Security Leader Insider – September 2024

Security Leader Insider Newsletter

September 2024 Edition

We’re excited to announce that we’re rebranding our ‘CISO Insider’ newsletter to ‘Security Leader Insider’ to better reflect our evolving audience and the broader scope of the content we provide. While our original focus was tailored specifically to Chief Information Security Officers, the cybersecurity landscape has expanded, and so has the interest and involvement of other roles within the security ecosystem.

By transitioning to ‘Security Leader Insider,’ we aim to deliver valuable insights, updates, and resources that cater to a wider range of professionals who are passionate about cybersecurity, including IT leaders, risk managers, security practitioners at all levels, and even business professionals with an interest in the topic.

This change allows us to provide more inclusive and comprehensive coverage of the ever-changing security challenges and solutions that impact organizations today.

So let’s dive into the content of this edition:

On this edition

Curated content
Foster a collaborative security culture to avoid becoming the ‘chief incident scapegoat officer’, by Nick Lines

The Stay Tuned Security Leader & CISOs
A valuable training opportunity at Data Protection Institute

Upcoming Trainings

GUEST ARTICLE

Are you as CISO doing enough today to mitigate your third-party security risks?

By Marc Vael

In today’s complex cybersecurity landscape, one of the critical responsibilities of a modern CISO is to manage third-party security risks effectively. As organizations increasingly rely on third parties for business and IT operations, their exposure to security threats originating with these external partners has risen dramatically. Recent high-profile incidents make this clear: on July 19th, 2024, a faulty CrowdStrike Falcon sensor content update caused Windows hosts worldwide to crash with a Blue Screen of Death (BSOD), disrupting airports and airlines, supermarkets, media companies, banks, and many other industries. That incident was not an attack but an availability failure introduced by a trusted security vendor’s own update process, which is precisely the kind of third-party risk that a signed contract and a compliance report alone will not catch.

Outsourcing cybersecurity functions to third parties has become common practice, with these external providers often selected because they are experts in their field. While these partnerships can bring significant benefits, they also introduce a series of new risks. Managing these risks effectively requires a robust Third-Party Risk Management (TPRM) process that goes beyond mere compliance with legal, regulatory, and global standards.

TPRM Explained

TPRM is the process your organization uses to manage the strategic, tactical, operational, financial, logistical, and reputational risks associated with using third parties and to verify that they comply with specific laws, regulations, and global standards to avoid negatively impacting your organization.

Here are some key security risks associated with third-party relationships:

1. Security accountability

If a third party fails to comply with security laws, regulations, or global security standards, your organization could face severe consequences, including fines and penalties, operational disruptions, and reputational damage.

2. Reliance on external security

Outsourcing security functions can be cost-effective, but it also means that a security incident at a third party—or even one of their suppliers—can directly impact your operations and data security.

3. Dependence on external IT Disaster Recovery and Business Continuity Plans

If a third party experiences an outage, your entire business could be disrupted. Bugs, human errors, infrastructure failures, or cyberattacks can have a cascading effect on your productivity, and resolving these issues is often beyond your control. It may be wise not to “put all your eggs in one basket”.

4. Lack of strategic security alignment

Third parties have their own business priorities, which may not always align with your organization’s security goals. This misalignment can leave you unprepared for potential security gaps.

Not every third-party relationship requires a comprehensive risk assessment, but all should be documented in your third-party register. Ultimately, your organization’s board and executive leadership are accountable for approving the TPRM policy and setting the “tone at the top”. As CISO, the challenge of protecting your organization from third-party security threats falls squarely on your shoulders since everyone else expects you to keep the business secure in terms of confidentiality, integrity, and availability.

For critical third-party relationships, there are at least five areas you must focus on: 

1. Assessing the real cybersecurity controls in place

Do you fully understand the cybersecurity controls in place at your critical third parties? You can start by reviewing their most recent compliance reports, gathering relevant client references, assessing liability and insurance, and conducting thorough background checks. SOC 2 reports, independent third-party risk assessments, and dynamic security questionnaires are crucial tools in this process. But remember, your third-party risk assessment is only as good as the information it relies on: a SOC 2 report covers a defined scope and review period, and questionnaire answers are self-reported, so verify independently what you can.

2. Ensuring the right number of qualified personnel in place

The current job market is volatile, with security personnel frequently changing roles. Do you know whether your critical third parties have enough qualified personnel to deliver the services your organization relies on? Relying on a single “magic bullet” expert at a third party is a very high risk.

3. Validating fourth & fifth parties

Do you know who your third parties rely on to deliver their services? Even though you may not have direct contracts with fourth or fifth parties, their actions can still impact your organization’s security posture. Ensure you have visibility into these relationships. This is not just relevant for privacy controls (sub-processors) but also for security risk assessment.

4. Testing Incident Handling and Continuity Plan

How recently have your critical third parties tested their incident escalation, IT disaster recovery, and business continuity plans? Independent audits and regular tests are essential to ensure these plans are effective. Critical third parties should be contractually required to notify you of breaches within an agreed window (often 12 to 24 hours), and that notification path should be exercised during tests along with the plans themselves.

5. Managing the offboarding process

What happens when your relationship with a third party ends? Every contract has an “end game”; it is often conveniently “forgotten”, but it is especially important for you as CISO. Ensuring a secure and complete offboarding process (revoking accounts, credentials, and network access; returning or destroying your data; and obtaining written confirmation) is crucial to prevent unauthorized access to or misuse of your data after the contract ends.

To stay ahead, leverage CISO networking communities where you can confidentially share and gather experiences amongst peers with specific third parties. Additionally, consider using tools that automate third-party risk management tasks, such as monitoring open-source intelligence feeds, assessing control implementation, and continuously tracking vulnerabilities and cybersecurity incidents that happened at the third party.

TPRM is not a one-time task but an ongoing process of assessment, mitigation, monitoring, and reassessment. The risk profiles of your critical third parties will evolve over time due to changes within their organizations, market conditions, geopolitical issues, and regulatory developments. Regularly updating these risk profiles is essential to maintaining a strong security posture. A CISO needs timely alerts, ideally before executives or board members start asking questions.

As CISO, your role is to ensure that third parties meet their obligations to your organization and to provide informed recommendations to your board and executive leadership. If a critical third party is underperforming, you must be prepared to suggest alternatives before the situation escalates into a crisis, and before the board of directors, executive management, and business leaders come looking to you for answers.

Third-party vulnerabilities are becoming more widespread in modern business, even at established, well-respected (security) service providers working with the largest multinationals in the world. Each organization has its unique risk tolerance, and what is acceptable for one might not be for another. While managing third-party risk is a collective responsibility, as CISO you must lead the security risk review and ensure that risks remain within acceptable levels.

The last thing you want to be is the CISO who dropped the ball on addressing a specific third-party security risk that became a major security crisis impacting your entire organization.

CURATED CONTENT

Handpicked for you

Foster a collaborative security culture to avoid becoming the ‘chief incident scapegoat officer’

The role of Chief Information Security Officers (CISOs) has expanded due to new regulations and an evolving threat landscape. With laws like the EU’s DORA and U.S. SEC rules, CISOs now face greater accountability for breaches. This blog highlights the need for a companywide approach to cybersecurity, promoting shared responsibility and a positive security culture to better protect against threats.

The Death of the CISO: A Eulogy & Reincarnation

The traditional Chief Information Security Officer (CISO) role is becoming outdated as organizations face broader IT risks, leading to the rise of the Digital Risk & Resilience Officer (DRRO). This role goes beyond security to focus on IT resilience, business continuity, and operational risk, ensuring organizations can protect themselves and recover from disruptions.

Navigating the compliance maze as a CISO

Written by Toreonite Eric De Smedt, this piece explores the evolving role of the Chief Information Security Officer (CISO) as regulations like GDPR and DORA expand their responsibilities. While this increases visibility, it also presents compliance challenges. Key principles such as risk-based approaches and resilience are vital, and leveraging existing frameworks will be essential for CISOs to navigate these demands effectively.

Join the Stay Tuned Security Leader & CISOs sessions!

This quarter’s session (on 8 October at Novotel Brussels City Center) focuses on a key theme: Stakeholder Management & Effective Communication. It’s an ideal chance to refine your communication skills as a security leader and dive deeper into engaging stakeholders within your organization.

What can you expect from the session?
You will gain exclusive access to the expertise of Iwona Muchin and Katrien Van Geystelen, both experts in their respective fields. The day is split into two parts:

  • Morning Program – Table Top Exercise led by Iwona Muchin: In this interactive exercise, you’ll work through realistic cases to define security metrics and develop a powerful presentation for the board of directors.
  • Afternoon Program – Presentation Skills by Katrien Van Geystelen: Learn storytelling techniques and practical tips on how to present your security strategy convincingly and effectively.

Why participate?

  • Gain insight into how to engage your stakeholders in your security strategy.
  • Develop effective communication skills to present your plans and needs clearly to senior management.
  • Receive practical advice on strengthening your team in a competitive talent market.

Interested in participating?

Upcoming trainings & events

Book a seat in our upcoming trainings

All in-person events, hosted by the Data Protection Institute

Security Governance and Compliance

Next training date:
19-20 September 2024

Security Operations

Next training date:
25-26 September 2024

Security Architecture

Next training date:
15-16 October 2024

Threat & Vulnerability Management

Next training date:
23-24 October 2024

Secure System Acquisition and Development

Next training date:
25-26 November 2024

Leadership

Next training date:
3-4 December 2024

CISO Full Certification Track Module 1-7