I submitted a short blurb to an effort to gather advice from CISOs. I believe many CISOs (especially new ones) will focus primarily on advanced security controls and miss the admittedly boring "blocking and tackling" like patch and configuration management:
While we (as CISOs) certainly need to deploy protective technology to help defend our brands, we must also stay laser-focused on helping our friends in IT with the monumental task of properly configuring and expediently patching endpoints, servers, and applications. No matter how good your EDR or XDR systems may be, you will be helpless to stop attackers if systems are not properly configured and maintained.
The submission asked for additional information, so I decided to expand (very slightly) on my earlier point, specifically the fact that governance alone has not worked and most likely never will.
The information security product ecosystem has certainly produced some excellent detective and preventative controls to thwart would-be attackers. However, time and time again systems and applications are compromised due to shoddy administrative practices and slow update cycles. We (as CISOs) need to ensure that our IT sisters and brothers are empowered to invest in solutions that solve these issues. Sheer governance has not been enough, so we have to think outside the box about how to enable IT to be successful for the company and achieve better security outcomes.