The CISO faces something of a paradox in information security (infosec): While charged with keeping an organization’s networks and data safe, the CISO usually doesn’t control all the resources required to protect it.
This is because CISOs cannot possibly be in every meeting or witness every event that creates risk. CISOs don’t own application development or the sales force, for example. That’s according to Phil Gardner and Stan Dolberg in an exceptional talk presented at the 2017 RSA Conference entitled The Five Secrets of High-Performing CISOs.
Both gentlemen hail from IANS – the Institute for Applied Network Security – and they presented research stemming from the input of 1,200 security leaders who have completed two 30-minute diagnostic assessments.
The conclusion? Effective CISOs lead their organizations “to adopt safe business practices.” According to the data, those CISOs that fall into the high-performance category tend to follow the five habits listed below.
1) Effective CISOs learn to lead without authority.
Only the luckiest of CISOs inherit organizations with a strong culture for cybersecurity risk management. Most, however, are stuck with too few resources fending off an oversized challenge. Success hinges on using “the tools of influence” – persuasion, negotiation, conflict management and communication – to “get business leaders to own risk.”
“Technical expertise is an imperative, but it’s insufficient,” according to the presentation. “Great tech chops won’t solve the problem, you have to get out of the tech realm, and drive information security thinking and best practices into the guts of the business – that’s infosec leadership.”
The first step is to “gain command of the facts.” Those facts include:
- What are the critical assets?
- Where are they?
- Who owns them?
- What are the risks?
- What is the true nature of exposure after controls are put into place?
That information is obtained slowly, over time and through conversations with business leaders to understand what they value, along with gauging their appetite for risk. It is through this process of leading without authority that CISOs help business leaders understand the impact of cyber risk to the business and foster a sense of ownership.
2) Effective CISOs embrace the role of change agent.
People gravitate towards routines, but cyber risks are dynamic, so change is inherent and a natural resistance to it is inevitable. To that end, effective CISOs embrace a role as a change agent and, more importantly, the responsibility that role carries for conflict negotiation and resolution.
The key is to embed security thinking into business processes which enable the CISO to be “virtually present.” This means weaving security conscious thought processes, checklists and testing protocols “into the fabric of the organization.”
To execute, effective CISOs look for allies with common objectives. The obvious allies probably rest in procurement or vendor management, but also in the legal and auditing departments. The change management team is also a likely ally for working around the typical barriers with software or DevOps.
IANS research finds that about three-quarters of high performing CISOs “systematically and proactively engage stakeholders at all levels.” By contrast, just 1 in 20 low performers do the same.
3) Effective CISOs don’t wait for an invitation.
According to the presenters, high performing CISOs develop a broad agenda looking across the organization and don’t wait for an invitation. This requires a level of proactivity at scale which is built on two foundational prerequisites.
First, effective CISOs “run infosec like a business,” which requires tying budgets to impact, managing resources efficiently, and completing projects with transparency, punctuality and within budget.
Second, effective CISOs are able to delegate by developing a team that possesses both technical and business competencies. A security team cannot grow or scale if the CISO is the only person capable of having business level conversations.
The presentation suggested that team development centers on three areas: technical depth, business knowledge and interpersonal skills.
4) Effective CISOs build a cohesive unit not just proficient individuals.
It’s not enough to build an organization of proficient individuals – effective CISOs build a cohesive unit or “cadre” as the presentation defined it. IANS research found “84% of high performers say they have ‘the right people on the path to a cohesive team’ compared to just 1.4% of low performers.”
This means building a team that can “communicate the value of infosec.” Moreover, security awareness in an organization is just table stakes. Communicating value means the team helps an organization understand how security enables a business to “grow and win.”
The effectiveness of a team is also related to how it’s organized for success within the enterprise – with the visibility to influence priorities. According to the presentation, many CISOs report to the CIO or CTO, which means infosec competes for resources and priorities with an “Office 365 rollout.”
IANS suggests that sophisticated organizations often report to operations or risk departments.
5) Effective CISOs recognize the journey is long.
It takes time to build trust, to build a team, and to build an enterprise-wide security program “to the point where information security has woven itself into the business.” By way of a quantitative estimate, the presenters suggest that takes 5-7 years.
The full presentation, which is embedded nearby, runs just about 40 minutes. It’s well worth watching because it builds on multi-year research, including data presented at the 2015 RSA Conference: The 7 Factors of CISO Impact.