Note: Cybersecurity strategy is an important topic, but it can also be highly sensitive. To allow this CISO to be completely open about their work, we’ve opted not to identify them in this post.
Since joining a restaurant chain more than three years ago, this Chief Information Security Officer (CISO) has been a driving force behind its ability to stay ahead of the security curve.
Here, they share why they’re focusing on securing third-party access, customer identity and access management, security awareness training, software assurance, and situational awareness and response for the foreseeable future.
Securing third-party access
In the last couple of months, there's been a considerable rise in the number of attacks at call centers to try to either phish or insert ransomware through call center agents. As a result, this CISO is rejigging their 2022 plans to secure third-party access in their environment.
The CISO explains: "I've got some things that I need to put in place, and I have a plan, but businesses are all very reactive right now, and that causes change. For example, we're currently reassessing how we do call centers, who does call centers for us, how much work is farmed out, etc., which is telling me I have to bring forward some technologies. In this case, it's specifically around browser isolation and how I provide secure access for third parties into my environment, recognizing that I don't have control over their endpoint. This wasn't originally part of my 2022 plan, but now that I'm finding certain business units are moving fast on this, I'm going to have to find room for it. I'm likely going to have to reassess, and some other things will probably get pushed out to 2023 to make room for it."
Customer Identity and Access Management (CIAM)
This CISO and their team are planning to make significant investments to securely capture and manage customer identity and profile data, and control access to their organization's applications and services.
"It's really bringing together your employee and customer identity space into a single platform. Most organizations handle those separately, but that's a pretty big issue in retail or anything with a digital or eCommerce consumer play. They've been approached very differently in the past, so that's going to come together and is an area we'll continue making investments, probably for the next three years."
Security awareness training
This CISO is keen to reimagine and increase security awareness training within their organization to help its employees avoid falling victim to an information security attack.
"We are trying to do more security training in the moment but also satisfy legacy controls around role-based training. One of the areas we’ll be looking at soon is the type of training that individuals get, and part of that will be virtual simulations or wargaming for security professionals on my team."
Software assurance is a broader theme this CISO is investing in to screen their organization’s software for security vulnerabilities, particularly in relation to continuous delivery and integrations.
"It will be everything from how we automate software assurance to how we validate software products, not only the ones that we're building but the ones that we're buying or the elements that we're buying, as well as open-source packages - all of it - so, that's an area we'll probably be investing in for the next two years."
Situational awareness and response
As their organization continues to push more technologies into its restaurants, this CISO wants to increase their team's efficiency when it comes to managing and responding to what is going on internally and externally via its IoT devices.
"One of our big investments this year is around the security of the identification and security posture of IoT devices within our environments. Blenders, refrigerators, and chairs that yesterday weren't part of the digital landscape are now Internet-connected and managed assets on my network that I have to protect. I didn't start this job thinking I would be protecting chairs, and security wasn't top of mind for those building these chairs, but now, it's one more digital asset in my ecosystem, which means there's potential for it to be compromised and for somebody to use that to get to other devices or assets in the network. As I'm trying to get my head around them, I need to lay down a platform that gives me the visibility and the ability to manage and secure those devices, and I might not even know what all of them are yet."
Many CISOs' multi-year strategic roadmaps were turned on their head in 2019 due to COVID-19. Through conversations with peers, this CISO suspects that there is still a little uncertainty around what to prioritize.
For more cybersecurity forecasting, head over to this previous blog post.