How CISOs can tackle challenges

Risk management and monitoring across the extended and remote enterprise may prove to be beneficial, as Adam Palmer, Chief Cybersecurity Strategist from Tenable, lists five best practices that CISOs can follow.

The pandemic has changed the world, perhaps forever. Employees are working at home using personal, and often unsecured, devices and networks. For a Chief Information Security Officer (CISO), used to believing that for the corporate network perimeter “inside is safe, outside is unsafe,” now nearly everything is outside and there is no perimeter. New risks and vulnerabilities seem to be arising everywhere on many new types of devices. The threat landscape has expanded — a worrying position for any security leader.

Despite these risks, organizations expect business continuity and a way forward. CISOs must attempt to bring normalcy and predictable functionality to this unprecedented situation. Below are five ways that CISOs can do this successfully – reduce risk based on sound advice and progress through a systematic checklist:

#1 If everything is important, then nothing is important

During a crisis, resources are short and everyone is overloaded with demands. Everything can feel like a priority. For the CISO, the first task is to identify what is only innocent smoke from what is actually a fire. By combining tools like threat intelligence, vulnerability research, and probability risk, CISOs can begin to prioritize the most critical vulnerabilities that are now distributed across the expanded enterprise perimeter. Prioritization focuses resources to the right area, in the right amount, and in the right sequence.

#2 Avoid box ticking exercises

In these complex times, CISOs cannot afford to use a generic checklist to scan their extended network, which has now changed beyond earlier recognition. Work at home has meant that employees are now connecting to the network using whatever device is at hand that gets the task done — whether it’s to participate or host a video call; instant chat message with a colleague; access a cloud application; or any other daily task. In short, convenience has overtaken risk as workers struggle to deliver from home. For the CISO in this environment, a risk-based management approach that focuses on actual risks being exploited, not generic lists of potential risks, is most effective. This also avoids overrun of the operating expense (Opex) budget.

#3 You cannot protect what is unknown

One of the biggest challenges for a CISO today is visibility into what is happening in their remote work environment. The organization’s workers may have had to relocate from their normal home, or even their geo-location. Staff are connecting from multiple private and public networks, using multiple known and unknown devices, and at predictable but also unpredictable hours. The CISO needs to understand this

activity pattern is now the new normal. To gain complete visibility of the extended enterprise network, CISOs should utilise authenticated agent scans that register and profile all assets being used. This will help the CISO build a unified and complete list of the vulnerabilities that have been created by distributed and remote work at home practices.

#4 The Board wants risk details

The Board of Directors will want to know what risks the organization is exposed to, and what is being done to reduce/address them. By adopting a risk-based approach, CISOs can accurately assess, quantifiably, the level of risk exposure in terms that the Board can understand.

Using a risk-based approach, the CISO can profile the distributed risk across the extended enterprise on the basis of large-scale assets, geolocation, business units, and device groups, etc. The Board will be able to evaluate the business impact if any mission-critical areas are exposed compared to the cost to implement controls that reduce the risk.

#5 The trap of instant gratification

In this time of crisis, and under pressure from management to deliver security, CISOs might be tempted to purchase additional tools, hoping that a single purchase order may be the key to alleviate the overall risk levels of the organization to deliver quick results. Unfortunately, a magic bullet simply does not exist. What is more meaningful is to better understand the risk environment and systematically demonstrate reduction of risks based on the prioritization of vulnerabilities. CISOs could also consider using managed service providers to reduce their day-to-day overheads of monitoring risks and vulnerabilities. They can also consider bringing in professional services to boost the skills capability of their internal teams to use existing tools and be more effective.

CISOs will find that implementing these basic best practices can go a long way towards reducing the risk levels of their organization in challenging circumstances, including this pandemic.

About Security Buyer

Security Buyer is the leading authority in global security content, delivering expert news, in-depth articles, exclusive interviews, and industry insights across print, digital, and event platforms. Published 10 times a year, the magazine is a trusted resource for professionals seeking updates and analysis on the latest developments in the security sector.

To submit an article, or for sponsorship opportunities, please contact our team below.

Rebecca Spayne picture 2025

Rebecca Spayne

Managing
EDITOR

Georgina Turner image

Georgina Turner

Sales
Manager

Afua Akoto image - Security Buyer

Afua Akoto

Marketing Manager

Read the Latest Issue

Follow us on X

Follow us on X

Click Here

Follow us on LinkedIn

Follow us on LinkedIn

Click Here

Advertise here

Reach decision makers and amplify your marketing

Advertise here

Click Here

Related News

OneLink

Product Spotlight – Gallagher’s OneLink

Gallagher Security presents, OneLink – the product that is elevating remote security through the power of the cloud 
Pinaccle systems

Pinnacle Systems further supports Installers and System Integrators

Pinnacle Systems has launched the Pinnacle Partner Programme, a new initiative designed to provide enhanced support for installers…
Stephen Tickle

Comelit-PAC Appoints Stephen Tickle as Regional Sales Manager

Comelit-PAC has appointed Stephen Tickle as its new Regional Sales Manager.  Stephen will focus on supporting PAC’s access control…
Intersec Saudi

Intersec Saudi Arabia returns with record exhibition space

Intersec Saudi Arabia, the premier industry platform for security, safety and fire protection, will return to the Riyadh…
Abloy UK

Abloy Academy breaks attendance records

Abloy UK has achieved record breaking attendance at its Academy, with more professionals than ever attending its…
Hikvision

Hikvision Introduces X-ray Baggage Inspection System

Hikvision India has recently introduced X-ray Baggage Inspection System with AI- enabled Intelligent Recognition Capabilities…
GBV

IFPO Column: The Quiet Signals of Danger

Yoyo Hamblen of IFPO and Gary Simpson, Nonverbal and Behavioural specialist discuss the important topic of Gender-Based Violence..
Doorbird Carousel

Product Spotlight – Door Communication for the “Neue Wallufer”

 A customised solution case study for a residential complex is presented by DoorBird and CompuNet Systems GmbH 
suprema

Suprema Achieves EN 60839 Certification

Suprema, a global provider of AI-powered access control and security solutions, has achieved EN 60839-11-1:2013 Grade 3 certification
Gallagher

Gallagher Security cultivates key partnerships in Riyadh

Organised in partnership with the New Zealand Embassy, Gallagher Security hosted an event in Riyadh to explore business…
Scroll to Top