The Troublemaker CISO: Get the Organizational Basics Right
Security Director Ian Keller Tells You How to Become Enabled to Fix What's Broken
Yes, it’s me in all my opinionated glory, giving you another glimpse into the mind of a frustrated CISO. Let the rant begin.
Everything starts with the basics. If you don't get the basics right, you will never achieve the result you are looking for or are mandated to deliver. You might attain something resembling the result you were chasing, but it will only last for a while and eventually it will fail.
We know that the basics are not being done as consistently as they need to be, and we also know why: We are hamstrung by not having the authority to do them. Put another way: We don't bite the hand that feeds us.
Our inability to fix things is what makes our adversary seem so unstoppable. Give them their due: what they have done is nothing short of jaw-dropping. Their consistency in breaking in, and the caliber of their victims, is staggering. These attackers are not pimply-faced youths running the cDc Back Orifice toolset from Mom's basement. PFYs practice swatting, not hacking.
The hackers we face are highly motivated and well-funded groups focused on getting into our world with nefarious intent, not getting caught and collecting their payday. These groups are well versed in the arts we practice; they listen carefully to our conversations, share information freely, leverage each other's strengths and exploit the fact that we are not doing the basics right because we have one hand tied behind our back. Some of us have both hands tied behind our back.
You may be thinking: "Tell me something I don't know." Well, here is more that you know but still need me to tell you.
The reason you are not doing the basics right is simply that you are not enabled to do so. Everyone may say you are, but in this world, you are not enabled unless you have the organizational basics in place.
Who Do You Report To?
I will wager that most CISOs still report to the CIO, which is wrong. For you to be successful, you must report as a member of the executive, not subordinate to it. As a member of the executive, you carry a board mandate to execute on your duties and to report regularly to the board on the status of those duties. You must forge relationships with all the other executives so you can understand their business and they can understand yours; from there, you can build an information security program unique to the business.
To illustrate this, I am going to focus on two executive portfolios: the chief operations officer, or COO, and the chief information officer, or CIO.
The CIO is most likely your boss. All the technology lives here, including all the information security technology. They own it; you operate it. Given this, it is fair to say that most basic technology security needs are executed under the CIO's portfolio.
The CIO reports to the various boards and executive forums and, naturally, the conversations revolve around availability, stability and operational issues, not the burning security issues. Even when you, as CISO, are at the meeting, you may have one slide or one minute of airtime to try to get a point across. And your section is always last and gets cut more often than not.
But an executive with a board mandate is obligated to brief the executives and applicable board members on the execution of that mandate.
In my case, I had the Information Security Subcommittee associated with the Risk and Audit Board, chaired by the CEO and attended by all the other executives, including board member representatives. It was a two-hour, focused information security committee, not a technobabble session in which we spoke in acronyms. This approach changed the entire landscape associated with information security, giving it the wings it needed, the funding to support its flight, and the desired outcome.
The win for the CIO is that all the information security functions are now moved onto the CISO's plate, and the CIO is only required to execute the agreed processes and procedures within the approved timelines. What a stunning double-edged sword this is! So make sure you can "man up" before you stand up.
Your COO is another key figure in the success of your information security program. The COO impacts the profit and loss of the business and therefore has the most sway in what happens operationally. Your role, along with the CIO's, is to be a value-added adviser to the COO. You need a clear and detailed understanding of the "product" you are delivering, the go-to-market strategy, the technology requirements, the realization of benefits, the operational costs, etc.
As a peer, you get first-hand information, not hand-me-down bits and pieces. This enables you to make sure the defenses you need are put in place at the right time and at the right cost to meet the risk and enable the COO's desired outcome.
You - the Executive
If you can elevate your role to that of an executive, then you are on the right track. Let's assume you have done so. Can you now just go and fix everything that’s broken? Yes, you can!
Now you can:
- Get all the patches updated.
- Retire old end-of-life software and systems.
- Harden the hell out of everything.
- Put in zero trust networks and every other InfoSec acronym the salespeople dream up.
You can do all the stuff you have been itching to do.
And then you'll wake up and realize this is not as simple as it sounds. You are now enabled, but you're also accountable.
Go grab a coffee and a doughnut and wait for Part 2 of this riveting journey through the frustrated mind of the Troublemaker CISO.
Ian Keller, director of security at a telecom company, is an information security evangelist with over 30 years of experience. He started his career in the South African Defence Force's Combat School, where he served as an instructor in Army intelligence. Keller took this background into the corporate world and was instrumental in the creation of the global information security function for one of the country's Big Five banks. He was subsequently appointed chief information security officer for one of South Africa's leading corporate and merchant banks.