CISO Sacrifice

How to Hire a CISO

In my experience, the hiring of a CISO is one of the last things on the minds of the overwhelming majority of Board of Directors (BoD). Well, maybe more accurately; it’s the last role they want to hire. Who wants to spend money on security? Where’s the ROI? While there is often significant kudos for corporate responsibility, its effects on the bottom line are invariably lost in translation.

I’ve written more than enough blogs on why cybersecurity is so essential to every organisation. Even tried to spell out some of its many benefits, but 180 subscribers will hardly change the course of a multi-billion £/€/$/¥ industry.

However, I will count this blog a HUGE success if I succeed in one, and especially both of the following:

  1. An organisation hires the exact right person for their cybersecurity needs; and/or
    o
  2. A prospective CISO asks all the right questions and gets the right job for them.

By far the biggest challenge for organisations in hiring a CISO is doing it for the right reason(s). Unfortunately the reason, 99 times out of 100, is necessity. From landing a big contract, to regulatory compliance, to post-breach PR, the CISO role is often nothing more than an empty suit. Compound this with the BoD having no idea of the right questions to ask the prospective candidates, the whole thing likely started out with little idea of what they were actually trying to achieve.

Security is not about technical requirements, it is a business process, and until the BoD see it as such no CISO job description (JD) will ever land the right candidates. In security, if you’re not an expert, never ask for what you want, find someone  who can fully detail the things you need. You’d be amazed how often these things are very different.

Steps to Hiring the Perfect CISO

But first, we need to stop thinking about the CISO as a person, CISO is a function. Or rather, a series of projects that culminates in a function. Security begins with a plan, then evolves through several phases into a coherent cycle of business enabling processes. I’ve never met a single individual with either the skill-set, or even the interest, to perform all of these phases. I for one would rather chew tinfoil than babysit something that does not require fixing.

Second, I am going to assume that the hiring of the CISO is going to be managed by the BoD, if not, none of these steps make sense.

Finally, I am going to use the types of CISO I defined in The 3 Types of CISO: Know Which You Need to illustrate my point.

Step 1: BoD must finalise three things: 1) their Mission Statement, 2) their Value Statement(s), and 3) their short / medium / long-term business goals.

Step 2: BoD uses all resources at their disposal to find the right resource(s) to turn the Mission/Values/Goals into an appropriate security strategy.

Step 3: Hire a p-CISO (Planner) for Phase 1 – skill-set prerequisites must include:

  • drafting Governance charters and policy sets;
  • standardising and performing initial risk assessments;
  • controls gap analysis;
  • developing business impact analyses (BIA);
  • defining a basic set of minimum security controls; and
  • chairing a Governance Committee meeting (this is a requirement across all 3 CISO types).

[Once Phase 1 tasking is roughly 75% complete, Phase 2 can begin. the p-CISO will be expected to fine-tune the draft JD for the e-CISO and hand over all relevant knowledge / duties.]

Step 4: Hire an e-CISO (Executor) for Phase 2 – skill-set prerequisites must include:

  • matching Policy Set with both business goals and the prevailing corporate culture;
  • socialisation and distribution of procedure and standard document coordination to relevant SMEs;
  • integration and centralisation of security control output into a unified incident response capability;
  • assignment and formalisation of all security responsibilities; and
  • implementation of disaster recovery (DR) and business continuity planning (BCP).

[Once Phase 2 tasking is roughly 75% complete, Phase 3 can begin. the e-CISO will be expected to fine-tune the draft JD for the o-CISO and hand over all relevant knowledge / duties.]

Step 5: Hire an o-CISO (Optimiser) for Phase 3 – skill-set prerequisites must include:

  • performing an objective review of all security controls including policies (with Internal Audit if available);
  • maintain their aspect of the company-wide Risk Register in-line with the security strategy and business goals;
  • formalise management information and security/risk metrics into a BoD-level reporting process; and
  • implement a cyclical program for continuous improvement.

Sample Phased Approach

That’s it, 5 simple steps. Very difficult and potentially expensive steps, yes, but simple nonetheless. Clearly these steps are VERY high level, and there is a lot more detail involved than that. This process could also take many months or even years. But the hiring of a CISO is not about finding people, it’s about committing to an idea and doing whatever it takes to bring that idea to life.

For that to happen, the BoD must stay involved. For the CISO roles as defined above to succeed the BoD needs to use as much of its influence as necessary to fully support them. A dotted line reporting structure directly to the BoD works best.

In my experience, if you’re looking to hire a CISO to sort out your security, you’ve already started down the wrong path. It’s the CISO who usually ends up paying the price.

If you’ve made it this far, you are probably thinking that the title of the blog should have been: How to Implement a Security Program. And you’d be right, it should, but the people wanting to hire a CISO probably wouldn’t have read it.

[If you liked this article, please share! Want more like it, subscribe!]

Can Governance Replace the CISO?

Perform research on IT Governance models and you’ll eventually come across the concept of People, Process, & Technology (The Golden Triangle). Yet another concept whose origination has been lost in time (it was not Bruce Schneirer), but one whose evolution has polarised the security industry.

On the one side you have the technology-first advocates. Even a security icon like Bruce Schneier says; “We rely far too much on policy and people, neither of which are reliable, especially when dealing with fast-changing, large scale infrastructures.“. Oddly enough you’ll find most of the security product vendors in this camp too. I know, weird huh?

Then you have the side that I’m on, that says all the technology in the world can’t fix stupid. The enormous benefits that can be derived from technology are only achievable if the people put the processes in place to make the technologies effective.

