Just after the new year I was catching up with a CISO over lunch in Pike Place Market in Seattle. We were reminiscing about how tough it is to get a security program up and running in the beginning. Pausing to dip his taco in the excellent house salsa, he commented, “Y’know, if I had to do it all over again…” and he proceeded to tell me a story. My brain twitched with possibilities—here was a great question to ask CISOs and share with the community.
Over the months, I spoke to a dozen different CISOs and began publishing the most interesting quotes on F5 Labs. This prompted more security leaders to come forward and share their past failures and lessons learned. All had at least a decade of experience in both management and security, but there was no particular industry, background, or specialty represented. Still, the lessons began to line up along some basic themes.
The first theme CISOs talked about was regretting they hadn’t built a strategic plan for their new security programs early on. They noted that they could have saved themselves a lot of extra work and gone a lot faster if they had spent the time to flesh out a roadmap. Without a plan from the beginning, security programs devolved into a jumbled patchwork of security controls and duplicated efforts. It’s easy to say you’ll have a plan, but a lot of companies, especially tech companies, move pretty fast and it’s easy to get lost in compliance requirements, security frameworks, and technology stacks. This is why they stressed keeping the plan simple but focused on the business goals.
Along these lines, many expressed that being a CISO involved lots of project management, mostly around making sure controls are fully rolled out to mitigate risks and ensure compliance. Like a lot of things in security, the economics always win. So, resources need to be managed, which means keeping an eye on cost estimates, deadlines, and bureaucratic slowdowns. If you’re in over your head, a security leader shouldn’t hesitate to get help, either from inside or outside the organization.
Building a security program is like growing a garden, one CISO stressed. It takes time and daily commitment to nurture what you’ve sown. Security controls don’t live in a single point in time, they have a lifecycle that needs to be managed from inception, to integration, to upgrade. Quite a few CISOs regretted the stress they inflicted on themselves by being too impatient or taking on too much at once. Move at the pace of the organization, they stressed, and keep improving every day.
When it comes to rolling out their programs, many interviewed CISOs kicked themselves for not understanding the human factor early enough in their careers. As they say, culture eats strategy for breakfast, and that includes security strategy. Quite a few CISOs said if they could do things over, they’d spend more time studying politics and organizational influence techniques. Nowhere was this more emphasized than when working with senior executives. A common flub for CISOs was to be too technical and not business focused enough when talking to the higher-ups.
Another big theme was lamenting not double-checking assumptions or what they were told. Many CISOs fell into the gap between what was reported and what was actually happening. System and data inventories were revealed to be incomplete, defenses that everyone assumed were deployed turned out to be half-configured, and logging was not set up for key operations.
Time again, CISOs learned the hard way that you can’t fix what you don’t know about. The CISOs warned that people will often tell you what they think you want to hear, not the truth, especially in you’re in management. Don’t assume, check to make sure you know the ground truth as soon as possible.
Speaking of understanding what’s going on, the blind spot for many CISOs was looking beyond IT security. Many CISOs got their start in technology, so they naturally forgot there’s a physical world out there. Physical security and disaster recovery are two big physical threats that CISOs ended up playing catch-up on. And like the previous areas of security, this was also one area where CISOs coulda-woulda-shoulda asked for help but didn’t.
Overall, it was a great exercise to talk to CISOs about what they would do over. Stories continue to come in. Maybe this is a worthwhile question to ask yourself, and maybe you’d like to share it with me and pass on what you’ve learned as well.