The CIO/CISO of 2016 needs to understand business objectives more than ever before. They need to identify the organization's areas of cyber risk and the potential ways to remediate them, and to explain those options to the rest of the C-suite so that the chosen solution can be aligned with the business strategy.
An outside security firm can play a critical role in assisting the CIO/CISO: identifying risks associated with emerging and ever-changing threats, interpreting new cyber security requirements tied to compliance regimes such as HIPAA, PCI or ISO, and acting as an objective third party when assessing the technologies and practices currently in place and where improvements can be made. It is often a written report by an outside expert that convinces the rest of the C-suite that changes MUST be made (even when the same recommendation has already been made internally). An outside assessment can also help ensure that new policies intended to improve cyber security are enforced at every level. If the CEO has access to the most critical data and insists on never changing a password that they also use personally on accounts that may have been compromised, they put the entire organization at risk.
CIO/CISOs will need to take a more proactive approach than ever before. This includes ongoing security testing of systems and of staff (through social engineering), and monitoring networks not just for known threat signatures but also against business rules specific to the environment that can flag anomalies in real time. Last but not least, incident response should not be left as a reactive measure; it should be planned out before a cyber incident occurs, with mock exercises that involve all departments to confirm that everyone knows their role and that no steps are missing from the plan. This will prove invaluable when the inevitable time comes that your organization is faced with malware, an actual breach of sensitive data, or a disgruntled employee with access to your network.