CISO Sacrifice

How to Hire a CISO

In my experience, the hiring of a CISO is one of the last things on the minds of the overwhelming majority of Board of Directors (BoD). Well, maybe more accurately; it’s the last role they want to hire. Who wants to spend money on security? Where’s the ROI? While there is often significant kudos for corporate responsibility, its effects on the bottom line are invariably lost in translation.

I’ve written more than enough blogs on why cybersecurity is so essential to every organisation. Even tried to spell out some of its many benefits, but 180 subscribers will hardly change the course of a multi-billion £/€/$/¥ industry.

However, I will count this blog a HUGE success if I succeed in one, and especially both of the following:

  1. An organisation hires the exact right person for their cybersecurity needs; and/or
    o
  2. A prospective CISO asks all the right questions and gets the right job for them.

By far the biggest challenge for organisations in hiring a CISO is doing it for the right reason(s). Unfortunately the reason, 99 times out of 100, is necessity. From landing a big contract, to regulatory compliance, to post-breach PR, the CISO role is often nothing more than an empty suit. Compound this with the BoD having no idea of the right questions to ask the prospective candidates, the whole thing likely started out with little idea of what they were actually trying to achieve.

Security is not about technical requirements, it is a business process, and until the BoD see it as such no CISO job description (JD) will ever land the right candidates. In security, if you’re not an expert, never ask for what you want, find someone  who can fully detail the things you need. You’d be amazed how often these things are very different.

Steps to Hiring the Perfect CISO

But first, we need to stop thinking about the CISO as a person, CISO is a function. Or rather, a series of projects that culminates in a function. Security begins with a plan, then evolves through several phases into a coherent cycle of business enabling processes. I’ve never met a single individual with either the skill-set, or even the interest, to perform all of these phases. I for one would rather chew tinfoil than babysit something that does not require fixing.

Second, I am going to assume that the hiring of the CISO is going to be managed by the BoD, if not, none of these steps make sense.

Finally, I am going to use the types of CISO I defined in The 3 Types of CISO: Know Which You Need to illustrate my point.

Step 1: BoD must finalise three things: 1) their Mission Statement, 2) their Value Statement(s), and 3) their short / medium / long-term business goals.

Step 2: BoD uses all resources at their disposal to find the right resource(s) to turn the Mission/Values/Goals into an appropriate security strategy.

Step 3: Hire a p-CISO (Planner) for Phase 1 – skill-set prerequisites must include:

  • drafting Governance charters and policy sets;
  • standardising and performing initial risk assessments;
  • controls gap analysis;
  • developing business impact analyses (BIA);
  • defining a basic set of minimum security controls; and
  • chairing a Governance Committee meeting (this is a requirement across all 3 CISO types).

[Once Phase 1 tasking is roughly 75% complete, Phase 2 can begin. the p-CISO will be expected to fine-tune the draft JD for the e-CISO and hand over all relevant knowledge / duties.]

Step 4: Hire an e-CISO (Executor) for Phase 2 – skill-set prerequisites must include:

  • matching Policy Set with both business goals and the prevailing corporate culture;
  • socialisation and distribution of procedure and standard document coordination to relevant SMEs;
  • integration and centralisation of security control output into a unified incident response capability;
  • assignment and formalisation of all security responsibilities; and
  • implementation of disaster recovery (DR) and business continuity planning (BCP).

[Once Phase 2 tasking is roughly 75% complete, Phase 2 can begin. the e-CISO will be expected to fine-tune the draft JD for the o-CISO and hand over all relevant knowledge / duties.]

Step 5: Hire an o-CISO (Optimiser) for Phase 3 – skill-set prerequisites must include:

  • performing an objective review of all security controls including policies (with Internal Audit if available);
  • maintain their aspect of the company-wide Risk Register in-line with the security strategy and business goals;
  • formalise management information and security/risk metrics into a BoD-level reporting process; and
  • implement a cyclical program for continuous improvement.

