CISO Sacrifice

How to Hire a CISO

In my experience, the hiring of a CISO is one of the last things on the minds of the overwhelming majority of Boards of Directors (BoD). Well, maybe more accurately, it’s the last role they want to hire. Who wants to spend money on security? Where’s the ROI? While there is often significant kudos for corporate responsibility, its effects on the bottom line are invariably lost in translation.

I’ve written more than enough blogs on why cybersecurity is so essential to every organisation. I’ve even tried to spell out some of its many benefits, but 180 subscribers will hardly change the course of a multi-billion £/€/$/¥ industry.

However, I will count this blog a HUGE success if I succeed in one, and especially both of the following:

  1. An organisation hires the exact right person for their cybersecurity needs; and/or
  2. A prospective CISO asks all the right questions and gets the right job for them.

By far the biggest challenge for organisations in hiring a CISO is doing it for the right reason(s). Unfortunately the reason, 99 times out of 100, is necessity. From landing a big contract, to regulatory compliance, to post-breach PR, the CISO role is often nothing more than an empty suit. Compound this with a BoD that has no idea of the right questions to ask the prospective candidates, and the whole exercise likely started out with little idea of what it was actually trying to achieve.

Security is not about technical requirements, it is a business process, and until the BoD sees it as such no CISO job description (JD) will ever land the right candidates. In security, if you’re not an expert, never ask for what you want; find someone who can fully detail the things you need. You’d be amazed how often these two things are very different.

Steps to Hiring the Perfect CISO

But first, we need to stop thinking about the CISO as a person; the CISO is a function. Or rather, a series of projects that culminates in a function. Security begins with a plan, then evolves through several phases into a coherent cycle of business-enabling processes. I’ve never met a single individual with either the skill-set, or even the interest, to perform all of these phases. I for one would rather chew tinfoil than babysit something that does not require fixing.

Second, I am going to assume that the hiring of the CISO is going to be managed by the BoD; if not, none of these steps make sense.

Finally, I am going to use the types of CISO I defined in The 3 Types of CISO: Know Which You Need to illustrate my point.

Step 1: BoD must finalise three things: 1) their Mission Statement, 2) their Value Statement(s), and 3) their short / medium / long-term business goals.

Step 2: BoD uses all resources at their disposal to find the right resource(s) to turn the Mission/Values/Goals into an appropriate security strategy.

Step 3: Hire a p-CISO (Planner) for Phase 1 – skill-set prerequisites must include:

  • drafting Governance charters and policy sets;
  • standardising and performing initial risk assessments;
  • controls gap analysis;
  • developing business impact analyses (BIA);
  • defining a basic set of minimum security controls; and
  • chairing a Governance Committee meeting (this is a requirement across all 3 CISO types).

[Once Phase 1 tasking is roughly 75% complete, Phase 2 can begin. The p-CISO will be expected to fine-tune the draft JD for the e-CISO and hand over all relevant knowledge / duties.]

Step 4: Hire an e-CISO (Executor) for Phase 2 – skill-set prerequisites must include:

  • matching Policy Set with both business goals and the prevailing corporate culture;
  • coordinating the drafting, socialisation and distribution of procedures and standards with the relevant SMEs;
  • integration and centralisation of security control output into a unified incident response capability;
  • assignment and formalisation of all security responsibilities; and
  • implementation of disaster recovery (DR) and business continuity planning (BCP).

[Once Phase 2 tasking is roughly 75% complete, Phase 3 can begin. The e-CISO will be expected to fine-tune the draft JD for the o-CISO and hand over all relevant knowledge / duties.]

Step 5: Hire an o-CISO (Optimiser) for Phase 3 – skill-set prerequisites must include:

  • performing an objective review of all security controls, including policies (with Internal Audit if available);
  • maintaining their aspect of the company-wide Risk Register in line with the security strategy and business goals;
  • formalising management information and security/risk metrics into a BoD-level reporting process; and
  • implementing a cyclical program for continuous improvement.

