CISO do’s and don’ts: Lessons learned
Keeping a business safe from cyber threats while allowing it to thrive is every CISO’s goal.
The task is not easy: a CISO has to keep many balls in the air while being buffeted by an increasingly complex and always shifting threat landscape. Consequently, the importance of a good CISO should not be underestimated.
Mistakes to avoid, practices to implement
Francesco Cipollone, CISO and director at UK-based cybersecurity consultancy NSC42, says that he has seen his fair share of CISOs who believe they know it all, who focus on only one specific aspect of cybersecurity, who keep the security team segregated from the engineering team and the rest of the organization, and who don’t empathize with the business side.
No CISO is infallible, he says – the important thing is to fail fast and to recover even faster.
Also, the CISO and the security team need to understand that the organization is there to deliver products and services as fast as possible, and they must find a way to make their work easier while, at the same time, keeping the business safe.
The goal to shoot for is a happy medium between a secure product and acceptable time frames. Also: bring the Sec into DevOps by introducing pragmatic security as soon as possible in the lifecycle of an application.
Nobody likes to be told “No”
“As a security professional, I learned quickly to stop saying ‘No’ and started replying with options. That is if one of my key advice to CISOs,” Cipollone advises.
At the same time, a CISO should find a way to not get frustrated if the board of directors keeps saying “No”.
“As security professionals we are tasked to ensure the company is protected to the best of our ability. If those abilities are undermined or limited, we need to communicate this sufficiently well to the board so that they are aware of the risks they are taking by saying ‘no’ to some things. Ultimately, they are accountable to the shareholders for the performance and security of an organization,” he explains.
Finding a way to get your security message across to the board and the business’s leaders is a must: the message must be clear, it must appeal to their emotions, and must clearly quantify each security risk.
“The best way I’ve managed to make the case for specific security improvements has been to relate them to financial loss. The simple formula is: how many applications could an attack potentially take down? Estimate a likely time span. How much does an application generate? And then present to the board how much you can save, in terms of hours lost and money, by displaying how much a security control would protect the total value of the application,” he explains.
“In order to calculate the total monetary loss for a day, aggregate the loss factor of each application. This leads the board to consider business risk (money) against security risk (also money), and effectively allows them to compare apples to apples.”
But sometimes logic and numbers are not the best strategy to the board’s heart.
“Sometimes security professionals need to be clever and play with the board’s emotions by using the media. If a CISO is struggling to get funding for a specific improvement, they should consider using the industry/global news stream and identify key news that could help them make the case. The communication team and marketing team are, generally speaking, their best friend and allies in this,” he says.
CISOs should also use business storytelling and analogies when making the case for a specific control or security improvement program. An expert communication team can help proofread the pitch and simplify the case they are trying to make.
They should always be prepared with information about the cost and the latest statistics. “Data is king. Hard facts are difficult to argue with, while opinions are always personal, and hence, debatable,” he points out.
He’s also not adverse to advising CISOs to quit if they can’t find a common language with the board and key stakeholders. A constantly failing collaboration is not good for the company nor for the appointed CISO.
As noted before, business empathy and strong communication skills are a must. But CISOs also have to have empathy when dealing with the engineering side.
Regardless of the country in which the company operates and the product it develops, every company is an engineering and data company these days, so the CISO role needs to be close to the engineers, Cipollone opines.
“In the USA I’ve seen CISOs positioned closer to the engineering mindset and to products and delivery. Despite the fact that third-party management and governance are an important role of the CISO, a USA-centered CISO is generally more affected by engineering problems,” he told Help Net Security.
“Some organizations in countries across Europe might be driven more by regulation and by etiquette, so the CISO needs to be closer to vendor management and governance rather than the product side.”
Other key leadership lessons he has learned during his career include:
- Mentoring – key to forming the next generation of information security professionals
- Open-source collaboration – helps drive the next generation of products and helps shape the industry
- Collaboration – the closer the collaboration is with similar industry partners, the more reliable the information is.
Taking care of your team
It’s no secret that security teams are overworked. They are expected to keep a constant, watchful eye over everything that’s happening in an organization and to know everything there is to know about security. That’s a lot of pressure to put on an individual and on a team.
To alleviate it, Cipollone advises maintaining a dynamic, ever-expanding and contracting team.
“We need to consistently add new members to the team from another part of the organization or by using graduate schemes or mentorships. We have to promote cultural and gender diversity and open-mindedness. This enables the team to keep a critical mindset and maintain a fresh view on security problems,” he says.
At the same time, team members must enabled to focus and relax: team building activities, research and industry-wide gatherings should be used and encouraged.
“We need to keep security teams interested by encouraging research (during work hours) and participation in industry events like Cloud Security Alliance, OWASP, ISSA meetups,” he advises.
“We should also encourage giving back. Speaking at conferences and meetups will allow this, and participating in these events helps the team keep up-to-date on the situation in the industry without expensive training. It also allows the team to be ‘injected’ with new ideas.”