What CISOs should focus on when deciding on a strategy
The effectiveness of an organization’s security strategy and implementation can sometimes be difficult to assess. Michael Hamilton, President and CISO of CI Security, says looking at a number of key performance indicators can help.
A CISO wants to see most of these trending down:
- Incidents per unit of time
- Cost per incident
- Time to incident detection
- Time to incident close
- The number and severity of compliance audit findings (where no legal compliance requirements apply, audits can be conducted against a framework such as the NIST Cybersecurity Framework or the CIS Critical Security Controls)
- The number of risk management and compliance audit corrective actions.
In fact, the only thing a CISO should want to see trending up is accuracy in budgeting.
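One way to compute the first four indicators from an incident ticket export, so that the trend can actually be tracked quarter over quarter. This is an added example, not code from the original article or from CI Security; the record layout (incident id, first adversary activity, detection time, close time, cost) and the incident records themselves are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed sample records (not real data). Columns:
# id, first adversary activity, SOC detection time, case close time, cost (USD).
INCIDENTS = [
    ("INC-1", "2023-01-05T02:00", "2023-01-12T02:00", "2023-01-20T02:00", 42000),
    ("INC-2", "2023-02-10T00:00", "2023-02-10T12:00", "2023-02-14T12:00", 8000),
    ("INC-3", "2023-03-01T00:00", "2023-03-03T00:00", "2023-03-10T00:00", 25000),
    ("INC-4", "2023-04-02T00:00", "2023-04-02T06:00", "2023-04-04T06:00", 5000),
    ("INC-5", "2023-05-20T00:00", "2023-05-21T00:00", "2023-05-23T12:00", 12000),
]


@dataclass
class Incident:
    ident: str
    first_activity: datetime
    detected: datetime
    closed: datetime
    cost: float


def parse(rows):
    """Turn raw (id, first, detected, closed, cost) tuples into Incident objects."""
    return [
        Incident(i, datetime.fromisoformat(f), datetime.fromisoformat(d),
                 datetime.fromisoformat(c), float(cost))
        for i, f, d, c, cost in rows
    ]


def quarter(d):
    """Calendar quarter label, e.g. '2023-Q1'."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def hours(a, b):
    return (b - a).total_seconds() / 3600


def kpis_by_quarter(incidents):
    """Per quarter (bucketed by detection date):
    incident count, mean cost per incident, median time to detect (h),
    median time to close (h). Medians are used for the time metrics so one
    long-undetected intrusion does not dominate the figure."""
    buckets = {}
    for inc in incidents:
        buckets.setdefault(quarter(inc.detected), []).append(inc)
    out = {}
    for q in sorted(buckets):
        group = buckets[q]
        out[q] = {
            "incidents": len(group),
            "cost_per_incident": sum(i.cost for i in group) / len(group),
            "mttd_h": median(hours(i.first_activity, i.detected) for i in group),
            "mttc_h": median(hours(i.detected, i.closed) for i in group),
        }
    return out


def trend(series, key):
    """'down', 'up' or 'flat', comparing the latest quarter with the earliest."""
    qs = sorted(series)
    first, last = series[qs[0]][key], series[qs[-1]][key]
    if last < first:
        return "down"
    if last > first:
        return "up"
    return "flat"


if __name__ == "__main__":
    k = kpis_by_quarter(parse(INCIDENTS))
    for q, m in k.items():
        print(q, m)
    for key in ("incidents", "cost_per_incident", "mttd_h", "mttc_h"):
        print(f"{key}: trending {trend(k, key)}")
```

Read the incident count together with time to detection: a falling count while detection time is flat or rising may mean fewer intrusions are being noticed rather than fewer occurring, which is the opposite of what the KPI is meant to show.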
Deciding on a strategy
CISOs whose organization is in the middle of a major digital transformation effort, and who want the transition to be as smooth as possible, should do everything they can to build a successful collaboration with the CIO.
One reasonable strategy that won’t break the bank is to start with a policy, applied consistently across the organization, that sets standards and oversight for the technology procurement process.
“‘Sell’ that to governance as a way to transfer the cost of security to technology vendors by creating procurement requirements that address security – upgrade paths, time to patch release, no unchangeable factory defaults, etc. Vendors will (ultimately) respond,” Hamilton counsels.
“Focus then on managing the impact of technology compromise through a focus on detection and response – admitting that all this new junk is increasing the attack surface and it has to be watched, and small fires put out before they burn down the house.”
And for the day when a security breach becomes reality and the CISO has to explain (i.e., justify) their investment strategy to the board, he advises them to make the case that all controls in place were based on measured risk, that regulatory compliance status was reported and known, that audit artifacts exist to support that, that insurance is in place to cover losses, and that all funding went to those activities and other areas of focus (consultants, managed services, maintenance payments on security technologies, training and conferences for staff, etc.).
“I would point out that (as they have undoubtedly explained to executive management), a security event is expected given the range of threats to which the organization is exposed, and that, with their focus on detection and response, they are as prepared as possible to minimize the impact of the event as they execute on their response plan,” he notes.
To become a CISO, one needs an advanced degree (preferably part technical and part business), but the job also requires budgeting, people management, strategy, audit survival, executive influence and communication skills that can really only be learned by working through them in real life, Hamilton opines.
“The best qualification is experience in as many of those skills as possible, as evidenced by the number of roles a person has held along their information security journey,” he says.
Another must is making an effort to get to know and understand the people in the various leadership positions.
“Most organizations are federated into departments or agencies, which have different business functions, cost centers, and assets to protect. Meeting the leadership and learning as much of the detail around each of those business units, departments, or agencies tends to smooth the governance process and improve your influence when making business or regulatory cases for controls. Leading your staff is most effective if you’ve been in their seats and have authentic empathy for the tribulations of their roles,” he maintains.
CISOs face a variety of challenges. Among them is a pronounced problem affecting the whole infosec industry: the dearth of security professionals who make good, long-term, full-time employees.
This staffing gap can be closed with the help of full-service (consulting and managed) security service providers and, as a result, CISOs may end up managing a far more virtual team than they are accustomed to, Hamilton points out.
“I also believe that the current threat environment and the potential to become collateral damage in a nation-state act require a different type of planning than that to which we are accustomed. Public policy (including military policy) will become more important to business and should be watched closely. Finally, privacy is now a main driver of information security, and the increasing expectations of consumers, shareholders, and international regulators will be added to the pile of concerns,” he concludes.