Sample Phased Approach

That’s it, 5 simple steps. Very difficult and potentially expensive steps, yes, but simple nonetheless. Clearly these steps are VERY high level, and there is a lot more detail involved than that. This process could also take many months or even years. But the hiring of a CISO is not about finding people, it’s about committing to an idea and doing whatever it takes to bring that idea to life.

For that to happen, the BoD must stay involved. For the CISO roles as defined above to succeed, the BoD needs to use as much of its influence as necessary to fully support them. A dotted-line reporting structure directly to the BoD works best.

In my experience, if you’re looking to hire a CISO to sort out your security, you’ve already started down the wrong path. It’s the CISO who usually ends up paying the price.

If you’ve made it this far, you are probably thinking that the title of the blog should have been: How to Implement a Security Program. And you’d be right, it should, but the people wanting to hire a CISO probably wouldn’t have read it.

[If you liked this article, please share! Want more like it, subscribe!]

CISO Lifespan

Why CSOs / CISOs Only Have a 2 Year Lifespan

In previous blogs I expanded upon two main reasons why CISOs seem to have such a limited lifespan, and why the role is currently one of the most difficult senior leadership roles to both fulfil, and stay in long-term.

In Make the CSO Role a Board Appointment, or Don’t Bother Having One I touched upon the fact that so few CSOs: 1) are hired by the right people or for the right reasons, 2) report to the correct hierarchy, and 3) have the necessary support from the people from whom they need it most.

In The 3 Types of CISO: Know Which You Need I tried to explain why there is effectively no such thing as an ‘all-rounder’ CISO, so expectations are already completely out of line with reality.

I’ve now come up with a third: expecting the CISO alone to fix everything.

While this may be a byproduct of the first two, it is nevertheless important enough to be addressed by itself. And for once, I can’t actually blame the CEO entirely for this issue; the CISO is every bit as culpable.

Consider this scenario: an organisation, for whatever reason, decides it needs a security expert in senior management. Even if the BoD does get involved from the beginning, the organisation will end up writing a job description of some sort. This is no different from going to the doctor, diagnosing yourself, and writing your own prescription.

This description will then be advertised in some fashion, guaranteeing that the only people who respond are the ones wholly unqualified to fill it. In the same way that anyone who wants to be in politics should be stopped from doing so, anyone who responds to a CISO role that they didn’t draft themselves has no idea what they are doing.

There is only one exception to this, and that’s if the organisation has already put the basics of a security program in place and needs someone to optimise it. Everything before this is a series of consulting gigs, the aim of which is to prepare the organisation’s security program to the point a CISO can come in and run with it.

So, whether you’re an organisation looking for a long-term CISO, or a CISO looking for a long-term gig, what do you do?

A Security Program in 10 Difficult-as-Hell Steps


Clearly there are many steps in between these, as none of this appropriately addresses two of the most important aspects of any security program: 1) Senior Leadership’s role in changing the corporate culture, and 2) a Knowledge Management program personified by documented processes and procedures.

But in no way do I wish to downplay the CISO role to one of a babysitter; it is still one of the most difficult roles imaginable. However, I have never met a CISO who joined an organisation at Step 1 and was still the CISO a year or so later. Because the CISO role is perceived by many security professionals as the pinnacle of their career, too few ask the hard questions before committing:

  1. Has the organisation followed the 10 steps? – If no, where are they in the process? If yes:
  2. Am I right for the job? – If no, can I help them find someone who is? If yes:
  3. Do I really want the job? – Go in with your eyes wide open, or again, walk away.

As long as both the organisation and the prospective CISO are fully aware of these issues, there is no reason a CISO can’t go the distance. That said, there is no reason a security program can’t be put on track without one…


The Types of CISO

The 3 Types of CISO: Know Which You Need

In “What’s the CEO Equivalent of The Peter Principle?” I posited that there are 3 kinds of CEO:

  1. Those good at starting a company;
  2. Those good at building start-ups to the point they can go public, or be acquired; and
  3. Those good at leading a company for the long-haul.