In cybersecurity, technology can only enhance, it cannot fix.

Yes, of course technology is critical, why do you think I rage against PCI’s ‘daily review’ of logfiles so much? No, I do not believe that an organisation can ever achieve good security without the automation that only technology can bring, but putting technology first is the definitive cart before the horse.

In cybersecurity, technology can only enhance something that already works, it cannot replace it entirely.

So, to me, the job of the CISO is to get the three aspect of the golden triangle into line with the only things that matters; the business goals. In the digital age, technology is the ultimate enabler, and the CSO/CISOs the ultimate facilitators of that technology. The IT security function gets involved in everything from M&A to compliance, from incident response to internal audit, it’s the CISO’s role to bring it all together into a sustainable program. One that that is only ever appropriate to the business’s needs and no more.

But none of this is possible without Governance. The CISO, as a facilitator, is only a bridge between the business goals and the means to get there. It’s the Governance function that gets the job done.

Also, not every organisation can afford a CISO, and frankly nor should they even contemplate one if there is no discernible return on investment. This is where the Virtual CISO can come into play, and from my perspective, the only reason to consider one. It’s the v-CISO’s job to train the governance committee (or whatever it’s called) to do what CISOs do.

Too many organisations are instantly turned off by the word ‘Governance’. At best it’s seen as unnecessary bureaucracy, at worst it’s perceived as some kind of dystopian ‘Big Brother’. Nothing could be further from the truth; it’s not a department, it’s not an institution, it’s a function, one designed to help keep a business IN business.

EVERY organisation needs governance, regardless of size, region, or industry sector. The governance charter, membership, responsibilities, and operation will vary considerably, but all need to be appropriate, and of measurable benefit.

Only someone with the skill-set of a true CISO can put this in place in such a way as to be sustainable without them. But only a Governance function can keep it going.

[If you liked this article, please share! Want more like it, subscribe!]

 

Virtual CISO

Are ‘Virtual CISOs’ a Good Idea?

Type “virtual CISO” into Google and you’ll get ~240,000 hits, with the top 10 being mostly vendors who offer this as a service. I have no doubt much of the remaining pages are the same.

In other words, just about every security vendor out there is seeing a need, and they want to be the ones to fill it. As a corollary, if organisations weren’t crying out for the service, no-one would be offering it.

I am no different, in that I too see a massive gap in senior leadership security expertise that no one in-house can fill. Due to price constraints, it is quite often inappropriate to fill such a senior and specialised role on a full-time basis. Where I differ is the length and function of the v-CISO, as I cannot see how an indefinite ‘outsourcing’ is in my client’s best interest.

Let’s face it, once you outsource the function of something, it is a very small step to try and outsource the responsibility for it too. And finally, if you got away with that, an attempt at shirking the accountability is never far behind. This is where both organisations asking for help, and v-CISOs alike, make their biggest mistake.

The v-CISO should never be a long-term proposition, which is why I call my service an ‘Interim Security Chief’. While this may seem like semantics, it’s the difference between doing the work for you, and enabling you to do it for yourselves.

First and foremost, a v-CISO should be a teacher and a mentor, not [necessarily] a ‘doer’. Yes, they can design big-picture processes, from secure architecture to governance charters, but they had better not be expected to own them. A good v-CISO is nothing more than an consultant at the senior management level, and any deliverables must be sustainable long after they have moved on.

That said, I see nothing wrong with a v-CISO remaining part of ‘steering committees’, providing ongoing security awareness training, or even taking part in incident response testing. But, once the CISO functions have been absorbed internally, the v-CISO becomes part of the cycle for continuous improvement only. They stay around to provide strategic input on industry trends and the changing threat landscape, they don’t dictate the enterprise goals.

What You Should  Expect From a v-CISO

These are the three main things you should expect from a v-CISO, take particular note of the transience of each deliverable.

  1. Governance Charter Development – There is no security program without Governance, and there is no better platform onto which the v-CISO can pass on their operational function. This committee can in fact replace the v-CISO in due course, but may bring them back in as a trusted advisor or SME. The members of the governance committee will share the CISO function amongst themselves based on individual capability, and their meetings will bring it all together.
    o
  2. Policies & Security Awareness Training – Along with governance, policies are intrinsic to a security program, and along with the formation of that committee, represent the most important part of a v-CISO’s role. Unless the polices are in place, and all employees appropriately trained, nothing else they try to do will work effectively.
    o
  3. Process Development – Security programs consist of a number of critical processes, all of which must be developed, tested, tested again, and take their place in the never-ending cycle of improvement and business as usual. These are the big ones:o
    • Risk Management – Includes the enterprise-wide risk assessment and risk treatment procedures.
    • Vulnerability Management – Keeping up with the threat landscape.
    • Vendor Due Diligence & RFPs – Significant aspects of the security program will likely be outsourced to skilled providers, so the right questions must be asked.
    • Event Management & Incident Response – Bringing all the controls together into a business saving process.
    • Disaster Recovery & Business Continuity – What to do if everything goes completely pear-shaped.

Anything else the v-CISO does will depend on the organisation’s needs and the v-CISO’s skill-set.

But what about Strategic Advice, Board Level Interface, Regulatory Compliance Lead and a whole host of other fancy names / clichés? Yes, these are all important, but are utterly meaningless until the basics are in place.

Any security program put in place by a v-CISO must be in-line with the business’s goals, appropriate to their needs, and sustainable in their absence. So if you’re on the market for a v-CISO, you had better know what you need, or you’ll get what a salesperson thinks you asked for.

[If you liked this article, please share! Want more like it, subscribe!]
o