The single most important thing you can do is to start building the relationships and political capital you’ll need to run your security program. Here’s how.
In any new job, it’s important to assess the lay of the land. But when you start a new CISO role — whether it’s your first or fifth — there’s more to it than getting to know new co-workers. You need to appraise the political landscape of the organization.
Why did this organization need a new CISO? Did the last person simply move on, or was there an incident? Often, CISOs are asked to move on in the event of a serious breach. In these cases, whoever is next in line typically has a lot more license to make changes than they would in an organization that had not recently been breached.
Alternatively, were you promoted from within? If so, you should already understand how things work, but you’ll need to quickly acquaint yourself with the political realities of being a security leader.
Once you understand your starting point, there are four key questions you’ll need to answer during your first 30 days on the job:
Question 1: How does the organization view the CISO role? Are you part of the executive team, or is it a less senior, more operational role? The amount of “power” associated with your position will have a big impact on your ability to make changes.
Question 2: Who does the role answer to? Is your boss the CEO, or an executive who answers to the CEO? If so, you’ll have a lot more political sway than if you’re reporting to somebody lower down the food chain.
Question 3: What is the organization’s tolerance for risk? Find this out by speaking with your boss and/or the CEO, members of the board, and even your predecessor, if possible. Have there been any recent security or privacy incidents, or negative media attention? Are any regulatory bodies involved? Understanding the organization’s risk tolerance — both culturally and what’s needed to satisfy compliance — will help you determine the foundation of your security program’s risk management and investment strategy.
Question 4: What is the organization’s appetite for change? This will determine how ambitious you can be with your plans to improve the security program. Keep in mind that most organizations don’t have much appetite for change, even if it’s fashionable to claim “innovation” and “reactiveness” are part of the organization’s DNA. Ironically, a quirk of the CISO role is that life is often easier if your organization has recently been breached, especially if it was publicized in the media. Why? Because the appetite for change in an organization that has suffered a breach is typically much higher than in an organization that hasn’t.
Assessing the Current State of Security
Before you can think about improvements, you will need to assess the maturity of your security program. This should be done with a recognized industry framework in mind, for two reasons:
- Ultimately linking to a framework people know will give your assessment credibility; and,
- Even if done only at a high level, linking to a framework helps to compare your maturity with other comparable organizations and/or industries.
The framework you choose will depend on your industry and geography. Since many frameworks are “control” focused, your maturity assessment may need to extend beyond the bounds of those controls and include elements that are more strategic: for example, how well you align with the business, or your ability to get funding and resources allocated across the organization to improve the controls outlined in the chosen framework.
Ideally, you should have your program assessed by an external organization. Having an external assessor makes life much easier politically when issues are raised, compared with “the newbie” pointing out problems. If an external assessment isn’t possible, whether because of a lack of resources or a company’s predisposition against external assessments, you’ll need to arrange for an assessment to be completed internally.
If an assessment was completed before you were hired, you will need to consider:
- What was the purpose of the assessment?
- Was it internal or external?
- Can you rate the quality of the assessors?
- Was it comprehensive and in line with an industry framework?
- Is there any discernible bias to the results?
Whatever happens, you’ll also want to conduct your own private assessment. So long as the formal assessment matches approximately with your own, you should be in a good position to move forward.
Building Relationships and Political Capital
The single most important thing you can do as a new CISO is start building the relationships and political capital you’ll need to run your security program. This is going to require a lot of your time — particularly if this is your first CISO role — and the first month is critical.
Speak with key players in the business — members of the executive team, in particular — to understand how security is perceived and what you can do to ensure your program is seen to enable the business instead of holding it back. The CISO who is perceived as a business enabler will instill confidence in his or her leadership and program within the organization.
Your ability to make these connections will depend on your standing. If you are a C-level executive (or your boss is) it will be much easier to arrange the meetings you need to introduce yourself and start building key relationships. Lower down in the hierarchy, you may need to look for other ways to make contact — for example, by setting up a risk committee that includes senior members of each department.
This article was originally featured in Dark Reading.
As a refresher, what is the problem in a nutshell?
Security risks now have board-level attention and CISOs struggle to present information about their security program in ways decision-makers can understand.
They need a single solution that allows them to programmatically plan, execute and measure their programs, and the means to show their boards and executive peers the relevant metrics to justify plans and investments.
The challenge, however, has always been creating a centralized view and providing meaningful information that non-technical professionals, such as business leaders and boards of directors, find meaningful.
What is the solution?
The solution is to have a central place for all the relevant data, including plans, priorities, maturity metrics, risks and more. From there you can get a comprehensive view of the whole security program or target individual areas to present just the information of interest to the organization’s leaders.
