Panel of Global 1000 CISOs Share Advice for Implementing Strategic Security Programs, Gaining Stakeholder Support and Measuring Results
CyberArk, the company that protects organisations from cyber attacks that have made their way inside the network perimeter, has launched a new industry initiative and report to mine cyber security insight and peer-to-peer guidance from a panel of Chief Information Security Officers (CISOs) from Global 1000 enterprises. The CISO View industry initiative is based on independent research, sponsored by CyberArk.
The CISO View panel’s collective expertise in managing large enterprise security deployments is featured in a new report, “The Balancing Act: The CISO View on Improving Privileged Access Controls.” CISOs from ANZ, Carlson Wagonlit Travel, CIBC, CSX Corporation, ING Bank, Lockheed Martin, Manulife, McKesson, Monsanto Company, News UK, Rockwell Automation and Starbucks provide real-world advice for getting organisational buy-in, implementing sustainable privileged account security programs and measuring effectiveness of the controls.
Making Privileged Account Security an Organisational Priority
One of the goals of the CISO View industry initiative is to provide a forum for the CISO community to share best practices and tangible guidance for building effective cyber security programs.
In the report, the CISO panelists focus on concerns about the potential for compromised privileged credentials, which are the common denominator in nearly all cyber attacks. According to the report, the rise in awareness about advanced threats is prompting many organisations to proactively shore up privileged access controls in order to help mitigate risks.
“If you don’t have good practices in privileged account management, you’re making it very easy for adversaries to traverse your whole network,” said Jim Connelly, VP and CISO, Lockheed Martin. “If they (attackers) get a hold of an over-privileged account, they’ll run through the environment like a brushfire.”
Based on a soon-to-be-released global survey from CyberArk, privileged account security has become a top organisational priority. Survey respondents (primarily IT security professionals) ranked privileged account security second only to endpoint security as the priority for their security programs.
CISO Views – Business Value and Establishing the Right Metrics
Featuring practical first-hand guidance not available anywhere else, the report leverages panelists’ hard-won experiences. It describes what it takes to deploy comprehensive programs that improve privileged access controls at large enterprises, encompassing people, process and technology. The report offers peer advice in three key areas:
- The strategic decisions that CISOs and their teams will need to make, including how to prioritise based not only on risk but also on business opportunities
- The conversations CISOs need to drive across the organisation, such as how to negotiate with and influence stakeholders
- The essential components of a successful program, including how to develop metrics to measure security and business results
The panelists describe specific ways to ensure that security and business objectives are aligned, including:
- Establish Business Value: Determine the line between “sufficiently secure” and “overly restrictive”
- Focus on Metrics that Matter: Use metrics to steer course corrections, measure control efficiency, and assess the impact of controls on system availability and application performance
- Make Milestones Count: Set early goals in conjunction with business partners, define phases to minimise business disruption, and capitalise on initial successes by creating blueprints for repeatable processes
“We believe the CISO View is an important industry initiative to help organisations that are trying to make informed, pragmatic decisions as they work to improve privileged access controls,” said John Worrall, Chief Marketing Officer, CyberArk. “Peer advice can be an invaluable resource to CISOs as they work to get ahead of the ever-changing cyber threats facing their organisations. We are grateful to the members of the panel for helping the larger community address business-critical security issues.”
For more information about “The Balancing Act: The CISO View on Improving Privileged Access Controls,” visit http://www.cyberark.com/cisoview/. This report is part of the CISO View, an industry initiative sponsored by CyberArk. The report was developed by an independent research firm, Robinson Insight.
About the CISO View Panel
The CISO View panel participants are: Rob Bening, Chief Information Security Officer, ING Bank; David Bruyea, SVP and CISO, Enterprise Architecture and Information Security, CIBC; Jim Connelly, Vice President & Chief Information Security Officer, Lockheed Martin; Dave Estlick, Information Security Chief, Starbucks; Steve Glynn, Global Head of Information Security, ANZ; Mark Grant, Chief Information Security Officer, CSX Corporation; Gary Harbison, Chief Information Security Officer, Monsanto Company; Jim Motes, Vice President and Chief Information Security Officer, Rockwell Automation; Kathy Orner, Vice President & Chief Information Security Officer, Carlson Wagonlit Travel; John Schramm, Vice President Global Information Risk Management & CIRO, Manulife; Munawar Valiji, Head of Information Security, News UK; and Mike Wilson, Vice President & Chief Information Security Officer, McKesson.
CyberArk is the only security company focused on eliminating the most advanced cyber threats: those that use insider privileges to attack the heart of the enterprise. Dedicated to stopping attacks before they stop business, CyberArk proactively secures against cyber threats before attacks can escalate and do irreparable damage. The company is trusted by the world’s leading companies – including 40 percent of the Fortune 100 and 17 of the world’s top 20 banks – to protect their highest value information assets, infrastructure and applications. A global company, CyberArk is headquartered in Petach Tikvah, Israel, with U.S. headquarters located in Newton, Mass. The company also has offices throughout EMEA and Asia-Pacific. To learn more about CyberArk, visit www.cyberark.com, read the company blog, follow on Twitter @CyberArk or Facebook.