Sample Phased Approach

That’s it, 5 simple steps. Very difficult and potentially expensive steps, yes, but simple nonetheless. Clearly these steps are VERY high level, and there is a lot more detail involved than that. This process could also take many months or even years. But the hiring of a CISO is not about finding people, it’s about committing to an idea and doing whatever it takes to bring that idea to life.

For that to happen, the BoD must stay involved. For the CISO roles as defined above to succeed the BoD needs to use as much of its influence as necessary to fully support them. A dotted line reporting structure directly to the BoD works best.

In my experience, if you’re looking to hire a CISO to sort out your security, you’ve already started down the wrong path. It’s the CISO who usually ends up paying the price.

If you’ve made it this far, you are probably thinking that the title of the blog should have been: How to Implement a Security Program. And you’d be right, it should, but the people wanting to hire a CISO probably wouldn’t have read it.

[If you liked this article, please share! Want more like it, subscribe!]

Peerlyst: Essentials of Cybersecurity

PEERLYST e-book: “Essentials of Cybersecurity”

In almost 4 years, and over 250 blogs, I have only promoted something  – other than myself of course – once: The Analogies Project.

I find myself doing the same thing for PEERLYST for much the same reasons; 1) it’s purpose is to educate, not sell, 2) it’s members are incredibly generous with their time, and 3) it’s free. I recommend that anyone already in, or WANTS to be in the field of cybersecurity, to not only join, but actively participate.

To me, an important measure of any of these forums is the output. I’m not looking to promote myself or my business – that’s LinkedIn, I’m not looking to vent – that’s Facebook, and I’m not looking to be as pointless as Donald Trump – that’s Twitter. Therefore, a forum that allows me to share my knowledge to anyone desperate enough to listen, as well as support me in the countless instances where I need guidance, will get my attention.

As for output, PEERLYST recently published a new e-book – their second – free to all members; “Essentials of Cybersecurity[The link will only work if you’re already a member]. It consisted of 10 Chapters, the first of which I was given the honour of writing:

  1. Starting at the Beginning: Why You Should Have a Security Program by me
  2. Understanding the Underlying Theories of Cybersecurity by Dean Webb
  3. Driving Effective Security with Metrics by Anthony Noblett
  4. A Security Compromise Lexicon by Nicole Lamoureux
  5. Building a Corporate Security Culture by Dawid Balut
  6. Why People Are Your Most Important Security Asset by Darrell Drystek
  7. Basic Security Hygiene Controls and Mitigations by Joe Gray
  8. Understanding Central Areas of Enterprise Defense by Brad Voris
  9. Telecom Security 101: What You Need to Know by Eric Klein
  10. Strengthen Your Security Arsenal by Fine-Tuning Enterprise Tools by Puneet Mehta

Some of these folks not only donated significant amounts of their time on this e-book, but have already signed themselves up for one of the THREE new e-books already in the works! THIS is the kind of forum with which I want to be associated.

Go take a look, hope to see you there.

[If you liked this article, please share! Want more like it, subscribe!]

Don't say no

In Cybersecurity? Remove “No” From Your Vocabulary!

In the vast majority of organisations for whom I’ve provided guidance, the security departments are seen as something to work around, not alongside. In not one of those organisations was security actually seen the critical and intrinsic-to-the-business asset is can, and should be.

While I have written incessantly about this all being the CEO’s fault for not creating the necessary culture, the fact remains that most security professionals do themselves no favours. However good intentioned our actions may be, most of us completely miss the point. Like it or not, our entire existence is predicated on achieving the following:

“To provide the business with all the information, and as much context, as we can to enable them to make the best decision they can.”

Yes, that may include decisions that we in security would consider completely unacceptable, and would likely never make ourselves. It also may even include decisions that turn out to be really bad ones, but that’s just as much our failure as theirs.

The bottom line is that if we cannot speak the business’s language, if we are unable to convince them of the risks, we have failed them. There is no room for towering egos or hubris in security, it does not matter what we want, it only what the business needs. This will never be our decision, and we should never expect the business to speak our language.