This would provide the platform for CISOs to track investments, measure and articulate risk, track progress, and translate comprehensive technical information into something that is meaningful and actionable by business leaders.
What does Secure Blueprint look like?
Secure Blueprint is a unique SaaS solution that utilizes the most common maturity and control frameworks and provides the technical depth to manage that goes above and beyond traditional executive cyber reporting.
The software has been designed to give the user a one-of-a-kind experience, delivering business-focused analytics, initiative tracking and dashboards that keep track of your defined key performance indicators. With just a click, you’ll have all the information you need to assess risk, potential risk, set maturity and goals for all aspects of your program.
Secure Blueprint is a way for CISOs to drive continuous improvement with the end goal of being able to clearly communicate business-focused priorities and outcomes. The platform automatically generates dashboards to track specifics, and these can be used during presentations to boards and committees to show your program state and goal. We are able to clearly show the past, present, and future of your program maturity based on control frameworks. This includes analytics integrated with cyber business maturity benchmarking to ensure the CISO can not only identify program gaps but also guide investments.
No more manually created charts, no more multi-tabbed Excel sheets. Secure Blueprint is intuitive and easy to use so that you can be confident in showing your program to the board.
What are some key attributes to the program?
According to Gartner, CISOs need dashboards that cover a wide range of aspects. Secure Blueprint is a comprehensive program management platform that includes dashboards. It provides easy visibility into program maturity, program roadmap, initiatives management, investment management, cybersecurity program component heatmap and component management dashboards. Currently, CISOs are forced to build those out manually. Secure Blueprint does all this for them.
The integrated dashboards allow visualization of all these aspects and more. With just a click of the mouse, they can see every relevant detail in a manner that is easy for anyone in the organization to understand, therefore justifying the costs associated with their cyber program.
What else should we know about Secure Blueprint?
You can learn more about Secure Blueprint by clicking here.
Interview by Maxfield Barker, Sr Marketing Coordinator, Kudelski Security
Pressures facing security leaders continue to increase. More and more, industry leaders are focusing on the role of CISO as a risk management business executive, not solely a security leader. CISOs need to drive and communicate on a program that is aligned with the overarching business objectives and risk appetite. With the myriad, ever-evolving elements of a comprehensive security program and its associated risks, this is a tall order. Modern CISOs need new software to address these challenges. Hence the invention of Secure Blueprint, a cyber business management platform for cyber leadership.
The following discussion with John Hellickson, vice president of US services at Kudelski Security, describes the driving need and rationale for this new category of security product.
What is Secure Blueprint and where did the idea come from?
Secure Blueprint is a new innovative approach to designing comprehensive, agile, and business-aligned security programs by Kudelski Security. It includes software that enables CISOs to plan, execute and improve programs, keeping alignment with business objectives. It delivers metrics that demonstrate program maturity, areas of priority and risk, so smarter investment decisions can be made, and creates dashboards to enable risk-based story-telling conversations with boards and executive peers.
It’s a well-known fact that boards are being asked to know more about cyber issues, while CISOs are challenged discussing those needs with the board in a way that instills confidence in their security program.
CISOs must now think more like a CEO than ever before, as cybersecurity treated as just another IT function has proven to be limiting when combating today’s advanced threat landscape. Cybersecurity is a critical concern for business and executive leaders at the highest level of all organizations and governments; therefore, bridging the gap between business objectives and prioritizing security investments is essential.
Recently, the C-suite and boards have been expecting more of their cyber leadership in communicating the value of selected security investments, with progress improvements and reduction in business risk as outcomes. This trend is indicative of the desire by the C-suite to learn and increase support for the CISO role to prevent a cyber attack. Therefore, CISOs need to develop executive presence, change their mindset and approach, demonstrate decisiveness and agility, and speak in a language that the C-suite understands.
What is the biggest challenge you are addressing?
It’s hard to effectively plan, budget and justify investments if you can’t measure the maturity of your programs and the progress made. And if you don’t have this knowledge, how can you gain the necessary visibility for achieving your strategic goals? And with no ability to understand where ongoing gaps exist and demonstrate progress, how can you instill confidence in your security program and strategy with business leaders?
What does the board need to know?
Well, let’s start with what they don’t need to know. Overly detailed answers that delve into day-to-day security operations may overwhelm or frustrate the board. Unfortunately, this is what CISOs have traditionally provided due to technical backgrounds.
What boards actually need is for the CISO to articulate relevant security threats to the organization and industry. Boards want a clear sense of cyber program target maturity and how the CISO is closing the gap. In order for CISOs to deliver this kind of information, they need to convey and be ready to communicate the following:
- State of cyber program maturity and roadmap
- Top Industry Threats & Trending
- Priority 1 Initiatives & business outcomes
- High-Level Business Oriented Cyber Risks
- Timely related incidents and organization impact
…which is exactly what our Secure Blueprint platform provides.