…with the theory being that unless the CEO knows which s/he is, s/he’ll eventually run a company into the ground. No CEO is really good at more than one, and I’ve met too many who aren’t good at any of them.

The CISO role is no different, and if you’re looking for one, you had better ask the right questions of your candidates. However, if you are a CISO or want to be one, then you must know which kind you are or you’re setting yourself up for failure.

What Are The 3 Types of CISO?


  1. The Planner: The p-CISO comes in at the beginning of an engagement, before an organisation even knows what it actually needs. Their job is to design a security program that does the only thing it’s supposed to: support / enable the company’s business goals. The p-CISO must also write the Governance Charter, get the CEO to sign it, then implement the Governance Committee. 99% of all security programs fail at this stage, so this is perhaps the most difficult task of all.
     Of the 3 types, this is the most creative, but also the least detail-oriented, which is why they probably should not try to run the program long-term.
  2. The Executor: e-CISOs get things done. They take the hand-off from the p-CISO and put the agreed plan into action. While this may seem more like project management, there is a lot more to it than that. Putting a security program in place takes a shift in an organisation’s entire culture. Installing a firewall is easy; getting the CEO to accept full accountability for the ISMS is a Herculean task.
     This type has the rare ability to focus on enormous amounts of detail, but is political enough to bring the people components together.
  3. The Optimiser: o-CISOs are in it for the long haul. These are the folks that take the still-raw security program and make sure it gets fully instilled in the company culture and business-as-usual processes. They will also likely Chair or Co-Chair the Governance Committee.
     The most political of the 3 types, and it is the o-CISO’s incredibly difficult task to ensure that IT, IT Security, AND the business side all do their part. The depth and breadth of the position makes it one of the most difficult jobs imaginable.

Ignorance of these 3 types certainly goes a long way to explain why CISOs last less than 2 years on average. Organisations ask the wrong questions, and prospective CISOs have little concept of their own limitations.

I’m not saying that there is no overlap in these roles; there is. I’m also not saying that a single individual can’t be fairly good at more than one; they can. What I am saying is that, in practice, the skill-sets required to be REALLY good at these roles are mutually exclusive. e.g. I have never met someone who thrives on creating something from scratch (p-CISO) and also has any interest whatsoever in baby-sitting something for the long haul (o-CISO).

And that’s OK; you don’t just have one kind of doctor, or lawyer, so why should a CISO be any different?

Unfortunately, too often the CISO role is seen as the ultimate goal in the career of a cybersecurity expert. But the fact remains that this role suits very few people long-term. Both p- and e-CISOs are senior-level consultants; only the o-CISO is a long-term employee.

And let’s not forget the point of Make the CSO Role a Board Appointment, or Don’t Bother Having One: the CISO is no different.

I’d be very interested to hear what actual CISOs think of this theory.


Can Governance Replace the CISO?

Perform research on IT Governance models and you’ll eventually come across the concept of People, Process, & Technology (The Golden Triangle). Yet another concept whose origination has been lost in time (it was not Bruce Schneier), but one whose evolution has polarised the security industry.

On the one side you have the technology-first advocates. Even a security icon like Bruce Schneier says: “We rely far too much on policy and people, neither of which are reliable, especially when dealing with fast-changing, large scale infrastructures.” Oddly enough you’ll find most of the security product vendors in this camp too. I know, weird huh?

Then you have the side that I’m on, that says all the technology in the world can’t fix stupid. The enormous benefits that can be derived from technology are only achievable if the people put the processes in place to make the technologies effective.

In cybersecurity, technology can only enhance, it cannot fix.

Yes, of course technology is critical; why do you think I rage against PCI’s ‘daily review’ of log files so much? No, I do not believe that an organisation can ever achieve good security without the automation that only technology can bring, but putting technology first is the definitive cart before the horse.

In cybersecurity, technology can only enhance something that already works, it cannot replace it entirely.

So, to me, the job of the CISO is to get the three aspects of the golden triangle into line with the only thing that matters: the business goals. In the digital age, technology is the ultimate enabler, and the CSO/CISO is the ultimate facilitator of that technology. The IT security function gets involved in everything from M&A to compliance, from incident response to internal audit, and it’s the CISO’s role to bring it all together into a sustainable program. One that is only ever appropriate to the business’s needs and no more.

But none of this is possible without Governance. The CISO, as a facilitator, is only a bridge between the business goals and the means to get there. It’s the Governance function that gets the job done.

Also, not every organisation can afford a CISO, and frankly nor should they even contemplate one if there is no discernible return on investment. This is where the Virtual CISO can come into play, and from my perspective, it’s the only reason to consider one. It’s the v-CISO’s job to train the governance committee (or whatever it’s called) to do what CISOs do.

Too many organisations are instantly turned off by the word ‘Governance’. At best it’s seen as unnecessary bureaucracy, at worst it’s perceived as some kind of dystopian ‘Big Brother’. Nothing could be further from the truth: it’s not a department, it’s not an institution, it’s a function, one designed to help keep a business IN business.

EVERY organisation needs governance, regardless of size, region, or industry sector. The governance charter, membership, responsibilities, and operation will vary considerably, but all need to be appropriate, and of measurable benefit.

Only someone with the skill-set of a true CISO can put this in place in such a way as to be sustainable without them. But only a Governance function can keep it going.



Make the CSO Role a Board Appointment, or Don’t Bother Having One

I’ve been reading a lot recently about how Boards of Directors (BoD) are starting to take cyber security more seriously. While I applaud this, and believe the trend can only be a good thing, in practice this is little more than lip-service.

Example scenario – let’s assume the CEO is not actually on the BoD:

Step 1: The Chairman, after receiving the requisite vote, will task the CEO with establishing a CSO position;

Step 2: The CEO tasks the senior IT person in the company (usually the CTO) with finding a suitable candidate; and

Step 3: The CTO hires someone who ends up reporting directly to them.

Any one of these steps by itself is a mistake, but all three combined will result in the CSO role being nothing more than smoke and mirrors, or an empty suit. Having a CSO in this scenario may look good on paper, but they will be utterly ineffectual.

Per Steps 1 & 2 – Instead, if the BoD makes itself accountable for the CSO role, it will have no choice but to do some homework. Its members won’t know the right questions to ask, so they have to find someone(s) who can. Few people I have seen make it to BoD level without significant networks and/or support teams to tap into. They should use them.

The added benefit of having the BoD take such an active role in the CSO selection is they will have a much better understanding of what the person filling the role will actually be doing! Watching CSOs ask for budget from BoDs is a painful experience at best, and with just a little background the BoD can begin to speak the same language. The right CSO will already be familiar with the conversation in the other direction.

Per Step 3 – Having a CSO report to a CTO is as much use as hubcaps on a tractor; even reporting to the CEO has its limitations. While there is no way the BoD would/should take an active day-to-day role in the running of the company, having the CSO dotted-line into them gives the CSO the authority to perform their function properly. Anyone who can be fired out of hand for saying things the CEO doesn’t like will likely say very little. And let’s be clear, an ‘open seat’ CSO will have a LOT to say.

In effect, the CSO role is very similar to Internal Audit. They are certainly answerable to the CEO for the majority of their function, but their jobs are not [necessarily] at risk if the findings are not what the CEO wants to hear. The dotted-line into the BoD makes all the difference in the world.

All that said, the CSO role is a very attractive one for most security professionals. It’s often seen as the ultimate goal, which is why new CSOs have a VERY short life expectancy in their first few gigs; THEY don’t ask the right questions.

As things currently exist, there are only 3 questions a good CSO can ask before joining an organisation:

  1. Can I talk to the CEO? – [If no, walk away.]
  2. To whom will I be reporting? – [If anyone lower than the CEO, walk away.]
  3. Does IT Security have its own budget? – [If no, you’ll likely spend most of your time begging for resources. Proceed at your own peril.]

Much like the CTO, a good CSO can be one of an organisation’s ultimate enablers, assuming they have not been hamstrung before they’ve even started.