I’m not saying that if you’re a cybersecurity professional that you have to say yes all the time, but you should avoid saying no whenever possible. Frankly, it’s not your job to do so. And as much as we would love to believe that as security experts we’re here to help, and that we have the best interests of our clients at heart, we will never be anything more than enablers. What’s more, if we’re anything less than that, there’s little point in having us around.

In the movie Office Space, one of the most cringe-worthy moments was when Bill Lumber reveals the “Is this good for the Company” banner. I remember laughing at the ridiculousness of the message, and laughing again when our hero tears it down. Almost 18 years later, here I am expounding the exact same message as that banner.

Why?

Because in security, we rarely have enough knowledge of the company’s big picture to put our guidance and recommendations into the right context. Even if we know that the company’s long-term goals are, unless we sit on the board we are in no position to appropriately address the risk appetite. A Sword of Damocles scenario to us, may well be a necessary gamble to keep the business competitive.

That leaves us only 2 things to do:

o

  1. Explain risk in the format they respond to best; detail the impact of not doing what we suggest; provide suitable alternatives; and
    o
  2. Cover your arse by having THEM sign-off on the residual risk.

The business does not need our approval to proceed with even the most egregious risks, but that does not mean we have to like it. Legal have far more power than we’ll ever have, but even they have to compromise. That said, we are fully entitled to document our objections as part of the final sign-off, but we should never take this personally.

As a corollary to the last paragraph, never, EVER say “I told you so”! Given that it’s likely partially your fault that senior leadership didn’t make the right decision, your only focus should be to help mitigate the negative impact. Take the high road, you’ll be employed longer.

In the simplest terms, map everything on your Risk Register to the business’s goals, and only worry about the things that impact them. Doing the right thing in security is rarely, if ever, measured by security metrics, it’s measured by the company’s success.

[If you liked this article, please share! Want more like it, subscribe!]

CISO Lifespan

Why CSOs / CISOs Only Have a 2 Year Lifespan

In previous blogs I expanded upon two main reasons why CISOs seem to have such a limited lifespan, and why the role is currently one of the most difficult senior leadership roles to both fulfil, and stay in long-term.

In Make the CSO Role a Board Appointment, or Don’t Bother Having One I touched upon the fact that so few CSOs; 1) are hired by the right people or for the right reasons, 2) report to the correct hierarchy, and 3) have the necessary support from the people from whom they need it most.

In The 3 Types of CISO: Know Which You Need I tried to explain why there is effectively no such thing as an ‘all-rounder’ CISO, so expectations are already completely out of line with reality.

I’ve now come up with a 3rd; Expecting the CISO alone to fix everything.

While this may be a byproduct of the first two, it is nevertheless important enough to be addressed by itself. And for once, I can’t actually blame the CEO entirely for this issue, the CISO is every bit as culpable.

Consider this scenario; An organisation, for whatever reason, decides it needs a security expert in senior management. Even if the BoD does get involved from the beginning, the organisation will end up writing a job description of some sort. This is no different from going to the Doctor’s, diagnosing yourself, and writing your own prescription.

This description will then be advertised in some fashion, guaranteeing that the only people who respond are the ones wholly unqualified to fill it. In the same way that anyone who wants to be in politics should be stopped from doing so, anyone who responds to a CISO role that they didn’t draft themselves has no idea what they are doing.

There is only one exception to this, and that’s if the organisation has already put the basics of a security program in place and need someone to optimise it. Everything before this is a series of consulting gigs, the aim of which is to prepare the organisation’s security program to the point a CISO can come in and run with it.

So, whether you’re an organisation looking for a long-term CISO, or a CISO looking for a long-term gig, what do you do?

A Security Program in 10 Difficult-as-Hell Steps

o

Clearly there are many steps in between these, as none of this appropriately addresses two of the most important aspects of any security program; 1) Senior Leadership’s role in changing the corporate culture, and 2) a Knowledge Management program personified by documented processes and procedures.

