The single most important thing you can do is to start building the relationships and political capital you’ll need to run your security program. Here’s how.
In any new job, it’s important to assess the lay of the land. But when you start a new CISO role — whether it’s your first or fifth — there’s more to it than getting to know new co-workers. You need to appraise the political landscape of the organization.
Why did this organization need a new CISO? Did the last person simply move on, or was there an incident? Often, CISOs are asked to move on in the event of a serious breach. In these cases, whoever is next in line typically has a lot more license to make changes than they would in an organization that had not recently been breached.
Alternatively, were you promoted from within? If so, you should already understand how things work, but you’ll need to quickly accustom yourself with the political realities of being a security leader.
Once you understand your starting point, there are four key questions you’ll need to answer during your first 30 days on the job:
Question 1: How does the organization view the CISO role? Are you part of the executive team, or is it a less senior, more operational role? The amount of “power” associated with your position will have a big impact on your ability to make changes.
Question 2: Who does the role answer to? Is your boss the CEO, or an executive who answers to the CEO? If so, you’ll have a lot more political sway than if you’re reporting to somebody lower down the food chain.
Question 3: What is the organization’s tolerance for risk? Find this out by speaking with your boss and/or the CEO, members of the board, and even your predecessor, if possible. Have there been any recent security or privacy incidents, or negative media attention? Are any regulatory bodies involved? Understanding the organization’s risk tolerance — both culturally and what’s needed to satisfy compliance — will help you determine the foundation of your security program’s risk management and investment strategy.
Question 4: What is the organization’s appetite for change? This will determine how ambitious you can be with your plans to improve the security program. Keep in mind that most organizations don’t have much appetite for change, even if it’s fashionable to claim “innovation” and “reactiveness” are part of the organization’s DNA. Ironically, a quirk of the CISO role is that life is often easier if your organization has recently been breached, especially if it was publicized in the media. Why? Because the appetite for change in an organization that has suffered a breach is typically much higher than in an organization that hasn’t.
Assessing the Current State of Security
Before you can think about improvements, you will need to assess the maturity of your security program. This should be done with a recognized industry framework in mind, for two reasons:
Ultimately linking to a framework people know will give your assessment credibility; and,
Even if done only at a high level, linking to a framework helps to compare your maturity with other comparable organizations and/or industries.
The framework you choose will depend on your industry and geography. Since many frameworks are “control” focused, your maturity assessment may need to extend beyond just the bounds of those controls and include elements that are more strategic. For example, how you align to the business or your ability to get funding and resources allocated across the organization to improve controls outlined in the chosen framework.
Ideally, you should have your program assessed by an external organization. Having an external assessor makes life much easier politically when issues are raised versus “the newbie” pointing out problems. If, for a variety of reasons, external assessments aren’t possible due to a lack of resources or a company’s predisposition against external assessments, you’ll need to arrange for an assessment to be completed internally.
If an assessment was completed before you were hired, you will need to consider:
What was the purpose of the assessment?
Was it internal or external?
Can you rate the quality of the assessors?
Was it comprehensive and in line with an industry framework?
Is there any discernible bias to the results?
Whatever happens, you’ll also want to conduct your own private assessment. So long as the formal assessment matches approximately with your own, you should be in a good position to move forward.
Building Relationships and Political Capital
The single most important thing you can do as a new CISO is start building the relationships and political capital you’ll need to run your security program. This is going to require a lot of your time — particularly if this is your first CISO role — and the first month is critical.
Speak with key players in the business — members of the executive team, in particular — to understand how security is perceived and what you can do to ensure your program is seen to enable the business instead of holding it back. The CISO who is perceived as a business enabler will instill confidence in his or her leadership and program within the organization.
Your ability to make these connections will depend on your standing. If you are a C-level executive (or your boss is) it will be much easier to arrange the meetings you need to introduce yourself and start building key relationships. Lower down in the hierarchy, you may need to look for other ways to make contact — for example, by setting up a risk committee that includes senior members of each department.