So, Secure Blueprint goes beyond just board reporting to helping the CISO with a structurally different approach to building and executing their security agenda.
Board reporting is crucial, though, and can be one of the most difficult aspects to master, for any CISO. But more importantly, you need to both run your cybersecurity program as a business and articulate this in the framework and language that business leaders understand.
Gartner summarizes it nicely in this article, by stating: “Organizations need to develop a strategic planning capability that enables the organization to develop and refine a roadmap of investments that recognizes a continuous change in the business, technology and threat environments.”
Cybersecurity is still a relatively young field, where evolving threats keep best practices fluid; where the intense pressure to deliver grows constantly and where company culture and industry context matter greatly. With so many variables, how can cyber leaders chart a path to success in today’s CISO role?
The solution is to run cyber programs like you run a business. Think of your cyber portfolio more as a business portfolio. Your board will want to know if your cybersecurity initiatives align with the enterprise’s objectives. The CISO needs to measure the cybersecurity program’s success. You can do this by blending and measuring qualitative and quantitative risk along with program maturity. The CISO also needs to know which investments make the most of the cybersecurity program. These are some of the things that every CISO should have on their mind and be able to communicate on a regular basis.
Put simply, the outcome should be the ability to present a cybersecurity program strategy and progress status to C-suite in a communication method that resonates with an executive audience.
So, what does that solution look like?
Stay tuned for part two to find out!
Are you on the “Team of No”? How do you know? Do you often get pulled into a project late in the process, where security wasn’t even considered or notified until 3 days before the ‘go live’ date? Do you have business executives agreeing to any and all security policy exceptions without even understanding the full details? Do you often find the business or IT going around security processes that you control? If so, you might just be on the Team of No!
At many corporations across the globe, the security department is often seen as a hindrance to the business, a necessary evil that writes strict security policies so that no one can do their job. Sadly, many cybersecurity leaders take a risk-avoidance approach in which they feel they themselves ‘own’ cybersecurity risk for the organization and must protect the business from itself. Making it difficult for the business to adapt quickly enough to disruptive innovations, among other things, is a key reason why many security leaders don’t get invited to the C-suite table.
One of the key elements of a highly effective security organization is to establish a security risk committee (or several), with executive participation from key departments and with leaders across the business who truly own the risk. Often, standardizing on a consistent risk assessment methodology across the company and bringing key risks to this security risk committee will allow the security executive to share the burden of balancing risk with business objectives. When done effectively, the security risk committee will drive appropriate behaviors within the various parts of the organization, improving support for security processes and practices.
One of the key outcomes of a security risk committee is to empower the committee members through education and collaboration on cybersecurity. It is worth reiterating that the security organization doesn’t own cybersecurity risk; rather, it enables the information owners to better understand and manage the risk. Additionally, the risk committee needs to understand that the security organization cannot prevent every data breach; it helps to protect information, monitor for attacks and anomalies, and respond quickly when an incident does occur.
While a security risk committee is now common practice, it is also important for you as a security leader, and for the security department, to find a way to “Get to Yes”. This doesn’t mean that you say yes to everything that comes your way, but instead, collaborate with the business to come up with alternatives which ultimately satisfy the business need that aligns to the risk appetite of the organization.
Here are a few recommendations to be a better business partner, and get to yes:
- Understand the other person’s position, and their needs
- If an ask is too risky, start with ‘why’, and share details in relation to the business impact
- Separate the people from the problem
- Focus on interests, not positions
- Be less rigid, and more agile
- Work together to create options that will satisfy both parties
- Get out of your office, and be visible
As you set the security strategy for the organization and do your best to manage risk, keep in mind that 99 percent of your success as a leader depends on relationships with people from other parts of the business.
Our second CISO Fresh Thinking webinar, “Getting to Yes C-Suite Strategies for the CISO,” explores this and other key attributes in greater depth.
You can download the webinar now to hear Don Kleoppel, CISO at Cerner, discuss with Kudelski Security’s John Hellickson, Managing Director of Strategy & Governance Advisory Services, how this particular shift in mindset can help you enable the business to achieve its strategic objectives.
October is Cybersecurity Awareness Month, a time traditionally focused on empowering individuals and organizations to adopt safer practices online. But October should also provide a moment for honest reflection among the professional security community about what is – and isn’t – working in our security arsenals. The security executive role is evolving. Kudelski Security’s new suite of CxO Performance Solutions provides new tools, programs and methodologies for the security leader in your organization. Find out more about CxO Performance Solutions here.