But in no way do I wish to downplay the CISO role to one of a babysitter, it is still one of the most difficult roles imaginable. However, I have never met a CISO who joined an organisation at Step 1, and was still the CISO a year or so later. Because the CISO role is perceived by many security professionals as the pinnacle of their career, too few ask the hard questions before committing;

  1. Has the organisation followed the 10 steps? – If no, where are they in the process?. If yes;
  2. Am I right for the job? – If no, can I help them find someone who is. If yes;
  3. Do I really want the job? – Go in with your eyes wide open, or again, walk away.

As long as both the organisation and the prospective CISO are fully aware of these issues, there is no reason a CISO can’t go the distance. That said, there is no reason a security program can’t be put on track without one…

[If you liked this article, please share! Want more like it, subscribe!]

Cybersecurity Professional

So You Want to be a Cybersecurity Professional?

Like almost everything else in my life (e.g. marriage, fatherhood), I became a cybersecurity professional with little to no planning. I was happily plodding along with zero direction, and even less qualifications, when an employer required me to get an MCSE in Windows NT.

In a very short time I realised that if I was looking at a computer my boss thought I was working, so being lazy, IT was the career for me! However, I did get bored, so when I received a call about my resume on Monster.com from a start-up cybersecurity company, I jumped at the chance. A little homework showed that security was the place to be in IT, even then, especially when the company consisted almost entirely of incredibly smart ex-NSA types.

This was in 2000.

In the 16 subsequent years I have gone from firewall admin, to managed service manager, to consultant, to manager of consultants, to self-employed. I have loved [almost] every minute of it. The funny thing is though, I have no passion for security per se, I just love helping others fix broken stuff. Especially processes.

There is a LOT of work out there.

So my first piece of advice; decide why you want to be a cybersecurity professional in the first place. If it’s just for the money, move on to something else, you’re not welcome here. Having performed the Keirsey Temperament test on 30-odd security consultants across the globe, it was clear that certain characteristics are dominant in their type (ESTJ). Bottom line; they actually care, and they are:

  • Highly social and community minded;
  • Generous with their time and energy;
  • Hard working; and
  • Friendly and talk easily to others.

That’s not to say others can’t do well (I’m an INTJ for example), but you have to know yourself before you know what aspect of security would suit you best. Follow the money, or choose something for which you are not suited, and you will likely fail.

Then Bear These Things in Mind…

  1. Qualifications: A degree in cybersecurity should not be seen as a pre-requisite, as certifications are almost as much good, and neither of these things can trump experience. Regardless of your qualifications, you will start at the bottom, and there is no better place to learn. Make the most of it.
    o
  2. Specialise or Generalise: You’ll need to decide very quickly which you’re going to be; Specialist, or Generalist. You cannot be both, there are just too many aspects of cybersecurity. Medicine, law, engineering, and a whole host of other careers are the same, you must find what suits you best.
    o
  3. Learn the Basics: Jumping straight into a career in User and Entity Behavior Analytics (UEBA) or Intelligence-Driven Security Operations Center Orchestration Solutions (whatever the hell that is) may be tempting, but you are not doing your career, or more importantly, your clients, any favours. From Confidentiality, Integrity & Availability, to Risk Assessment, Asset Management, to Policy & Procedure, the basics have never, and will never change. Whenever you find yourself stuck, only the basics can give you a clear way forward.
    o
  4. Choose a Camp: Unfortunately most cybersecurity professionals tend to fall into one of two camps; 1) those focused primarily on Technology, and 2) those focused primarily on People and Process. These are two distinct skill-sets, so know which you are, and make sure you pair up with a counterpart.
    o
  5. Ask for Help: I got where I am without a mentor as such, but I most certainly didn’t get here without a LOT of help. Nor would I be able to stay here without the constant support of my peers. If there’s one thing I love about cybersecurity professionals it’s their generosity and desire to help. So join your local chapter of ISC2, ISACA and / or ISSA and start talking to people.
    Use mentors too if you can, as while I have few regrets in my career path, not having mentor is one of them.

Without question, a career in cybersecurity can be very rewarding, both in personal achievement and financial terms. It can also chew you up and spit you out if you’re not careful.

In the end, cybersecurity will give as much back as you put in, there are no shortcuts.

[If you liked this article, please share! Want more like it, subscribe!]