Kudelski Security recently carried out research with its Client Advisory Council on CISO communication with the board of directors. The full report – complete with advice from seasoned security leaders – can be found here, but in this blog, I’m going to cover some extra points that we weren’t able to include in the final document, relating to one of the top, most challenging questions that CISOs face when communicating with the C-Suite.
The issue in question is “How do we compare with our peers?” As with nailing all these questions, the starting point is to understand what the board wants to know.
According to a majority of Council members, it boils to investment and whether the organization is spending enough on security compared to peers. Interestingly, and as an aside, the boards indicated that they want to be equitable or even higher than peers within their industry but do not want to overspend in areas with diminishing returns on investment.
The response from Council members falls into 3 broad strategies.
Strategy number 1: Benchmark using an industry standard framework
Most of the CISOs we talked to suggest using this strategy:
CISOs should communicate how the framework was selected and why they think the framework fits their company.
Then CISOs should demonstrate how the company’s security program is measured against this framework, highlighting specifically where the start point was, and the progress made to the target state of maturity.
One piece of advice from one CISO to another “Always check whether investments are worthwhile from a risk reduction point of view”. One of our Council CISOs from a Fortune 1000 company told us he was asked by his board what it takes to increase maturity score from a 2.4 to a 3.2 in one area of their security program. In this case, they recommended that before taking any action, it needed to be determined whether taking that step was worth it in terms of investment and risk reduction.
Strategy number 2: Compare security spend with peers
A high number of our Members also pointed to this as a key strategy. Obviously, the key problem here is the fact data sharing on these matters is highly sensitive and confidential.
So where do CISOs need to look to find what their peers are spending on security?
One CISO from the technology industry recommends first looking at research firms that can provide information related to verticals, such as Gartner, Forrester, 451 group, etc. “Start with the average security spend for a vertical, and then tweak the number based on the organization size and innovation, knowing that firms that are innovative will typically spend more on security than traditional firms.”
Another valuable source of information is peer CISOs– some of the CISOs we interviewed meet their CISO peers regularly to discuss security and maturity, staff and budget topics. The general recommendation is “make friends with peers in cyber and do not try to be competitive when it comes to security.”
Participate in forums and share information within peer groups – one CISO from the media and entertainment industry obtains their benchmarking information from an industry-specific cyber community. They meet monthly to get updates on industry cyber trends, compare cyber programs and maturity, and share the latest incidents that have impacted them.
Strategy number 3: compare maturity of individual program components
The third strategy focuses on a maturity comparison.
Look at what functional or capability outcomes your peers are trying to achieve, what gaps they are trying to close and the steps they have taken to do so. This recommendation came from one Fortune 500 CISO, based on his experience that his peers gain a good idea about industry norms from the maturity assessments they run.
As a general note, if you cannot answer don’t guess. Instead, use strategy number 1: pivot your answer to a framework, as this is something you can control and justify.
In the cybersecurity industry, the focus of every managed security service provider is to reduce the time to detect a breach and remediate it. According to the last McAfee Incident Response survey, only 29% of respondents report a remediation time of two to seven days while the others report much larger delays. When we ask them what could be the biggest impediment to incident response efforts, 65% of the respondents mention the lack of skilled and well-managed personnel.
There are a ton of hipster management methods around that promise great results in terms of motivation and performance. I tried some. There are also good certification businesses behind all that stuff. At the end of the day, while you can still extract a lot of interesting things from them, you can’t learn how to deal with social complexity using a locked framework. The good news is that you can find all the answers you need just by questioning yourself and by honestly taking care of the people and the system around you.
I identified five interesting management practices and tricks that helped us, at Kudelski Security, handling social complexity while providing high end results. Most of them are inspired by agile methodologies like Scrum, Management 3.0, Systemic Organizations, plus common sense. The purpose of this article is to share those practices, encourage you to test them, and get your feedback on the topic.
