behind, and this end-of-year ritual helps us verify that we really do have our fingers on the cyber-pulse and haven’t missed any major trends.
For this utilitarian purpose, and some CYA, these “Trends for the New Year” lists are obligatory for cybersecurity professionals, so much so, in fact, that this year I’m going to write one myself.
Many yearly trend reports are so dull that you’re forced to skim them – which has become a security risk in itself. To ameliorate this risk and avoid the predictable monotony of an annual Cybersecurity Trends article, I propose this modest seasonal variation:
Santa’s 2024 List for CISOs
Everyone knows about Santa’s List, a global list of all human assets (aka, all little boys and girls) and their comprehensive annual status with the Claus organization. Santa’s List was a key component of a highly successful global marketing campaign for general goods and food products during the 60’s and 70’s, going global in the 80’s, and finally fizzling out with the rise of Dora the Explorer in the late 90’s.
Operated out of the USA, but apparently HQ’d in northern Canada, Santa’s List shocked the world by using an unorthodox reverse mailing campaign to achieve huge revenue gains. The success of Santa’s List was attributed to the lofty ambition of monitoring a large, otherwise unreachable, diverse, and untrained workforce of (mostly) people under ten years of age.
For many generations, Santa’s List also achieved a very high level of hygiene among its adherents: countless beds were made, millions of teeth brushed, and tons of spinach consumed, all thanks to The List. There is little doubt that Santa’s List is a proven and cost-effective algorithm that could be applied in areas other than consumerism and mind control; areas such as cybersecurity are being investigated.
Particularly in this age of cybersecurity skill shortages, we should be open-minded about program methodologies. In this article, I suggest that Cybersecurity Program Designers borrow a portion of Santa’s List and re-implement an updated version of the Naughty/Nice paradigm to see if it works better than the current round of hackneyed, mundane, and toothless corporate mandates.
What better way to motivate CISOs than to set them on Santa’s lap and point out exactly why they won’t be getting the annual bonus: via the “Santa/CISO List, release 1.1” (and accompanying framework). CISOs have so much on their plate; how can they accomplish, or even prioritize, all of the programs they are responsible for? Santa can help return them to the fundamentals of good and obedient behavior that inspired them when they were young and add fresh rigor to any cybersecurity program.
Historically, Santa’s List is a simple list of statuses: all human assets are either a member of the Nice Security Group or a member of the Naughty Security Group. No other data was officially tracked in the original database. However, adjacent documentation does include the physical location of assets, desired bonus item(s), and chimney accessibility details. The proposed updated Naughty/Nice Framework will (for the first time) include detailed compliance standards so that Naughty Assets can improve their Cyber Profile and migrate into the Nice Security Group. Santa will personally continue to conduct the audits as well as all delivery services; however, CISO assets are now afforded a self-service portal to monitor their posture and track their chances of receiving an EOY bonus.
So, CISOs, listen up. Working with the marketing staff at Stefanini, in concert with the Northern Cyber Workshop, we have commandeered Santa’s List, enriched the data set, and applied it to cybersecurity with the following adjunct framework. In this framework, asset status on the Santa/CISO List is dynamic, and manageable by the CISOs through the NICE Compliance Framework and the use of Controls.
Adherence to the various controls adds credits to the CISO’s account status and eventually advances the CISO’s standing in or toward the NICE Security Group; however, a single Naughty event can change group membership. CISOs are encouraged to advance their control adherence during the entire year, but unfortunately, most attempts at compliance are conducted in the first three weeks of December. This culminates in the annual award ceremony on 12/25, where the entire workforce learns which CISOs will parade on brand new shiny red bikes and which CISOs will receive a lump of coal.
Nice/Naughty Cybersecurity Framework
This framework is intended to assist CISOs in achieving a favorable rating on the Annual Cybersecurity Santa’s List, through the use of Controls and Measures. The Controls are the security functions recommended for implementation, and the Measures are the indicators that a Control is in place and functioning as Santa intended. All 10 NICE Controls must be accomplished to guarantee NICE Security Group Membership, and the presence of a single NAUGHTY event can be grounds for removal from the Nice Security Group. Leniency can be applied at the discretion of the local “residential” manager. How well a control is implemented is a matter of debate, but when in doubt, framework organizers recommend being good for goodness’ sake.
Top Ten NICE Compliance Controls for 2024
- Capture or improve the inventory of all corporate assets: HW, SW, People, OT, …
- Establish, verify, and enhance data protection technologies: DLP, CASB, Security Groups, …
- Evolve identity and access management platforms to include MFA and PAM.
- Move the vulnerability management program from periodic to continuous.
- Invest in awareness training for the workforce and training/conferences for cybersecurity staff.
- Choose a partner for outsourcing cost-effective cybersecurity services, particularly SOC services.
- Conduct a cybersecurity maturity assessment.
- Based on the results of the cybersecurity maturity assessment, enhance the security profile.
- Get a seat on the corporate board and voice cyber concerns to top shareholders.
- Compensate your cybersecurity staff very well.
Naughty “Disqualifiers”
- Did not conduct extensive inventories of assets: HW, SW, Cloud, OT, …
- Did not properly identify opportunities for AI/ML/Automation.
- Did not perform your yearly update to your CSIRP.
- Did not reassess your cybersecurity profile.
- Did not launch Zero-Trust program.
- Did not pick a cybersecurity framework to start working toward.
- Did not maintain the vulnerability management campaign, including patching.
- Did not hold cybersecurity training sessions for employees.
Audits
- The Santa/CISO List will be checked twice.
Coming Soon
- Will Santa continue to maintain residence outside of the town or is it finally time for …?
- How to make CISO New Year’s Resolutions Last Beyond February
- Santa Org Invests in AI and Block-chain for Annual Logistics
- CISO Groundhog’s Day