RSA: Ten essential tips to reduce business risk

In our previous article in the series, we introduced three security leaders who in the last twelve months have impressed us with the way they have navigated through their own challenges to improve productivity and skills in their teams and achieve positive outcomes within their organisations.

These security leaders, in particular CISOs, have enabled transformation within their organisations by reducing risk in line with the overall risk appetite of the business, and by reorganising and enabling their teams.

In this third and final instalment, we want to revisit two critical lessons we have learned collectively from these three CISOs. Before we do that, it is worth reminding ourselves of some fundamental truths that organisations today are facing:

1.    Relentless cyber attacks against global market brands - the threats we face are real, the adversaries are determined and skilled, and the failures are far too common (for example, failing to apply security patches, a basic hygiene task)

2.    Limited visibility is slowing rapid response - the failures lie not only in the technical process but also in the workflow and execution of the remediation measures that mitigate the risks.

3.    Breaking through the silos - Security is no longer just a technology issue. While many organisations can claim they have board members now understanding and discussing security and risk, it is still a long journey for many.

4.    Overcoming FUD - CISOs are inundated with industry scare tactics and a flood of information. It is like a game of Buzzword Bingo: a CISO could easily spend thousands of dollars of extra budget chasing each buzzword, and for every point scored in that game they could instead have employed an extra security specialist for a year. What then to prioritise, which risks to address first, which assets are most critical to protect?

The CISOs highlighted in our stories have each succeeded in seeing through the FUD. Being able to clearly identify, and articulate to board members, what is most important to protect within the organisation is what a business-driven security approach is all about.

So, what made these CISOs exemplars to follow? The answer is that they have each pivoted their own security programmes to enable transformation in the business through:

- The adoption of new technologies and workplace transformation
- The development of new service delivery capabilities
- Changing how their organisations measure their risk profile and appetite

Therein lie the two critical lessons: the importance of filtering out the FUD and being driven by facts; and the ability to enable positive transformation by reducing business risk impacts.

As we close out this series, we would like to offer our Top TEN suggestions based on the learnings of the CISOs:

1.    Know exactly what is happening in your environment. We don't mean a pen-test once a year, we don't mean collecting log data only from your preventative controls, and we don't mean installing a magic AI-enabled black box that learns by itself, emits a chirpy 'ping' and whirls some lovely 3D graphics whenever it perceives an anomaly. We mean: collect and analyse as much logging data as you can from your network, and keep an accurate inventory of all your endpoints, applications and network-connected non-IT devices. Gain visibility into all three of these information domains, the ability to dive deep into each of them, and investigate anomalous behaviour using the skills and behavioural analysis of a human analyst.

2.    Have a mechanism to collect and analyse evidence, the trail of breadcrumbs that shows not just what happened, but when, how, and what may happen next.

3.    Have a defined and agreed matrix of ownership: who is responsible for every aspect of business-as-usual (BAU) and break-fix operations.

4.    Have an agreed and tested risk register and an agreed level of risk appetite that is signed off by the business stakeholders.

5.    Know the process for investigating, resolving and learning from a breach. Include all areas of business impact: technical operations, business operations, law enforcement, regulations and policies, and supply chain parties. Test the process!

6.    Know what the top business development priority is for your CEO, be ready with a gap analysis of the current and future risk state, and be able to articulate your plan in order of risk impact.

7.    Identify and groom your replacement and nurture the next batch of talent.

8.    Gain a thorough understanding of the operations in your organisation: where each supply chain partner contributes (positively or negatively) to your own risk posture, and collaborate both upstream and downstream in the supply chain so that you help each other.

9.    Intelligence sharing and learning: contribute to the greater good and network, network, network. Go to every industry conference you attend with the personal goal of meeting ten to fifteen new peers, learning from them, teaching them whatever you can, and staying in touch.

10.    Hire new graduates and mentor them so that we help resolve the ongoing skills shortages in our country.
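Points 1 and 2 above amount to one concrete engineering task: join the logs you collect against your asset inventory, and build an evidence timeline that a human analyst can reason about. The Python script below is an added example written for this article; it is not RSA's code nor any product's logic. The hostnames, IP addresses, inventory entries and sshd log lines are all constructed for illustration, and the thresholds (three failures within sixty seconds) are arbitrary assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed asset inventory (hypothetical hosts and addresses): the
# "accurate inventory of endpoints, applications and non-IT devices" of tip 1.
INVENTORY = {
    "10.0.1.10": {"host": "web-01", "owner": "platform-team", "type": "server"},
    "10.0.1.11": {"host": "web-02", "owner": "platform-team", "type": "server"},
    "10.0.2.50": {"host": "alice-laptop", "owner": "alice", "type": "endpoint"},
    "10.0.3.7": {"host": "cctv-lobby", "owner": "facilities", "type": "non-IT"},
}

# Constructed syslog-style sshd lines, not real log data. One CRON line is
# included deliberately to show how non-matching evidence is handled.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z web-01 sshd[1201]: Accepted publickey for deploy from 10.0.2.50 port 50122
2024-03-01T09:05:13Z web-01 sshd[1244]: Failed password for root from 10.0.9.99 port 40011
2024-03-01T09:05:15Z web-01 sshd[1245]: Failed password for root from 10.0.9.99 port 40012
2024-03-01T09:05:18Z web-01 sshd[1246]: Failed password for invalid user admin from 10.0.9.99 port 40013
2024-03-01T09:05:40Z web-01 sshd[1250]: Accepted password for deploy from 10.0.9.99 port 40020
2024-03-01T09:06:00Z web-01 CRON[1300]: pam_unix(cron:session): session opened for user root
2024-03-01T09:10:02Z web-02 sshd[2210]: Accepted publickey for deploy from 10.0.3.7 port 51000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_events(text):
    """Turn raw sshd lines into event dicts. Lines that do not match are kept
    as 'unparsed' rather than dropped, so the evidence trail stays complete."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            events.append({"unparsed": raw})
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(e)
    return events


def analyse(events, inventory, fail_threshold=3, window_seconds=60):
    """Correlate login events with the inventory and return a time-ordered list
    of (time, finding_type, source, detail) tuples: the what, when and how."""
    findings = []
    seen_unknown = set()
    failures = defaultdict(list)  # source address -> recent failure timestamps
    for e in events:
        if "unparsed" in e:
            continue
        src, t = e["src"], e["time"]
        asset = inventory.get(src)
        # A source that is not in the inventory is itself a finding (tip 1).
        if asset is None and src not in seen_unknown:
            seen_unknown.add(src)
            findings.append((t, "unknown_source", src,
                             f"first seen logging in to {e['host']} as {e['user']}"))
        # A non-IT device (camera, printer) should not be opening SSH sessions.
        if asset and asset["type"] == "non-IT":
            findings.append((t, "non_it_device_login", src,
                             f"{asset['host']} ({asset['owner']}) logged in to {e['host']} as {e['user']}"))
        if e["result"] == "Failed":
            failures[src].append(t)
            # Keep only failures inside the sliding window; fire once on crossing.
            failures[src] = [x for x in failures[src] if (t - x).total_seconds() <= window_seconds]
            if len(failures[src]) == fail_threshold:
                findings.append((t, "failed_login_burst", src,
                                 f"{fail_threshold} failed logins within {window_seconds}s against {e['host']}"))
        elif failures[src]:
            # A success right after a burst of failures is the "what may happen next".
            findings.append((t, "success_after_failures", src,
                             f"{e['user']} accepted via {e['method']} after {len(failures[src])} recent failures"))
            failures[src] = []
    findings.sort(key=lambda f: f[0])
    return findings


def run_example():
    return analyse(parse_events(SAMPLE_LOGS), INVENTORY)


if __name__ == "__main__":
    for t, kind, src, detail in run_example():
        print(f"{t.isoformat()} {kind:24} {src:12} {detail}")
```

Run as-is it prints a four-line timeline. The point worth noticing is that the inventory turns an otherwise unremarkable accepted login (a lobby camera connecting to a web server) into a finding that no signature on the log line alone would catch, and that the unmatched CRON line is retained rather than silently discarded.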

Always remember: we are all connected in this hyper-connected world, and what each individual does will make a difference. In his book We Are All Leaders: Leadership Is Not a Position, It's a Mindset, Fredrik Arnander suggests that everyone is a leader regardless of their station in life, the title on their business card, or their position in family or community. For this to be true, we all need to lean in and lead for a better and safer digital world.

Find out how to boost your security team, doing more with the team you have – Download RSA’s free ebook “5 Tools to Boost Your Security Team’s Impact”


Simon Perry,  Threat Detection and Response Business Manager, RSA
Andrew Bonehill, Threat Detection and Response Snr Technology Consultant, RSA