Hire the right people
We mentioned it’s hard to find skilled experts around. Our field is in perpetual evolution and the needed skill set also. We all know the hiring process is critical and mistakes in this process could cost you your business. So, what do you want to do to reduce this risk? From my point of view, as soon as a candidate is truly interested by your business, has the basic required knowledge, and, most important, has a positive energy with a can-do attitude that will fit your team in place in terms of personality, you could be in front of your future ideal colleague. The other points are just bonuses.
Also, don’t let toxic players stay too long in your team if they don’t want to play the game in place. Not everyone can fit your culture and as a leader it’s your role to take this kind of decision to preserve the people and the system around you.
Choose your framework
You hired the good people, you now want to find a good framework for your team. Individuals rarely auto-organize themselves without some guidelines and there is a high chance they won’t feel satisfied in a non-structured environment. It may sound weird to say that, but I have seen many places without clear project methodology or guidance and you don’t want that if you are looking for results and happiness. On the other hand, I would recommend choosing the method that suits your team and context and stick to it with firm discipline.
Discipline doesn’t mean your framework will not evolve or that it will constrain people. You just want to put in place a set of rules with a clear direction and objectives and let your team organize themselves inside this framework. The process in place should be lightweight. We just want it to serve our people and our system, not to slow them down. As a product owner working with developers in a fast-paced environment, we choose to use Scrum with two week sprints as our core methodology. It’s adapted to our context, lightweight and effective while ensuring large autonomy for team members.
Measure your system and adapt it
Scrum is also great as you can play with it and add some good practices around the method to make it fit your needs and reality. You can iteratively build with your team a strong definition of done (DoD) to therefore ensure a better estimation process while boosting your code quality, adding extreme programming practices (XP). You can improve everything, and you want to do it. Just keep in mind that the improvements should be not too frequent, they should be motivated by measured facts or needs, and don’t forget that you should be disciplined and stick to your process when you find something that works. In the Scrum case we are lucky, you can inspect everything using KPIs like the burndown chart, the velocity, or the release burndown to collect facts. We even have a cute, useful, and funny tool called TeamMood to measure our team happiness!
Your company is generally not only composed by your team. You are working in a living system with real human individuals, not resources on a dashboard. It’s great to try to know them better and understand what they are doing. With a better global social understanding of your system and good knowledge sharing, you will be able to reduce the unknown that naturally creates a silo effect and a propensity to conflicts while generating great collaboration opportunities. You will also reduce the risk of bad choices if you can involve in your decision some external selected people that will bring a fresh view on your ideas.
At Kudelski Security, we are always trying to reduce the gap between people and gain benefit from their skills and experiences while being more efficient. A good example of that is the DevOps culture we have between our development and infrastructure teams. We really want to act as an entity integrated in a single methodological framework and we are close to achieve this goal which is a real challenge.
I won’t reinvent the wheel here as everything has already been said about leadership. Still, I assume that it must be remembered that you cannot act only as a manager. You must be a leader for your team and for me that mainly means being authentic and available for them. You trust your colleague, so you give them responsibilities. You also take care of always providing the “Why” while letting them manage their planning and work style on their own. Finally, you’ll make sure they can sometimes work on their own suggested topics and as soon as possible, free them from the corporate routine by sharing a drink or any other cool outside team building event.
Sometimes our industry tends to forget that people are still making a huge difference in our field. We also need to consider the fact that skills and performance can only emerge in an appropriate environment. Based on my experience, a happy and motivated team is always more efficient than a simple suite of super skilled experts. They will also stay longer in the company. As a CISO who wants to reduce time to remediation or as a leader who wants to succeed in his business, you should take the chance to think about social complexity and happiness at work as a top priority.
Are you on the “Team of No”? How do you know? Do you often get pulled into a project late in the process, where security wasn’t even considered or notified until 3 days before the ‘go live’ date? Do you have business executives agreeing to any and all security policy exceptions without even understanding the full details? Do you often find the business or IT going around security processes that you control? If so, you might just be on the Team of No!
