Peers are a great source of information for the CISO because they are tackling the same security problems in different ways. Taking note of what they are doing is useful for replicating their successes in your own organization.
We recently sifted through dozens of interviews with, and reports about, CISOs, to uncover several knowledge gems. The emphasis highly effective CISOs place on the less tangible aspects of the job – leadership, culture and business savvy for example – is readily apparent.
What follows below is a roundup of useful comments, facts, and statistics – big cybersecurity ideas – for the CISO by CISOs.
1) Businesses do not exist to provide information security
It’s all too easy for security leaders to forget that the business of their business isn’t security – it’s to fulfill customer-demand for products or services:
“It is very easy to fall into a myopic view and focus strictly on information security without taking into consideration what is it ultimately that the organization is trying to accomplish strategically. So, keeping that front and center for our teams helps not only enable the business but keeps us all grounded because we, as a company, we exist because we sell toothpaste and tennis shoes and all of those things that customers count on us to provide. At the end of the day, we’re not in the information security business. So, the day that information security makes that prohibitively difficult, there is really no reason for us to be here, so we have to keep that organizational mission front and center.”
– Jerry Geisler, SVP & Global CISO, Walmart; source: Walmart’s Jerry Geisler on the CISO position, retail challenges by Kathleen Richards.
2) Understanding how IT supports the business
More than just understanding the IT infrastructure, security leaders need to understand how that infrastructure supports the business. While this comment stems from a healthcare security leader, it has broader applicability for any vertical market:
“CISOs need to know the entire architecture of a healthcare organization’s IT environment and how it supports each line of business. They need to fully understand the environment’s technological composition and nature of all the data contained therein, the process for storage and transmission, as well as the process of all critical and sensitive data and the complete flow of data in and out of the organization.”
– Mark Beckmeyer, Director of IT Security, Binary Fountain; source: Securing healthcare organizations: The challenges CISOs face by Zeljka Zorz.
3) Articulating the value of cybersecurity to the business
In business, cybersecurity is often seen as a cost. Yet one security leader found his experiences in government helped him translate the value of security in business:
“Cybersecurity is all about the management of enterprise risk. The value a CISO and security department provides to the company is the continuous management of this risk so the business units that directly generate revenue can focus on being innovative and helping the company meet its strategic objectives. So my value is risk management as a service: We support the business units so they can focus on what the business needs, and together we are all successful.”
– Gary Hayslip, CISO, Webroot; source: A Career CISO’s 7 Observations on Public vs. Private Sectorvia TechWire
Note: Mr. Hayslip co-authored a two-volume CISO Desk Reference Guide.
4) Managing security to your organization’s tolerance for risk
Experts say cybersecurity boils down to an exercise in risk management – the probability of an event – combined with the severity of impact. Investors might add another factor in tolerance, which is why this commentary from a CISO at a big investment bank is so relevant:
“To pre-empt this question, the CISO should have a conversation early on with the CEO to determine the organization’s risk appetite. This will allow the CISO to align and prioritize security initiatives accordingly.
We are in the business of information and technology risk management, so the ‘Are we secure?’ question is somewhat misguided. The question should be: ‘Are we managing risk according to our risk profile?’ To answer this, the CISO should be able to easily demonstrate, based on a recent risk assessment, how the various cybersecurity initiatives and projects are in fact reducing risk, shrinking the attack surface of the organization and aligning the security program with the firm’s overall risk profile.”
– Israel Bryski, Vice President, technology risk, Goldman Sachs; source: 8 Tough Questions Every CISO Should Be Ready to Answer by Joan Goodchild.
5) Translating security risk into business decisions
Some researchers say the best CISOs learn to lead without authority. It’s a nod to the idea that ultimately, successful security leaders identify and articulate the risks to business leaders so they can make the right decisions:
“It’s very important that the CISO take the time to translate the enterprise security/risk/compliance needs into what executives can assimilate and make the decision.”
– Rebecca Wynn, Head of Information Security and DPO, Matrix Medical Network; source: Leading Cyber Security Execs Describe CISO ‘Toolkits’ by Dan Gunderman.
6) Security leaders and technology leaders need leadership parity
Business wants to innovate – to deliver a service or make a product better and faster. Yet faster comes with risks and someone needs to examine those risks and pump the brakes when the risk exceeds the business’ tolerance level:
“You need to make sure that your heads of security are on equal footing with the heads of tech, otherwise there is an inherent conflict at play.”
