by Ernie Anderson | Oct 13, 2021 | CISO
Ernie Anderson, Head of Professional Services at Kudelski Security, knows a thing or two about enabling the CISO to fulfil their mission. The CISO role is one of the most difficult jobs in the cybersecurity industry, and a CISO needs lieutenants to build an effective security team. With underfunded security programs and rampant attacks around the globe, it takes more than industry knowledge to excel as a deputy CISO. Ernie recently sat down with Security Magazine to talk about the importance of a deputy CISO. Read his interview in Security Magazine’s 5 Minute CISO Q&A below.
Security: What is your background, current role and responsibilities?
Anderson: I have nearly 20 years of professional experience in cybersecurity consulting, including extensive work with CISOs and CIOs across multiple industries to define cybersecurity strategies and establish risk-driven cybersecurity programs. Before joining Kudelski Security, I was the North America practice lead for IBM’s Data and Application Security Services and have worked at Booz Allen Hamilton and Ernst & Young.
Currently, I lead Kudelski Security’s portfolio of professional and consulting services, including our CISO advisory consulting, technology and staff augmentation. Our services teams partner with CISO clients to help them define and execute a more strategic approach to their cybersecurity business. That includes project engagements and long-term support agreements that help define security strategies, deploy and optimize technologies, and provide skilled subject matter expertise.
Security: CISOs can have (arguably) the most challenging jobs on the organizational chart. Why is this the case, in your opinion?
Anderson: There are a variety of trends that have made the job of CISO one of the most difficult within a business. Companies have finally started putting more investment into security and risk management programs, so CISOs have a wider range of responsibilities, including being part of the executive team and more frequent reporting on progress to other leaders and the board (and taking the heat if sufficient progress is not made). There is increased pressure on CISOs to protect companies against increasing cyberattacks and risks, particularly when ensuring the remote or hybrid workforce is able to access company networks securely. And many CISOs still lack the resources they need, whether it’s security tools or people.
Security: Why is a deputy CISO critical to addressing security risk management?
Anderson: Given all the challenges CISOs face and increasing responsibilities on their plate, having lieutenants or deputy CISOs is critical for an effective security team. Not preparing people to be able to take on the role of deputy CISO has created a vicious cycle – there’s no one to take the CISO’s place when they leave an organization, and the organization must then look to hire someone with experience from outside the organization, thus taking a CISO from another company. This is especially critical given the short tenure of CISOs – an average of two years. CISOs need to prioritize finding and training security deputies from within their organization and start early – it can take up to four years for someone to be fully trained to take on the role.
Security: What skills/qualities should a deputy CISO have?
Anderson: As the role of the CISO evolves, so too do the skills they need to succeed. Modern CISOs need business acumen to understand business processes and their organization’s goals, as well as the soft skills of relationship management and communication to effectively communicate risks and the importance of security to executive leaders and other key organizational stakeholders. Many CISOs are also more visible internally and externally, so they need the ability to lead people with a diverse group of skillsets, coaching skills to train and mentor deputies, and a commitment to continually develop their own skills to stay on top of the latest security management practices and tools.
Someone moving into the role of a deputy CISO needs to understand all the skills and qualifications required of a CISO to support them. That starts with understanding the domains typically overseen by CISOs – from security operations and identity management to risk and governance and regulatory and compliance issues.
Think of a deputy CISO like an understudy in a play – they must develop the skills to take on the CISO role when needed. For example, while a CISO is responsible for managing risk at the highest level of an organization by overseeing people, strategy and technology, a deputy could be expected to support that by managing risk across different security domains.
by Jason Hicks | May 28, 2021 | CISO
No matter how good a CISO is, there aren’t enough hours in the day to handle the myriad of new responsibilities that have been thrown at them. To be effective and ensure a strong security posture, CISOs need a lieutenant to head up each domain that falls within their scope.
Given all the challenges CISOs are likely to face moving into the new year – from supporting a permanent remote workforce and accelerating digital transformation to preparing for an expanded threat landscape – it is more critical than ever that they bring on strong deputy CISOs.
2021: The year of the security lieutenant
Every year we talk about the shortage of cybersecurity personnel, but it is a challenge that continues to put pressure on companies generally and CISOs specifically. One of the biggest reasons for that challenge in the security industry is the lack of effective grooming for future leaders. When organizations need to hire a CISO, they generally have to look outside for a candidate with prior experience in the role. If this trend continues, the industry will be hard-pressed to ever overcome the shortage of qualified security leaders.
This year, the skills gap will be especially acute for small and medium-sized businesses that cannot afford to hire or retain the right candidate. That is why finding and training security lieutenants from within needs to be a priority, both for CISOs to be successful in their role and to ensure their organization has qualified individuals who can take the reins as CISOs of the future. Further, that training needs to start early, since it takes an average of three to four years.
Mastering the lieutenant role
Deputy CISOs serve as the second in command, helping CISOs identify, track and respond to current security risks and oversee the implementation of new processes and strategy.
There are eight vital competencies that every security lieutenant – junior or otherwise – needs to master:
- Understand the business. Security is different for every company. It is about mitigating risk, and if a lieutenant doesn’t fully understand the business’ crown jewels, they’ll waste a lot of time chasing down the wrong perceived risks. Lieutenants should spend at least a few weeks working on the front lines of the business to ensure they have a good understanding of how the organization’s systems are used in the real world.
- Support the CISO in managing risk across security domains. This should be a given – managing risk is a huge part of security, and deputies should be heavily involved in this function.
- Maintain lines of communication across regions and business units. For a long time, the security team has been siloed and kept separate from other company departments. It is time to break down those silos. Collaboration between the security team and the rest of the organization is a must, both to advance security objectives and to improve the overall health of the organization.
- Oversee the implementation of security controls and policies. Every security deputy should have the technical knowledge and experience to identify and oversee the implementation of suitable security controls and policies starting with basic hygiene. Identity and access management (IAM) plays an important role, and lieutenants need to take the lead to ensure assets – from people to data – are kept safe.
- Listen to business needs and look for ways to support them. Security should never be seen as a ‘blocker,’ but more as a business enabler. Security leaders and deputies should promote security by proactively building relationships across the organization and being able to explain how stronger security also supports business objectives.
- Always be ready to embrace change. Change is a constant theme in security, and professionals should never shy away from it. They should drive cultural change based on risks and employee behavior and promote security throughout the organization.
- Understand technology, risk, security and organizational context. Most security professionals are highly technical; however, far fewer have a deep understanding of how security fits into a wider business context. Even fewer have first-hand experience measuring, tracking and managing security risk in an evolving business environment.
This mixture of skills, knowledge and experience is critical. CISOs should choose deputies who actively work to develop these areas throughout their careers.
- Educate the organization on cyber risk and readiness. Breaches from human error cost companies $3.5M in 2019 alone, which can be at least partially attributed to most employees’ lack of understanding of security and of how their actions affect the security of the organization. Creating an enterprise-wide security culture is something all security professionals should strive to achieve, and it’s particularly important for security leaders.
Security isn’t something that can be achieved by the CISO alone. It requires the support of the full security team and the whole business. Through 2021, we will see organizations and security leaders start to build into their plans how to reduce the talent gap and use internal talent to train security lieutenants.
The next generation of security leaders will need to take every opportunity to educate their colleagues about security best practices, cyber risks and how security enables business outcomes. Doing so grows their own skills and ultimately protects every entry point to their organization.
This article was originally featured in Cybersecurity Magazine.
by Jason Hicks | Mar 30, 2021 | CISO
This article originally appeared in Cyber Security Magazine as The CISO Legacy: Security Lieutenants. For additional CISO tips and strategies for closing the cybersecurity skills gap and preparing future security leaders, download Kudelski Security’s Executive Research Addressing the Security Leadership Talent Gap.
by Andrew Howard | Mar 9, 2021 | CISO, Cybersecurity
The security industry has faced a variety of challenges throughout 2020. The pandemic put pressure on security and IT operations and shone a spotlight on underlying issues many organizations were facing in terms of their digital transformation and security posture. If that wasn’t enough, the threat landscape also shifted and is now more volatile than ever.
As security leaders prepare to handle what lies ahead in 2021 and beyond, there are three key trends they should pay special attention to: the increase in adoption of policy-based security models, new ransomware threats and greater utilization of artificial intelligence.
Adoption of policy-based security models
The prospect of moving an onsite workforce to a remote setting had a huge impact on many organizations, as they realized they weren’t ready for such a dramatic shift. Moving to remote work due to COVID-19 exacerbated the shortcomings of the traditional enterprise perimeter security model. This led to more organizations choosing policy-based security models, such as Zero Trust, to ensure the protection of their employees while remote work continues to be a norm.
As remote work becomes normal beyond the pandemic, a Zero Trust model replaces trust in a corporate network location with decisions based on information about the user, data, applications and devices, contextualizing security risk and dynamically adapting access rights on every request. Successful adoption will depend on organizations fully integrating the tools already in their environment, from authentication systems and network security appliances to endpoint detection and response, so that each can feed signals into the access decision.
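To make the contrast concrete, the following added example (not code from the article or from any product) evaluates the same access request under a perimeter model, where trust equals network location, and under a policy-based model that considers identity, device posture, data sensitivity and session risk. The request fields, address ranges, app names and policy rules are assumptions chosen for illustration.

```python
"""Perimeter-based vs policy-based (Zero Trust) access decisions.

Added example, not code from the article or any product. The request
fields, network ranges and policy rules are assumptions chosen to show
how the two models diverge on the same request.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed corporate address space; the only signal the perimeter model uses.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    mfa_satisfied: bool      # strong authentication completed this session
    device_managed: bool     # enrolled in the organization's device management
    device_compliant: bool   # disk encrypted, EDR running, patches current
    app: str
    data_sensitivity: str    # "public" | "internal" | "confidential"
    session_risk: str        # "low" | "medium" | "high" (from the IdP's risk engine)


def on_corporate_network(ip):
    return any(ip_address(ip) in net for net in CORPORATE_NETWORKS)


def perimeter_decision(req):
    """Legacy model: location is trust. Anyone inside the network gets in,
    with no view of who they are, what device they use or what they touch."""
    return "allow" if on_corporate_network(req.source_ip) else "deny"


def zero_trust_decision(req):
    """Policy model: evaluate identity, device and context on every request.

    Returns ("allow" | "step_up" | "deny", reason). Network location is not
    consulted at all; the same policy applies in the office and at home.
    Rules are ordered so the strongest negative signal wins.
    """
    if req.session_risk == "high":
        return "deny", "high session risk; revoke and re-authenticate"
    if not req.mfa_satisfied:
        return "step_up", "MFA required before any access"
    if req.data_sensitivity == "confidential" and not (req.device_managed and req.device_compliant):
        return "deny", "confidential data requires a managed, compliant device"
    if req.data_sensitivity == "internal" and not req.device_managed:
        return "step_up", "internal data from an unmanaged device: re-verify and restrict to a browser session"
    if req.session_risk == "medium":
        return "step_up", "elevated session risk"
    return "allow", "identity, device and context satisfy policy"


def compare(req):
    """Return both models' verdicts for one request."""
    return perimeter_decision(req), zero_trust_decision(req)[0]


# Constructed requests (not real traffic).
# 1. Contractor's personal laptop plugged into an office port, opening the HR app.
INSIDER_UNMANAGED = AccessRequest(
    user="contractor@example.com", source_ip="10.20.30.40", mfa_satisfied=True,
    device_managed=False, device_compliant=False, app="hr-portal",
    data_sensitivity="confidential", session_risk="low")
# 2. Employee on a managed, compliant laptop at home, same app.
REMOTE_MANAGED = AccessRequest(
    user="alice@example.com", source_ip="203.0.113.8", mfa_satisfied=True,
    device_managed=True, device_compliant=True, app="hr-portal",
    data_sensitivity="confidential", session_risk="low")
# 3. Same employee, but the identity provider has flagged the session
#    (e.g. impossible travel); a compliant device does not override that.
REMOTE_RISKY = AccessRequest(
    user="alice@example.com", source_ip="198.51.100.77", mfa_satisfied=True,
    device_managed=True, device_compliant=True, app="hr-portal",
    data_sensitivity="confidential", session_risk="high")

if __name__ == "__main__":
    for name, req in [("insider, unmanaged", INSIDER_UNMANAGED),
                      ("remote, managed", REMOTE_MANAGED),
                      ("remote, risky session", REMOTE_RISKY)]:
        print(f"{name:22s} perimeter={perimeter_decision(req):5s} zero_trust={zero_trust_decision(req)}")
```

The first request is the case the perimeter model gets wrong in the dangerous direction (an unmanaged device on the office LAN reaches confidential data), the second is the case it gets wrong in the direction that hurts remote productivity, and the third shows that in the policy model a risk signal from the identity provider outranks a healthy device.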
Increase in data breaches and ransomware attacks
Attackers are constantly changing their methods, resulting in new and evolving risks. It is important for companies to be prepared and aware of new threats to stay ahead of them and protect their data from any potential compromise.
Looking ahead, companies should expect to see an increase in ransomware, with bad actors increasingly threatening to publish data they stole before encrypting it if victims refuse to pay the ransom. Organizations have begun to do a good job of building, testing and operationalizing their backup strategies to mitigate the risk of ransomware. Unfortunately, backups do not mitigate the actual risk: if data has already been compromised, whether directly from the company or through a third party, threat actors still hold it, and the foothold they used to take it is still there. Robust backup and data recovery remain necessary, but the focus moving forward should be on closing the systemic weaknesses attackers are exploiting to gain that foothold in the first place.
We’re also going to see a considerable increase in the use of illicit OAuth 2.0 consent grants to compromise accounts. In general, organizations have built better phishing awareness programs, rolled out multifactor authentication more widely and created rules to detect anomalous logons; in response, attackers have shifted to tricking users into granting a malicious application delegated access through an OAuth 2.0 consent prompt, which yields tokens that work without the user’s password and without triggering MFA. To prepare, companies should limit which applications can request OAuth 2.0 grants from end users, disallow specific OAuth 2.0 scopes from ever being granted by users rather than administrators, and monitor consent events for grants that slip through.
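The two controls named above, plus the detection pass that catches what they miss, as an added example that is not code from the article or any identity provider. The audit-event format is a constructed, simplified stand-in for a cloud identity provider’s consent log; the scope names follow Microsoft Graph delegated-permission naming, while the policy values, app IDs and sample events are assumptions.

```python
"""Illicit OAuth 2.0 consent grants: a preventive policy check and a
detection pass over consent audit events.

Added example, not the article's or any vendor's code. The audit-event
format is a constructed, simplified stand-in for an identity provider's
consent log; scope names follow Microsoft Graph delegated-permission
naming, and the policy values and app IDs are assumptions.
"""
import json
from collections import defaultdict

# Delegated scopes that, once granted, let a third-party app read or send as
# the user without knowing the password or passing MFA again.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read",
}
# offline_access yields a refresh token, so the grant outlives the session.
PERSISTENCE_SCOPE = "offline_access"

# Assumed tenant policy (hypothetical app ID): only allow-listed apps may be
# consented to by end users for sensitive scopes; everything else needs an admin.
CONSENT_POLICY = {
    "allowed_app_ids": {"11111111-aaaa-4bbb-8ccc-000000000001"},
    "user_blocked_scopes": HIGH_RISK_SCOPES | {PERSISTENCE_SCOPE},
    "require_verified_publisher": True,
}


def user_consent_allowed(app_id, publisher_verified, scopes, policy=CONSENT_POLICY):
    """Preventive control: may an end user self-grant these scopes to this app?

    Returns (allowed, reason). Implements the two controls the text names:
    limit which apps can ask users for grants, and keep specific scopes
    admin-only.
    """
    if app_id in policy["allowed_app_ids"]:
        return True, "app is on the tenant allow-list"
    if policy["require_verified_publisher"] and not publisher_verified:
        return False, "publisher not verified"
    blocked = set(scopes) & policy["user_blocked_scopes"]
    if blocked:
        return False, "admin consent required for: " + ", ".join(sorted(blocked))
    return True, "only low-risk scopes requested"


def score_consent_event(event):
    """Detective control: risk-score a single consent audit event.

    Returns (score, findings). Admin consents score 0 here because they go
    through a separate approval workflow; tune for your environment.
    """
    if event["consent_type"] != "user":
        return 0, []
    scopes = set(event["scopes"].split())
    score, findings = 0, []
    risky = scopes & HIGH_RISK_SCOPES
    if risky:
        score += 3
        findings.append("high-risk delegated scopes: " + ", ".join(sorted(risky)))
    if risky and PERSISTENCE_SCOPE in scopes:
        score += 2
        findings.append("offline_access grants a long-lived refresh token")
    if not event["publisher_verified"]:
        score += 2
        findings.append("unverified publisher")
    return score, findings


def triage(log_lines, threshold=4, campaign_users=2):
    """Run detection over JSON-lines consent events.

    Flags single events at or above `threshold`, and any app that several
    distinct users consented to (the signature of a phishing campaign that
    spreads one malicious app across a tenant).
    """
    alerts = []
    users_per_app = defaultdict(set)
    for line in log_lines:
        ev = json.loads(line)
        users_per_app[ev["app_id"]].add(ev["user"])
        score, findings = score_consent_event(ev)
        if score >= threshold:
            alerts.append({"user": ev["user"], "app": ev["app_name"],
                           "score": score, "findings": findings})
    campaigns = sorted(app for app, users in users_per_app.items()
                       if len(users) >= campaign_users)
    return alerts, campaigns


# Constructed sample events (not real log data).
SAMPLE_LOG = [
    json.dumps({"user": "alice@example.com", "app_id": "11111111-aaaa-4bbb-8ccc-000000000001",
                "app_name": "Corporate Calendar Sync", "publisher_verified": True,
                "consent_type": "admin", "scopes": "Calendars.ReadWrite offline_access"}),
    json.dumps({"user": "bob@example.com", "app_id": "deadbeef-0000-4000-8000-000000000bad",
                "app_name": "Mail Productivity Helper", "publisher_verified": False,
                "consent_type": "user", "scopes": "openid profile Mail.Read Mail.Send offline_access"}),
    json.dumps({"user": "carol@example.com", "app_id": "deadbeef-0000-4000-8000-000000000bad",
                "app_name": "Mail Productivity Helper", "publisher_verified": False,
                "consent_type": "user", "scopes": "openid profile Mail.Read Mail.Send offline_access"}),
    json.dumps({"user": "dave@example.com", "app_id": "22222222-bbbb-4ccc-8ddd-000000000002",
                "app_name": "Whiteboard Viewer", "publisher_verified": True,
                "consent_type": "user", "scopes": "openid profile User.Read"}),
]

if __name__ == "__main__":
    alerts, campaigns = triage(SAMPLE_LOG)
    for a in alerts:
        print(f"ALERT score={a['score']} user={a['user']} app={a['app']}: {'; '.join(a['findings'])}")
    print("campaign apps:", campaigns)
```

With the tenant policy enforced, the “Mail Productivity Helper” request would never reach the user (unverified publisher, and it asks for admin-only scopes), so the detection pass is the safety net for tenants that still allow user consent; the campaign check matters because a single consent grant looks like ordinary user activity, while the same unknown app appearing across several mailboxes in one log window does not.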
Utilization of Artificial Intelligence
We will see an increased utilization of AI particularly within the IoT and OT industries, given the technology’s ability to help automate many tasks to reduce costs and improve productivity. However, as security leaders decide to adopt AI, they will need to prioritize the integrity of the data and make sure basic cyber hygiene protocols are in place.
Utilizing AI without the basics – from asset and patch management to user awareness – will only increase the number of breaches, since attackers can use simpler exploits against any weak spots the basics would have covered.
Looking ahead to 2021 and beyond, organizations need to be prepared to secure their resources no matter where they are accessed from. Leaders will need to make sure they add security-based policies to their business continuity plans, understand how threats are shifting, and know how to adopt new technologies to mitigate potential risks.
This blog was originally featured in VMblog.com
by Jason Hicks | Sep 15, 2020 | CISO
Today’s top CISOs come from many different backgrounds: some have held more technical roles and decided to switch gears and learn the art of business, while others came from a strong compliance and policy background and were drawn in by the inner workings of security.
Whatever their origin, each CISO has their own blend of qualifications, experience, and hard-won skills. As a result, there’s no strictly defined career path for aspiring CISOs.
Where to start? Understanding the CISO Role
If you plan to ascend the ranks of security leadership, everything starts with understanding what new responsibilities you will have to undertake and being willing to step up even before landing the job. Be proactive in finding solutions to the problems your organization is currently facing. Security practitioners who take on additional responsibility demonstrate their added value and, in return, gain skills and experience that are essential in a security leader.
The typical CISO oversees four main security pillars that include security architecture and engineering, operations, cyber resilience, and regulatory and IT compliance. However, they are increasingly taking ownership of other tasks such as risk and governance, business continuity, identity and access management (IAM), fraud prevention, and more.
Being a CISO isn’t just about being responsible for security functions. A recent study by Kudelski Security discussed the need for modern CISOs to display a broad range of skills and expertise that go beyond technology. A CISO needs to guide the organization towards a proactive approach to security, manage risk tolerance, and advise the board on cyber risks while providing a security strategy.
In addition, today’s CISO has to have business acumen and promote security as a business enabler with a clear return on investment (ROI). They will have to build relationships with other key stakeholders across the organization to identify opportunities to add value. A CISO also has to act as an educator, coaching and empowering technology teams to understand business goals and business leaders to understand the value of security.
The Pathway to Becoming a CISO
While the career progression to become a CISO is far from linear, there are some steps that help create your own path. Among CISOs, CIOs, and security recruiters, there’s a clear consensus on the steps prospective security leaders should take to ready themselves for the role:
- Get a mentor: A mentor will be critical in helping develop the skills and experience you need. Ideally, you will rely on your current CISO. If they are not suitable, your first step is to identify possible mentors outside the organization.
- Build your skillset: Seek out opportunities to develop yourself, in both technical and ‘soft’ skills. Take advantage of any opportunity to expose yourself to a new aspect of security and leadership. Don’t wait to be asked, proactively seek ways to get involved in new projects within your team and others that might interest you.
- Get education and certifications: Your organization should provide some support, but don’t rely on that exclusively. Ask your mentor and peers for advice on the best training to pursue and invest in yourself. Certifications might not be a requirement for some organizations, but they showcase the technical level of a candidate.
- Work on your soft skills: The biggest differentiator between security practitioners and leaders is their ability to build relationships across the organization. Take every opportunity to develop your soft skills and expose yourself to situations that demand skills like communication, relationship building, and public speaking.
- Get involved in the industry: The saying goes that ‘it’s not what you know, it’s who you know’. In this case, it’s both. Building your network and becoming known in the security industry is a great way to open opportunities for yourself and learn from the people that have gone through the same experience.
- Boost your visibility with executives: Look for opportunities to assume responsibilities associated with a more senior role than you are currently in. The more exposure you have to senior-level business and executives, the more comfortable you’ll be in that environment.
At all stages of your path, express your career objectives clearly to your leaders, and ask them for development opportunities. If you do this consistently, you’ll gain the experience you need much more quickly than if you sit back and wait for a chance.
Building the Future of Security Leadership
The security field is growing rapidly, and CISOs are taking on an increasingly wide range of responsibilities. As cybercrime continues to grow, and organizations rely even more heavily on their digital infrastructure, strong leadership will be critical to ensuring the effective management of cyber risk.
The next generation of modern CISOs will have to face new challenges. Identifying and nurturing their hard and soft skills will be paramount as both their knowledge of security and the business will help them navigate a constantly evolving security landscape and become the bridge between technologists and business executives.
This article was originally featured in Infosecurity Magazine.
by Jason Hicks | Aug 21, 2020 | CISO
It is no secret that finding and recruiting strong Chief Information Security Officer (CISO) candidates is far from easy. CISOs typically stay in a role for only a few years and are consequently unable to dedicate adequate time to developing the junior leaders who could become the next wave of security leaders.
Most organizations are forced to look externally for the experience they require. However, looking for outside hires also contributes to the shortage of potential internal leaders, as skilled professionals are often overlooked. For the security industry to thrive, this needs to change, and it starts with grooming the next generation of leaders.
The Role of the Security Lieutenant
A CISO needs a strong bench of lieutenants to take control of the different security areas within the company. These leaders will play a critical role in the success of the security team, as well as the organization as a whole. The strongest of these leaders are ideal candidates to be groomed into future CISOs.
Selecting one of your leaders for grooming starts with those who are already the head of a primary security function such as operations, engineering and architecture, or IT compliance. But the CISO role is larger than those areas and a lieutenant should be able to handle duties that can range from supporting risk management across security domains to understanding business and technology needs, as well as supporting education on cyber risks.
Potential future CISOs also need a set of ‘soft’ skills that can be further developed in-role. Candidates should have the ability to manage relationships and communicate with leaders outside of the security function. An understanding of how security fits into wider business objectives is also important, and it helps if a candidate has already displayed non-technical leadership ability and a desire to take on additional responsibilities.
Security is a constantly evolving field, so above all, lieutenants must have the drive to continually develop their skills and gain experience from all interactions, both inside and outside their own department. An understanding of financial concepts and portfolio management are also essential skills to develop.
Challenges Recruiting Security Deputies
Recruiting for security roles is never easy. The challenge stems from an evolving threat landscape that increases pressure from internal stakeholders, outside parties and customers. In order to meet new industry requirements, security programs are growing in scope, and leadership roles have to span multiple domains such as fraud, privacy, risk and physical security.
While recruiting for lieutenant roles, expect to come up against at least four challenges:
- Recruitment Timeline: On average, it takes seven months to recruit the right security leader. During that time, the team will have to manage the same amount of work and responsibilities with less support.
- Recruitment Costs: For years there has been a continual upward trend in the cost of recruiting and retaining security roles. Strong candidates are in high demand, and organizations are willing to pay the market price for strong expertise. If you want to attract and retain the best talent, it’s important to be competitive and understand what other companies offer in terms of benefits and on the job perks.
- Finding the Right Skill Mix: Being an effective leader requires a fine balance of technical expertise, soft skills, business acumen and the ability to remain calm in stressful situations. Unsurprisingly, few candidates possess this balance. Successful candidates will need to develop those skills and current leaders will need to provide situational training and exposure to upper management. This experience is critical in their development and isn’t widely available to prospective security leaders.
- Cultural Match: It is also important to recruit candidates that are a good cultural fit for your organization. To help ensure this, include HR and other internal experts in the evaluation process. It’s important that all levels of the CISO organization are represented in the interview process. Just having a candidate meet with the management team does not provide a sufficient picture of how they will fit with the full team. For the same reason, it’s also a good idea to have them interview with business customers.
Internal vs. External Recruitment
There’s an age-old argument about whether internal or external recruitment is a better source of security talent. Generally, it comes down to the preferences of the incumbent CISO. However, the availability of internal resources and the type of expertise and experience needed for the role also play an important part. The Cyber Business Executive Research: Building the Future of Security Leadership report lays out some of the main traits that CISOs and some of the top security leadership recruiters in the industry believe may help identify and recruit strong security deputies:
- For internal recruitment:
- It is critical to always hire candidates with solid technical competencies.
- Look for candidates with the ‘soft’ skills needed for leadership and a readiness to be trained.
- Identify likely successors to your current security leadership and create a plan for their development.
- Identify potential deputies early to allow them time for growth. It can take years to prepare a promising candidate for even junior leadership roles.
- For external recruitment:
- Use your current CISO’s network to identify candidates. It helps if your CISO has an established following in the industry.
- Maintain a continuous pipeline of potential candidates, as security roles turn over frequently.
- Proactively hunt for candidates. Many organizations have aspiring candidates, but no leadership positions for them to fill.
- Build relationships with career advisors that provide continuous cybersecurity education; they have constant access to experienced applicants.
Building the Future of Security Leadership
The security field is growing rapidly, and CISOs are taking on an increasingly wide range of responsibilities. As cybercrime continues to grow, and organizations rely even more heavily on their digital infrastructure, strong leadership will be critical to ensuring the effective management of cyber risks. Finding, recruiting, and developing the next generation of modern CISOs is not an easy task, but will pay dividends if done right.
Kudelski Security’s client advisory council recently released a report devoted to finding the next generation of security leaders. Download the report today if you’re looking to take that next step in your career.
This article was originally featured in Security Magazine.