At many corporations across the globe, the security department is often seen as a hindrance to the business, a necessary evil who has these strict security policies written so no one can do their job. Sadly, many Cyber Security Leaders take a risk avoidance approach where they themselves feel they ‘own’ cybersecurity risks for the organization, who must protect the business from itself. Making it difficult for the business to adapt quick enough to disruptive innovations, among others, is a key reason why many security leaders don’t get invited to the C-Suite table.
One of the key elements of a highly effective security organization is to establish a security risk committee (or several), with executive participation from key departments and with leaders across the business who truly own the risk. Often times, standardizing on a consistent risk assessment methodology across the company, and bringing key risks to this security risk committee will allow the security executive to share the burden of balancing risk with business objectives. When done effectively, the security risk committee will often drive appropriate behaviors within the various parts of the organization, improving the support for security processes and practices.
One of the key outcomes of a security risk committee is to empower the risk committee members through education and collaboration on cyber security. It is worth reiterating that the security organization doesn’t own cybersecurity risk, rather, it enables the information owners to better understand and manage the risk. Additionally, the risk committee needs to understand that the security organization cannot prevent data breaches, however, it helps to protect information, monitoring for attacks and anomalies, and responding quickly when an incident does occur.
While a security risk committee is now common practice, it is also important for you as a security leader, and for the security department, to find a way to “Get to Yes”. This doesn’t mean that you say yes to everything that comes your way, but instead, collaborate with the business to come up with alternatives which ultimately satisfy the business need that aligns to the risk appetite of the organization.
Here are a few recommendations to be a better business partner, and get to yes:
Understand the other person’s position, and their needs
If an ask is too risky, start with ‘why’, and share details in relation to the business impact
Separate the people from the problem
Focus on interests, not positions
Be less rigid, and more agile
Work together to create options that will satisfy both parties
Get out of your office, and be visible
As you set the security strategy for the organization and do your best to manage risk, keep in mind that 99 percent of your success as a leader depends on relationships with people from other parts of the business.
Our second CISO Fresh Thinking webinar, “Getting to Yes C-Suite Strategies for the CISO,” explores this and other key attributes in greater depth.
You can download the webinar now to hear Don Kleoppel, CISO at Cerner, discuss with Kudelski Security’s John Hellickson, Managing Director of Strategy & Governance Advisory Services, how this particular shift in mindset can help you enable the business to achieve its strategic objectives.
October is Cybersecurity Awareness Month, a time traditionally focused on empowering individuals and organizations to adopt more safer practices online. But October should also provide a moment for honest reflection among the professional security community about what is – and isn’t – working in our security arsenals. The security executive role is evolving. Kudelski Security’s new suite of CxO Performance Solutions provides new tools, programs and methodologies for the security leader in your organization. Find out more about CxO Performance Solutions here.
The competitive and often opaque talk selection process of infosec conferences can be confusing and discouraging. If you submit a talk—an abstract plus a longer description and a biography—and your talk gets rejected, most of the time you won’t get any useful comment from the board justifying their decision. Submitters then often perceive the process as arbitrary, driven by hype, favoritism, and egos. This isn’t always wrong, but not all conferences look like cosplay-free comic cons. Conference organizers should be given some credit for trying to maintain a reasonable technical level while at the same time covering a wide range of topics and having broader-than-deep talks to get less experienced attendees excited about this or that topic.
To put the odds in your favor when submitting a talk, it helps to follow advice such as these by Enno Rey, Sean Metcalf, or Nathan Hamiel. There’s lot of experience speaking here, yet I’d like to add my two satoshis from a cryptographer’s perspective. I’ve been sitting in many program committees of academic conferences, but only in a handful of infosec conferences committees, which turned out to be quite a different game. My point of view is therefore more on the submitter’s side, after having talked at a bunch of high-profile cons such as Black Hat, Defcon, BSides, CCC, Shmoocon, Troopers, SyScan, or Infiltrate. I haven’t counted my ratio acceptance/submissions, but my submissions have rarely got rejected. One reason is obviously that there’s more demand than there’s offer for serious crypto talks. But I think I’ve also learnt how to prepare submissions that don’t suck and increased my chances of getting in.
