CISO 2.0: Tips To Succeed, Lessons Learned
Security Practitioners Share Insight On Evolving Role
Today’s Chief Information Security Officer (CISO) certainly has their hands full with overall security oversight. It’s a tall order in an age of “mega-breaches,” cloud misconfiguration, lax controls and more flaws.
Essentially, it’s incumbent on the CISO to deploy effective controls that mitigate risk and reduce the attack surface. But as various technologies proliferate in the enterprise – automation, cloud services, device “inundation”/endpoint management – the security practitioners don’t necessarily have the bandwidth to defend the network properly.
That setback is only compounded by a glaring talent crisis, siloed/isolated units and a disconnect with management. While the CISO role has become more and more strategic and business-oriented (and less technical), the workload continues to climb.
Through this complex maze, security teams have mostly remained on top of the changing tides, homing in on the news cycle and alerting businesses when threats are “real.” But like any position, the CISO role is filled with (immense) challenges.
The only way to keep up with such a dynamic space is to learn as you go – to ensure proper controls and build the network’s defense based on prior experiences.
Much like a politician might learn the ins and outs of the government at each respective level – municipal, state and federal – a CISO grasps elements of the role accordingly, over time.
While case studies in the space highlight successful initiatives – oftentimes boasting an impressive return on investment (ROI) – and contributed columns pinpoint timely concerns, the exposé reveals “what not to do.” Oftentimes the security community might find this splayed across a national news outlet. Other times, the information remains so sensitive it likely never gets revealed to the public in full form.
As such, there are components of the cyber security space that have to remain confidential – for technologies are proprietary and initiatives are sensitive and trade- or industry-specific.
Nevertheless, we caught up with a few CISOs who were able to offer some wisdom on the role, based on their unique experiences and what they’ve seen in the space. These helpful tips come from years in the cyber-trenches, but result from clear wins and, in all likelihood, days of setback.
Randall Frietzsche, CISO, Denver Health, told the Cyber Security Hub that CISOs must “fully understand the business – not just what they do but who they are, what the users do, what technologies are critical to their workflows, etc.”
He continued: “If you see something that needs to change, make the rounds. Socialize it – meet with leaders and discuss the issue, and try to determine if it’s a big deal or not. This way you can determine if more work is going to be needed, to offer real alternative options for those folks.”
Of course this hearkens back to the “silo” debate in cyber security; and if principles are not laid out clearly enough, the “shadow IT” end-run may emerge.
Frietzsche said, “The most important relationship a CISO can have, whether the CISO is under IT or not, is with IT itself.”
Clearly, one must be prepared to meet other department heads in person and communicate the cyber message concisely. Otherwise, the chin-scratching begins, as does the likelihood of that shadow unit.
Frietzsche advised CISOs to “have at least weekly coffee with the CIO/CTO,” so that goals are met and objectives are defined.
“The business will have things they want to do which will raise the hair on the back of your neck,” Frietzsche said. “As CISOs, we have to realize that sometimes we just have to ensure that the risk is fully assessed, quantified and communicated.
“Be a trusted partner,” he continued. “Sometimes, you just have to accept that businesses must take risks to succeed and grow.”
Similarly, Joe McManus, CISO, Automox, told the Cyber Security Hub: “Some CISOs mistakenly take the position of being little more than an internal adversary. This occurs when the InfoSec office is not seen as an enabler but instead takes the position of being the ‘group of no.’ They spend time putting up walls, taking security as the sole focus of the business and not a conduit to ensuring the business meets its goals.”
It’s here where McManus also pushed for a diversified staff – engineers with experience as developers, system admins and network engineers.
What’s more, on a specific roadblock and what could, perhaps, be done differently, McManus said: “I had trouble with staffing some positions in the organization. When they went unfilled, I found out that the hiring manager was only interviewing people with extensive security backgrounds. But security teams need junior engineers, too. They are happy to learn and perform the triage work that frees your senior engineers to work on more complex projects.
“I’d ensure that we have a clear path for bringing on junior engineers and giving them a path to learn and grow in the company,” he added.
The tips on a tight-knit team, as well as staffing concerns, essentially boil down to constant and effective communication internally and, perhaps, externally via public relations and brand management. Today’s CISO must be prepared to do all of the above. Yet still, cyber continues to shapeshift almost daily, so top concerns/lessons today could be somewhat modified just months down the road.
In that spirit, stay tuned to the Cyber Security Hub for continued coverage on the deepening CISO role.