CISO do’s and don’ts: Lessons learned
Keeping a business safe from cyber threats while allowing it to thrive is every
CISO’s goal.
The task is not easy: a
CISO has to keep many balls in the air while being buffeted by an
increasingly complex and always shifting threat landscape. Consequently, the
importance of a good CISO should not be underestimated.
Mistakes to avoid, practices to implement
Francesco Cipollone, CISO and director at UK-based cybersecurity consultancy
NSC42, says that he has seen his fair share of CISOs who believe they know it
all, who focus on only one specific aspect of cybersecurity, who keep the
security team segregated from the engineering team and the rest of the
organization, and who don’t empathize with the business side.
No CISO is infallible, he says – the important thing is to fail fast and to
recover even faster.
Also, the CISO and the security team need to
understand that the organization is there to deliver products and services
as fast as possible, and they must find a way to make their work easier while,
at the same time, keeping the business safe.
The goal to shoot for is a happy medium between a secure product and acceptable
time frames. Also: bring the Sec into DevOps by introducing pragmatic security
as soon as possible in the lifecycle of an application.
Nobody likes to be told “No”
“As a security professional, I learned quickly to stop saying ‘No’ and started
replying with options. That is one of my key pieces of advice to CISOs,” Cipollone
says.
At the same time, a CISO should find a way to not get frustrated if the board of
directors keeps saying “No”.
“As security professionals we are tasked to ensure the company is protected to
the best of our ability. If those abilities are undermined or limited, we need
to communicate this sufficiently well to the board so that they are aware of the
risks they are taking by saying ‘no’ to some things. Ultimately, they are
accountable to the shareholders for the performance and security of an
organization,” he explains.
Finding a way to get your security message across to the board and the
business’s leaders is a must: the message must be clear, it must appeal to their
emotions, and must clearly quantify each security risk.
“The best way I’ve managed to make the case for specific
security improvements has been to relate them to financial loss. The simple
formula is: how many applications could an attack potentially take down?
Estimate a likely time span. How much does an application generate? And then
present to the board how much you can save, in terms of hours lost and money, by
displaying how much a security control would protect the total value of the
application,” he explains.
“In order to calculate the total monetary loss for a day, aggregate the loss
factor of each application. This leads the board to consider business risk
(money) against security risk (also money), and effectively allows them to
compare apples to apples.”
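The loss-factor calculation he describes, carried through as an added example (not code from the article or from NSC42): each application's loss factor is its hourly revenue times the estimated outage, the factors are aggregated for the scenario, and the portion falling on applications a proposed control covers is set against the control's cost. All application names, revenue figures and the control cost are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class App:
    name: str
    revenue_per_hour: float  # constructed figure, not from the article
    protected: bool          # True if the proposed control covers this app


def outage_loss(apps, down_names, outage_hours):
    """Loss factor per application: revenue per hour times hours down."""
    return {a.name: a.revenue_per_hour * outage_hours
            for a in apps if a.name in down_names}


def daily_loss(loss_by_app):
    """Aggregate the per-application loss factors into one scenario figure."""
    return sum(loss_by_app.values())


def protected_value(apps, loss_by_app):
    """Share of the scenario loss that lands on applications the control covers."""
    covered = {a.name for a in apps if a.protected}
    return sum(v for n, v in loss_by_app.items() if n in covered)


def board_case(apps, down_names, outage_hours, control_cost):
    """Numbers for the board: scenario loss, hours lost, value the control protects."""
    loss = outage_loss(apps, down_names, outage_hours)
    saved = protected_value(apps, loss)
    return {
        "scenario_loss": daily_loss(loss),
        "hours_lost": outage_hours * len(loss),
        "value_protected": saved,
        "control_cost": control_cost,
        "net_benefit": saved - control_cost,
    }


# Constructed sample: three applications, one of them outside the control's scope.
SAMPLE_APPS = [
    App("checkout", 5000.0, True),
    App("crm", 800.0, True),
    App("wiki", 50.0, False),
]

if __name__ == "__main__":
    # Scenario: an attack takes all three applications down for 8 hours.
    print(board_case(SAMPLE_APPS, {"checkout", "crm", "wiki"}, 8, 20000.0))
```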
But sometimes logic and numbers are not the best route to the board’s heart.
“Sometimes security professionals need to be clever and play with the board’s
emotions by using the media. If a CISO is
struggling to get funding for a specific improvement, they should consider
using the industry/global news stream and identify key news that could help them
make the case. The communication team and marketing team are, generally
speaking, their best friend and allies in this,” he says.
CISOs should also use business storytelling and analogies when making the case
for a specific control or security improvement program. An expert communication
team can help proofread the pitch and simplify the case they are trying to make.
They should always be prepared with information about the cost and the latest
statistics. “Data is king. Hard facts are difficult to argue with, while
opinions are always personal, and hence, debatable,” he points out.
He’s also not averse to advising CISOs to quit if they can’t find a common
language with the board and key stakeholders. A constantly failing collaboration
is good neither for the company nor for the appointed CISO.
Leadership lessons
As noted before, business empathy and strong communication skills are a must.
But CISOs also have to have empathy when dealing with the engineering side.
Regardless of the country in which the company operates and the product it
develops, every company is an engineering and data company these days, so the
CISO role needs to be close to the engineers, Cipollone opines.
“In the USA I’ve seen CISOs positioned closer to the engineering mindset and to
products and delivery. Despite the fact that third-party management and
governance are an important role of the CISO, a USA-centered CISO is generally
more affected by engineering problems,” he told Help Net Security.
“Some organizations in countries across Europe might be driven more by
regulation and by etiquette, so the CISO needs to be closer to vendor management
and governance rather than the product side.”
Other key leadership lessons he has learned during his career include:
● Mentoring – key to forming the next
generation of information security professionals
● Open-source collaboration – helps drive
the next generation of products and helps shape the industry
● Collaboration – the closer the
collaboration is with similar industry partners, the more reliable the
information is.
Taking care of your team
It’s no secret that
security teams are overworked. They are expected to keep a constant,
watchful eye over everything that’s happening in an organization and to know
everything there is to know about security. That’s a lot of pressure to put on
an individual and on a team.
To alleviate it, Cipollone advises maintaining a dynamic, ever-expanding and
contracting team.
“We need to consistently add new members to the team from another part of the
organization or by using graduate schemes or mentorships. We have to promote
cultural and gender diversity and open-mindedness. This enables the team to keep
a critical mindset and maintain a fresh view on security problems,” he says.
At the same time, team members must be enabled to focus and relax: team building
activities, research and industry-wide gatherings should be used and encouraged.
“We need to keep security teams interested by encouraging research (during work
hours) and participation in industry events like Cloud Security Alliance, OWASP,
ISSA meetups,” he advises.
“We should also encourage giving back. Speaking at conferences and meetups will
allow this, and participating in these events helps the team keep up-to-date on
the situation in the industry without expensive training. It also allows the
team to be ‘injected’ with new ideas.”
Article originally published on
helpnetsecurity.com