Leading Cyber Security Execs Describe CISO ‘Toolkits’
Security Pros Talk Strengths, Knowledge & Programs
Today’s Chief Information Security Officers (CISOs) preside over a wholly dynamic and fast-moving space. Their intuition, experience and pragmatism all play into their security philosophy and operations. Yet each CISO is necessarily unique, as they work across industries, sectors and even borders.
At the end of the day, however, they’re protecting their respective organizations from potentially devastating cyber-threats – in a world now filled with threat actors hovering in and around networks.
So, what unique qualities define today’s CISO? What experiences do they typically draw on? What is their management style? Is there a common thread in that conversation – and does it comprise a (universal) “toolkit”?
We were able to chat with CISOs on our Editorial Advisory Board (EAB), each of whom carries extensive security experience. Topics included strengths, specific knowledge, tools and programs, and thoughts on the “toolkit.”
Lisa Tuttle, CISO, SPX Corporation told the Cyber Security Hub that she brings productivity, engagement and “voracious learning” to her position as a CISO. “Throughout my career, I am most proud of building high-performing teams who are inspired to grow because they are challenged and empowered to succeed,” Tuttle said.
Rebecca Wynn, Head of Information Security and Data Protection Officer (DPO), Matrix Medical Network, said that visible strengths in her capacity include being a “polymath” and a “big-picture thinker.” She also credits technical, governance, risk and compliance knowledge with success in the role, as well as “strategic security leadership” skills.
“It’s very important that the CISO take the time to translate the enterprise security/risk/compliance needs into what executives can assimilate and make the decision,” Wynn said.
Higher Education CISO Bob Turner built on those comments, saying that his obvious strengths in the role include understanding risk management and practical implementation “in an environment that does not necessarily appreciate risk.” The CISO also said that much of the role requires “making a call based on good data (which) sends us in a direction, which is far better than standing still.” Turner also credited team-building and encouragement as prominent CISO characteristics, especially in his position.
Knowledge Is Power
Commenting on specific knowledge and mastery that she brings to the enterprise, Tuttle told the Cyber Security Hub that it lies in information security, privacy, technology, legal, compliance and project and business management (coupled with industry certifications).
“My experience crosses technology, banking, retail and manufacturing industries,” she said. “The common denominator to my success is being an articulate communicator and a good listener who builds solid relationships and earns trust. That enables me to better understand business need, balance risk and achieve objectives.”
Wynn said, “I have a proven track record of taking companies to the next level of excellence in many sectors including government, financial services, fintech, healthcare, information technology, legal, semiconductors and retail.” She cited experience in leading security, privacy, risk and compliance efforts pre-acquisition, acquisition and post-acquisition.
Wynn also said she has a keen sense of what is happening to the staff, and that the earned trust is priceless. “I really understand the business,” she said. “Seek first to understand.” Additional advice: meeting with business leaders and “going beyond the corporate vision, mission, etc. that is stated on the website.”
Turner added that an understanding of NIST publications and expertise in federal guidelines are also clear assets, as well as an understanding of “non-standard IT systems to include IoT.”
With skill sets and a firm knowledge base, CISOs are also charged with implementing tools and programs, and that depends on philosophy and management style.
Tuttle said that she directs the security and compliance programs from a “project management perspective.” She continued: “By understanding and carefully researching options (industry websites, user groups, CISO roundtables), I develop logical priorities and plans that are necessary to get buy-in from the executive ranks. It is important to engage both IT and business teams, educating and involving them in systematic ways.”
From a team level, Wynn said that she doles out responsibilities for each team member – for daily reports and weekly metrics (key performance indicators (KPI) and key risk indicators (KRI)). On communicating with executives, she added, “(Also), if you’re not clear on why you are showing someone a number, you will find yourself in a rabbit hole of a conversation. Focus on who sees the numbers, and why they’re seeing them, and what you’re trying to convey, and then ensure consistency of your story.”
Turner credited specific tools and programs he’s helped deploy, including a tailored version of the NIST Risk Management Framework (using MS Word and Excel templates plus Qualtrics for data gathering), and a two-part threat protection package over the course of two years. He also credited rollouts of malware protection and endpoint protection. He said he’s using his team and expertise to “slim down” over 150 different endpoint services across the campus.
Some parting wisdom from Turner on all of these factors coalescing into toolkits: “CISOs who lack robust teams to back their initiatives need to have the right references and resources at arm’s reach. Creating websites where the tools are located, producing toolkits in portable media formats, applications for mobile environments, or desktop guidebooks are all viable ways to get the CISOs…involved in ‘building the future of cyber security.’”
While no toolkit can be completely universal, it is no doubt helpful to see the specific focus areas of today’s CISOs, as well as what inherent qualities make them successful (and even what tools they draw upon quite often!).