– Anthony Belfiore, CSO, Aon PLC; source: Companies Unleash CISOs from Ties to Tech Chiefs by Kate Fazzini
7) A “security first” culture is a path to business efficacy
A “security first” approach is derived from culture and a security-conscious culture may enable a business to favor efficacy over stronger prohibitions and rigid policies:
“We’re not a blocker unless it’s absolutely essential. What I’m aiming for is when security does ‘say no’, the people take it seriously, because it’s so rare that they know it’s a serious occurrence.”
– Kevin Fielder, CISO, Just Eat; source: Just Eat’s first CISO is building security in from the ground up by Tom Allen.
8) Best-of-breed tools may help ward off future threats
The security tools fielded yesterday were designed to defend against yesterday’s threats. That’s why cybersecurity inherently involves economics. It’s may also part of the case for best of breed tools aimed at modern threats:
“As the threat landscape changes, some of the things that we think are a priority today may have a different priority tomorrow. And that’s part of the reason why when we have a vendor come in and do our security operations center, we will have the best-of-breed tools that will allow us to evolve in the next five years to deal with the current threats.”
– Marcelo Peredo, CISO, City of San José; source: San Jose’s first CISO braces for ubiquitous connectivity by Colin Wood.
9) The toughest questions a CISO must answer
Security leaders are often faced with difficult questions. A group of CISOs narrowed down what is surely a long list to the top five – as compiled by Kudelski Security:
> “Are we secure?”
> “How do we know if we have been breached?”
> “How does our security program compare to peers within the same industry?”
> “Do we have enough resources for our cybersecurity program?”
> “How effective is our security program, and is our current investment strategy aligned to it properly?”
– Survey of CISOs; source: The 5 most challenging questions CISOs face and how to answer themby Macy Bayern.
10) The 4 “Tribes” of CISOs
Personality tests strive to group people into categories based on characteristics, habits and communication style. Doing so is intended to provide insight into our preferences and weak spots so we can improve. A research project by Synopsys did something similar for the CISO “based on factors related to workforce, governance, and security controls.” The research found CISOs can be used to grouped into one of four tribes:
> Tribe 1: Security as an Enabler;
> Tribe 2: Security as Technology;
> Tribe 3: Security as Compliance; and
> Tribe 4: Security as a Cost Center.
– CISO research project; source: Which CISO ‘Tribe’ Do You Belong To? by Kelly Sheridan
11) What CISOs think makes CISOs successful
New York University Professor Nasir Memon once observed that security isn’t just a technical problem, but a legal problem, a policy problem and perhaps most importantly, a human behavior problem. CISOs it seems, agree with that assessment, according to a survey of CISOs by the Enterprise Strategy Group and ISSA. The top skills CISOs say influence the success of a CISO are as follows:
> 54% say leadership skills;
> 49% say communications skills;
> 44% say strong relationships with executives;
> 33% say management skills; and
> 21% say upon technical skills.
– Survey of CISO; source: What makes CISOs successful? by Jon Oltsik
12) Individual consequences for getting phished?
While attacks have grown more sophisticated, many being with the same initiation stage: phishing emails. The organization can pay a heavy price when an individual gets phished and some say the risk and consequences should be shared:
“Someone who fails every single phishing campaign in the world should not be holding a TS SCI with the federal government. You have clearly demonstrated that you are not responsible enough to responsibly handle that information.”
– Paul Beckman, CISO, U.S. Department of Homeland Security; source: DHS infosec chief: We should pull clearance of feds who fail phish test by Sean Gallagher.
13) One upside to a breach: a learning moment
Once a breach has occurred, the dynamics between security and business may change. A breach is a learning moment, that makes conveying the message about the importance of security easier.
“One of the things that I really love about being a CISO in a post-breach environment is it gives you such an immense opportunity to drive fundamental, meaningful change in a very short timeframe. I felt like I did good things when I was at Los Alamos or at NASA, but it takes so frickin’ long to push some of this stuff. The barriers you face at any company not post-breach is you’re always fighting for budget, you’re always fighting for face time, trying to justify and convince people about the importance of security and risk management. When you’re in a post-breach environment, everyone already knows that it’s critically important.”
– Jamil Farshchi, CISO, Equifax; source: Equifax’s Security Overhaul, a Year After Its Epic Breach by Lily Hay Newman.