There is no escaping the fact that information security incidents can seriously damage a company or even put it out of business. As organizations recognize the need to connect business risks with IT strategy, they are increasingly focusing on one person: their Chief Information Security Officer (CISO). The idea of having a person responsible for IT security is not new, but many organizations have only recently established a CISO position on the executive team.
While some organizations, particularly those in finance or defense, look for a CISO who is well versed in the practice of risk management, many companies choose to promote their smartest engineer or analyst, the one who knows “this stuff,” and let them figure it out. This perception that the CISO role is just about dealing with technical issues can be a huge roadblock to success: The role is about managing expectations, maintaining communications and building relationships as much as it is about understanding technology and planning for adequate security controls.
If you’re a technical guru who’s been promoted into a CISO position, here are the three areas I urge you to focus on in your first weeks in the job: observe and assess, establish relationships, and recruit your extended team.
Observe and Assess
Many models and frameworks have been developed to help people make decisions in different industries and life situations, from the military to medicine to business. They all have one thing in common: The very first verb you see is “observe,” “assess,” “identify,” “diagnose” or some synonym.
IT security is no exception. Your first task as a CISO is to understand where you are. Don’t rush to fix the very first issue you uncover; take time to look around and you will likely find more. The length of this initial observation period will depend on the size and complexity of the business. You need to put aside any assumptions and take enough time to learn about the following key things:
What’s in your tool bag?
It’s often said that security is about people, processes and tools — in this exact order. We will talk about people in a few minutes, but let’s first explore the latter two.
Even if the CISO position is new for the organization, it did not appear from nowhere. The business was functioning before your promotion and was somehow making it. There are always at least some processes and controls in place to reduce risk, even if they are not formally documented. Take time to identify and document these existing processes before you start changing anything.
As for the tools, it’s a safe bet to assume your company already owns at least some security technology. Start your inventory by looking for things like endpoint protection and network firewalls, but recognize you probably have far more than just that: logging and monitoring, identity and access management, backup, email filtering and vulnerability scanning are often bought by IT or by individual departments without anyone calling them “security tools.” Understanding what you already have, who owns these tools, whether they are actually deployed everywhere they are licensed for and whether they are being fully utilized can save you time and budget later.
What’s in the environment?
You cannot secure what you don’t know about. If your organization is good at maintaining asset inventories, creating data flow diagrams and performing data classification — my sincerest congratulations, you are one of the lucky few! Most first-time CISOs have to invest time and energy into getting a good grasp of what they are supposed to secure.
A word of caution here: Don’t try to take it all in one bite. For example, there is no need to start by mandating a full-scale data classification program! But you do need to talk to different parts of the organization to understand what they do, what applications they rely on and what types of data may be flowing around.
Where are the risks?
Your first weeks on the job are also the time to take the mental step from seeing security as a technical problem to identifying the underlying business risks. Try to identify the business processes and prioritize them from a risk perspective. Which process interruptions would have the most impact on the company’s well-being? Understand you cannot do this on your own; you need to get quality input from the executive team (more on this in the next section).
Next, work with your technical team to map each business process to the specific assets that enable the process. For example, your sales team needs to be online to find opportunities and close deals. What technologies do they need to succeed in their job? The list probably includes your phone system, email service and CRM application. Are these tools on premises or SaaS? Which servers and databases must be up and running to support them? Don’t stop at the application layer: shared components such as your identity provider, DNS or core network gear often sit underneath many processes at once, and a failure there interrupts all of them.
Obviously, this is not a one-time exercise. You need the first pass to get started, but both the business and the technology keep evolving. Make risk assessment an ongoing process.
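As an added illustration of the mapping exercise above (not from the original post), the following script models business processes, the applications they rely on and the infrastructure those applications need as a dependency graph, then ranks every asset by the total criticality of the processes that would stop if that asset went down. The process names, applications, hosts and criticality weights are constructed; in practice the weights come from the executive conversations described in the next section and the dependencies from your technical team.

```python
"""Rank assets by business impact from a process -> application -> infrastructure map.

Added example; all names and weights below are constructed and are not from the
original post. Criticality is a 1-5 weight assigned to each business process.
"""
from collections import defaultdict

# Business process -> criticality weight (constructed; supplied by executives).
PROCESSES = {
    "sales": 5,
    "payroll": 4,
    "marketing": 2,
}

# Business process -> applications it cannot run without (constructed).
PROCESS_APPS = {
    "sales": ["crm", "email", "phone"],
    "payroll": ["hr-system", "email"],
    "marketing": ["email", "cms"],
}

# Application -> (hosting model, technical dependencies) (constructed).
APP_DEPS = {
    "crm": ("saas", ["idp"]),
    "email": ("saas", ["idp", "dns"]),
    "phone": ("on-prem", ["pbx-01", "core-switch"]),
    "hr-system": ("on-prem", ["db-01", "app-02"]),
    "cms": ("on-prem", ["db-01", "web-01"]),
}

# Infrastructure component -> components it depends on (constructed).
INFRA_DEPS = {
    "idp": ["dns"],
    "dns": [],
    "pbx-01": ["core-switch"],
    "core-switch": [],
    "db-01": ["core-switch"],
    "app-02": ["core-switch"],
    "web-01": ["core-switch"],
}


def build_graph():
    """Merge the three layers into one directed graph: node -> set(dependencies)."""
    graph = defaultdict(set)
    for proc, apps in PROCESS_APPS.items():
        graph[proc].update(apps)
    for app, (_, deps) in APP_DEPS.items():
        graph[app].update(deps)
    for comp, deps in INFRA_DEPS.items():
        graph[comp].update(deps)
    return graph


def transitive_deps(graph, node):
    """Everything `node` depends on, directly or indirectly (iterative DFS)."""
    seen, stack = set(), [node]
    while stack:
        current = stack.pop()
        for dep in graph.get(current, ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def processes_depending_on(graph, asset):
    """Business processes that would be interrupted if `asset` were unavailable."""
    return {p for p in PROCESSES if asset in transitive_deps(graph, p)}


def hosting_model(asset):
    """'saas' / 'on-prem' for applications, 'infra' for shared components."""
    return APP_DEPS[asset][0] if asset in APP_DEPS else "infra"


def impact_ranking(graph):
    """Return [(asset, impact_score, sorted_processes)] with highest impact first.

    impact_score is the sum of criticality weights of every process that
    transitively depends on the asset, so shared components that many
    processes rely on surface at the top even if no one thinks of them
    as 'critical'.
    """
    assets = set(graph)
    for deps in graph.values():
        assets |= deps
    assets -= set(PROCESSES)
    rows = []
    for asset in assets:
        procs = processes_depending_on(graph, asset)
        score = sum(PROCESSES[p] for p in procs)
        rows.append((asset, score, sorted(procs)))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


if __name__ == "__main__":
    g = build_graph()
    for asset, score, procs in impact_ranking(g):
        print(f"{asset:12} {hosting_model(asset):8} impact={score:2} {', '.join(procs)}")
```

With the constructed data, the four top-ranked assets are the core switch, DNS, the identity provider and email, each scoring 11 because all three processes depend on them, well ahead of the CRM (5) that the sales team would name first. That is the point of doing the mapping rather than asking for a gut-feel list: the single points of failure are usually shared plumbing, not the applications people see.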
Build Relationships with the C-Suite
I realize “know your risks” is easier said than done. This is where your deep technical expertise won’t help much; it’s time to put your communication skills to work. You need executive-level allies to propagate a strong security culture in the organization — go find them.
If your organization has a formal Chief Risk Officer position, spend as much time with that person as you can. If not, try to have conversations with the CEO and the CFO. Ask them if they can introduce you to the board members, who will often be willing to share their views on the company’s risks.
The main questions in all of these conversations should be: What’s your biggest fear? What keeps you awake at night? And why is this so important?
If you work for a public company, also be sure to read the latest 10-K filing. Its risk factors section tells you what the company has already told its investors it is worried about; ask questions about each of those risks to make sure you understand the underlying concerns.
I expect two-fold results from this effort:
- It gives you the context for all of your future decisions. Security is most likely not the main business of your company. Your job is to build and implement an adequate security program that is suited to what the main business actually is.
- It is equally (if not more) important that these conversations help you build trust with the executive team. Your willingness to take a deep dive into their world shows them that you care. You’re making the effort to understand what matters to them. This is crucial for the success of the security program you’re creating for the organization.
Recruit an Extended Team
Whether you are a team of one or have dozens of people reporting to you, there’s one thing you can count on: You will never have enough staff to stay on top of every single possible risk. Therefore, you need to recruit security champions across as many departments as you can. These are people you can rely on to propagate security culture, drive adoption of new technology and controls, and get sincere and timely feedback about what’s working and what’s not.
How can you identify them and get in touch? Here are a few ideas:
- Ask the business leaders of each department if they have someone who “gets it.” Chances are, they will point you in the right direction.
- Consider some optional interactions, like “lunch and learn” sessions on security hygiene. Who shows up? What is their motivation? How actively do they participate? You may find a few good extended team members this way.
- I was about to suggest good old watercooler conversations, but these may be difficult in the current circumstances. Even if you are not working in the office, you can find ways to approach people from different parts of the organization and interview them about the current state and existing practices. You could ask them which of their colleagues really understand the issues and risks or are willing to support others when it comes to new technology.
It is important to stay connected with these people “on the ground” to understand the reality and details of the most critical business processes, sanity-check any new ideas, and stay aware of any grassroots initiatives.
What Do You Think?
Since I’m not a CISO myself, I can only speculate about what would work best. I tried to tell you where I’d focus for at least the first month if I were to become a CISO: observing and learning, establishing good communication with the other executives, and identifying security champions that can become an extension of my team. None of this makes the organization more secure on its own, but in my view, it is not possible to actually plan and do much without these critical initial steps.
What do you think? What’s your experience? I am very keen to learn, so please let me know!
And best of luck in your new role!