As a submitter, your job consists in two things:
Do great work, be it pure research, survey of a topic, or opinions.
Describe it convincingly in your submission.
It’s worth mentioning that 1. should be done before 2., and 1. should not be (only) motivated by 2.
Given these two dimensions, and to simplify a lot, there are four classes of submissions:
Great work + convincing description: Ideal case, likely to be accepted.
Great work + unconvincing description: May be accepted, if reviewers know the topic well enough to go past the poor description.
Poor work + convincing description: May be accepted, alas, if reviewers don’t know the topic well and you BS well enough to fool them.
Poor work + unconvincing description: Likely to be rejected, and deserved.
Of course who you are or who you work for will also weigh in the selection process, but you can’t do much about it. So let’s focus on 1. and 2.
1. Do great work
Whatever your work, you should bring original, non-shallow thoughts to the table. New is better than non-new, breakthrough is better than incremental. But this isn’t sufficient. Your work should also be useful to your audience, and this helps if it addresses a problem that people have, now. In other words, your submission should be timely.
But reviewers will often struggle to judge of the quality of a work. They often have to use heuristics, and will typically assess the speaker’s expertise: Have you published some work that demonstrate the extent of your expertise? Have you previously published in well-regarded venues? And so on. This doesn’t (and shouldn’t) imply that veteran researchers get a free pass for weak submissions, but that, justifiably, the barrier to entry for them is lower.
Also keep in mind that “great” may not have the same meaning to you than it will have to the review board. If you’re a cryptographer, for example, you may think that your new multidifferential attack technique applied to break 9 rounds of AES in only 2^125 complexity is great. But people at the conference won’t care, sorry.
2. Describe it convincingly
Your submission, namely an abstract and whatever else is asked for, shouldn’t sound like it’s been written by an idiot. Clear writing is clear thinking. Be concise. Structure your description in different parts with logical connections. Read Zinsser. Provide the details that will convince reviewers—and later participants—that you know what you’re talking about, but don’t get caught up in irrelevant details. Try to make the reviewers’ lives easier.
In con submissions as in many other endeavors, trying too hard is counterproductive: Don’t exaggerate your findings nor their impact. Be careful with superlatives, jokes, and words like “cyber” or “pwnage”; you’ll sound immature. In your submission, don’t promise what you’re not sure to be able to deliver. And don’t BS, it harms everyone.
Talks are better with demos, but only good demos. A good live demo is better than a good screencast demo, but it’s also harder. Depending on what you’re demoing, the choice between live and screencast may be obvious. In any case, a submission will sound more convincing if you say “I’ll demo X and Y and Z” than if you just say “there’ll be a demo”.
After receiving good news from the conference, make sure to deliver a good talk, it will increase your chances with the next submission. If you get the reputation of a good speaker then review boards are more likely to excuse shortcoming in your next submission.
Don’t think that having talks accepted means that you’re a genius. Actually, most of the best people don’t talk at conferences, and don’t care. See the scientific diagram below.
While you might think that your reputation precedes you, different conferences have different expectations and, most importantly, different audiences. Always work hard on the submission and don’t think that your name plus a rushed abstract will suffice. Of course you will feel rejected when your submission gets rejected. But complaining on Twitter is, at best, a nuisance, at worst counterproductive towards your next submission. Your talk, while brilliant, might quite simply not be appropriate for the intended audience.
Thanks to Arrigo Triulzi and Halvar Flake for their comments on a draft of this post.
Kudelski Security Vice President of Global Advisory Services Mark Carney and Tony Spinelli, COO/President of Cyberdivision at Fractal Industries are back with another installment of ModernCISO. This time they’re in Dallas, Texas. Tony and Mark will be discussing three pieces of advice on how to be a successful CISO.