Sunday, May 15, 2022

Wanna Be An Awesome CISO? Follow These 4 Cardinal Rules

I have a new book that is coming out in the early part of August. The thrust of the book is how to actually create and launch a new Cyber business. But it is not from the standpoint of the recent college graduate or a seasoned IT professional, but rather it is from the viewpoint of the burnt out or even terminated CISO who is looking for greener pastures.

One way that this goal could be accomplished is to start a consulting gig, focusing around offering vCISO services, which is a hot ticket item right now.

But unfortunately, in the end, whether it is right or wrong or fair, it is the CISO who usually takes the fall for everything. After all, they are the easiest person to blame and put in the firing line. The CISO has a lot to deal with, ranging from how well the lines of defense are shored up to dealing with the Board of Directors.

But one area they are often faulted for is a lack of communication from them to others in the company, or, if they do communicate at all, that communication is sparse and confusing at best. So, what is a CISO to do in this regard? Here are some tips to help with that communication breakdown:

1) Understand thy audience:

As a CISO, you will be asked to talk to different people who are a part of your organization. These include both internal and external stakeholders. Not everybody is going to understand Cybersecurity the way you do, so you need to angle the content to the specific group you are talking to. Take these cases:

* For the Board of Directors: Keep things in dollars and cents.

* For employees in your company: Keep things simple to understand, and avoid any and all kinds of techno jargon.

* For the IT Department and your team: You can get as geeky as you want.

* For shareholders: Keep the topic centered around how all Cyber efforts are going to impact the Earnings Per Share (EPS).

Get the idea?

2) Start with the business objectives first:

In any form of presentation that you may give, it is key that you never start by talking about metrics and KPIs. Why so? Well, first, your audience will probably have no idea what you are talking about, and second, you need to provide some kind of reference point for the metrics that you eventually want to present. One of the best ways is to first talk about your business objectives from the standpoint of Cyber, focusing on what has been accomplished so far and what hasn't. It is equally important to provide a roadmap for how you plan to finish those objectives whose goals have not yet been met. Once you have laid all of this out, you can then get into the metrics and KPIs. Nobody likes quotas and such, but you and your IT Security team need to be judged against something that is quantitative and measurable. Sure, you can throw in some qualitative aspects as well. For example, one of the key metrics that you can talk about is the mean time to detection. This describes how long it takes a company to detect a security threat that resides in its organization. So far, the average is a long period of time, so point out how you plan to shorten that time frame for your organization. Another key point to remember in these types of presentations is that you should keep them to 30 to 40 minutes in length, tops. Beyond that, you will probably start to have people nodding off in the audience.

3) It takes everybody:

Traditionally, IT Security teams have taken an isolationist role in what they do, because everybody else in the company thinks that if anything breaks down, these are the guys who should fix it. While this might be true in a theoretical sense, they can only do so much. They should not be finger-pointed at or isolated by any means. What I am trying to get at is that security involves everybody in the company, all the way from the Board of Directors down to the overnight cleaning crew. The CISO can foster this kind of thinking by visiting each department on a personal level and telling them directly that they are a part of the security chain as well, and that their input is highly valued. But the CISO first needs to take this mentality to their own IT Security team. There are still many complaints that CISOs often ignore their own employees, and don't even make the time to listen to them. Beyond that, communication with the other members of the C-Suite, and especially the Board of Directors, needs to improve as well. The view that the other members of the C-Suite take is that Cyber is a CISO-only effort, and that they take no part in it. But guess what? With the data privacy laws that are out there today, even the C-Suite and the Board of Directors can be held both personally and financially liable if there ever is a security breach.

4) Establish the layers of accountability:

Once you have demonstrated that everybody has some sort of "teeth" in the defense game for their company, the next step is to establish some sort of accountability. In other words, if other employees have agreed that what you have said is correct, then they need to be held accountable for their own roles and actions in helping to protect the digital assets. For example, employees should be held accountable if they click on a Phishing email. Another area where accountability is going to be of grave importance is in the creation and implementation of the Incident Response/Disaster Recovery/Business Continuity plans. This really cannot be outsourced to an outside third party; the employees in your organization have to be responsible for this. In other words, as these plans are being crafted, you need to take certain employees that you think you can trust, make them part of the process, and give them assignments in these plans. You should then rehearse these plans on a regular basis in order to make sure that all employees know their assignments and are ready to act quickly should a security breach actually happen.

My Thoughts On This:

Improving the lines of communication in any organization is not an easy task, and in many instances it can take a long time to fully accomplish. Although timing is critical given the way the Cyber threat landscape is unfolding in front of us, take the needed time as well to make sure that whatever you are trying to communicate is being heard and understood.

Always ask for feedback. After trying to change your ways for some period of time, ask a sampling of employees how you are doing. This is the only way that you will know what is working and what is not in terms of communications improvement. Remember, this should be a very honest and transparent process.
