The Role of a CISO in Today’s Increasingly Complex Cybersecurity World
CISOs Must Have Hard And Soft Skills
The job of Chief Information Security Officer today is fraught with responsibility and headaches and requires being adept in both hard and soft skills. Delving into a CISO’s role was the topic of Monday’s Task Force 7 Radio episode 52 with host George Rettas, the president and CEO of TaskForce 7 Radio and TaskForce 7 Technologies.
Rettas’ guest was Mike Higgins, a former chief security officer of LexisNexis, as well as a former CISO at The New York Times, and the former vice president and CISO of NBC Universal Media. Higgins is a visiting professor at Northeastern University and the University of Virginia. He talked about the pros and cons of working as a security consultant versus being in the private and public sectors.
Higgins worked for the U.S. Department of Defense as an intelligence analyst and then went into the private sector as a consultant. Wherever he has worked, Higgins has likened the role to that of a salesperson.
“Security has been and will always be a sales job,” Higgins said. “You're going against the natural proclivity of people to do the easiest operations possible to get their job done. And that isn't natural. People don't want additional security in whatever they do,” they don’t want to have to take several steps to ensure they are protected.
“So you have to sell them on the idea that it's not only the business's best interest, but also in their personal best interest to follow the rule sets,” he said.
When he joined NBC, “security wasn't even on their radar screen,” Higgins noted. “They had a small security force” of about one dozen people. “And they were completely underwater.” At the time, Higgins was teaching an incident response course in the master's degree program for information security at George Washington University. He said he found the consulting work he was doing “frustrating” because projects often didn’t go anywhere after he left.
“You see a project to the point where it's [in a] steady state, you hand it off to the business, and then you walk away. And if you go back in six months to a year, you find out that the project died on the vine.” The reason was either that the champion within the business didn't adopt it, or that there was no champion for the project at all and the entire initiative failed.
The opportunity to be CISO for NBC was appealing because it gave him a chance to spearhead a project from start to finish, Higgins said.
Higgins also had CISO roles at LexisNexis and The New York Times. Rettas observed that the ability to “sell” security as a CISO requires a lot of soft skills, such as the ability to influence, persuade and negotiate.
Higgins agreed that those skills are essential. Currently, he said he is teaching a 14-week symposium at Northeastern University for students who may aspire someday to become CISOs.
“One of the most important things I teach them is the importance of developing those soft skills and the importance of developing that translation skill,” he said. “If you go in talking tech to a business or even … infosecurity, to a business, they just gloss over. They have no idea what you're talking about.”
It is critical for security professionals to speak the language of business people and make security terms understandable for them, he stressed.
The role of CISO
Rettas also noted that a lot of companies go through serious growing pains when they start to realize that cyberattacks may present the most significant risk to their business. He asked Higgins to discuss the issues companies face when they hire their first CISO.
Educating employees is critical, Higgins said. “You're in there trying to change a culture. And it's not just the employees, it's management, it's the executive board, it's the board of directors. You have to educate them on what a CISO brings.”
The CISO also has to tread carefully, he noted, adding that “hopefully, they don't walk in the door and assume all risk for the company. Because much of it is completely outside of their purview. It's the business's responsibility. It's the technology group's responsibility.”
A CISO oversees and identifies strategic ways to address a company’s risk, he said. “But they shouldn't be assuming that risk. A lot of young CISOs that I see make that mistake by going in and thinking, ‘I'm in charge. Great.’”
CISOs must balance the ability to manage the risk with making sure the risk is appropriately placed in the business, Higgins said. “And when the business decides that they're going to put up a website and have absolutely no security [on it], that business owner is making a decision about his career and his future.”
‘Yes, but’ is the right answer
Higgins’ first challenge as a CISO was teaching his staff about the need to support the business rather than saying “no” to new technologies or to remote operations. “I think, inadvertently, security officers over the years had been doing that.”
This only encourages shadow IT—where business units purchase software without IT’s knowledge, he said. CISOs must emphasize that they will support the business, be aligned with their initiatives and goals, and speak their language, he said.
If you ask business leaders whether they feel the security operations team is aligned with their business goals, Higgins said, it is surprising how many will say it is not. The CISO and the security department must meet the expectations of the business, and communication is paramount, he said.
“Once you finish communicating, do it again,” he advised. “And once you finish doing it the second time, do it again. You have to continuously talk to the business and make sure that you're completely aligned with their strategy and approach, and then you have to basically walk the walk at that point.”
Until security staff “walk the walk with them and see some of the challenges … they see as a business and share that responsibility with them, you're really not doing the job.” Once security professionals do that, they will start to be seen as a partner by the business – and not an adversary, he said.
Assessing a company’s security posture
Rettas pointed out that many CISOs, when they come in, want to benchmark the company's defense-in-depth cybersecurity posture. He asked Higgins how a CISO goes about doing this.
Depending on the size of the company, it could take anywhere from 30 to 90 days, Higgins said, and he follows the NIST Cybersecurity Framework when he does an assessment. “But before I execute it, the last thing I do is I usually go in and I sell [it to] the businesses. And by selling the business, I mean I explain to them what I'm going to do,” and why he is deploying a particular platform.
Then he listens to the business leaders. “They don't know anything about security, but they’ve got a lot of common sense. And after I do that, then I make sure that the business buys into the program. Because it's essential that as changes occur … you have to have the support of the executives. As well as the bottom up.”
Security is disruptive, Higgins said, because “it's the antithesis to ease of operation,” and it is human nature not to like anything disruptive.
In the show’s final segment, Rettas asked whether security should be pushed from the top down or from the bottom up.
Typically, organizations take a top-down approach since that is where budgets are decided, Higgins pointed out. “But I've learned over time that it's also got to be bottom up. You got to work both ends of the spectrum. You can't expect to push security from the top down.” As important as executive support is, if you don’t get buy-in from the employees, your security program will fail, he said.
The two also discussed the challenges ahead for CISOs as the threat landscape becomes more aggressive. Whereas in the past security was about identity and password management, CISOs now also have to deal with multifactor authentication, cloud, virtual machines and an ever faster pace of technological change, among other challenges.
Higgins said that when he hears about new security technologies that incorporate machine learning or artificial intelligence he wants to “scream,” because “they are marketing terms, and have no basis in actual capability.” Along with “intelligence,” he said, they are overused terms.
If a vendor is doing a technology sales pitch, “you better be prepared to discuss the degree of what you're doing and how you're doing it, and not just using the words,” he said. Higgins said he stays current on the new security technologies hitting the market by constantly reading and asking vendors questions, and he also looks to his peers for guidance. He stressed that organizations must stay vigilant and that technology alone is not a panacea for protection. “You will be penetrated. You will be breached. You will be disrupted. How you best minimize the impact of that breach, penetration, disruption, is what I think is the differentiator between a good security program and a great security program.”
The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub.