The 10 Tenets of CISO Success: Frank Kim Presented at RSA (16 Oct)
There are three ways to obtain wisdom.
- Imitation – the easiest way;
- Reflection – the noblest way; and
- Experience, which is often the bitterest way.
That’s how Frank Kim of ThinkSec opened his presentation – 10 Tenets of CISO Success – at the RSA Conference 2018 in San Francisco. Mr. Kim is a former CISO for the SANS Institute and built a security program for the healthcare company Kaiser Permanente.
His presentation was fast-moving and focused on leadership and communications techniques any modern security leader would find useful. Many of his ideas are actionable, with tips and examples ranging from the slides a CISO needs to brief the board of directors to how to make an effective pitch for the security budget.
Our takeaways on his 10 tenets follow.
1) Catch the culture.
A security leader Mr. Kim once knew began a new role as a CISO who set an ambitious goal of changing the business culture around security. That CISO didn’t last, as the organization “chewed him up and spit him out.”
Instead of trying to change the culture, Mr. Kim suggests CISOs first try to understand it. When you understand the culture, you are in a better position to influence behavior change and choose security strategies that are best aligned with the corporate culture.
2) Relate to risk.
Business has never been more reliant on technology and continues to add new enabling technologies – even as threats like advanced persistent threats (APTs), organized crime, and nation-state attacks grow. The risk gap is widening, as some market researchers forecast the cost of cybercrime will reach more than $1 trillion.
Yet the business needs these enabling technologies to remain competitive. Therefore, the task for security leaders, according to Mr. Kim, is to figure out how to say “yes” to some of these tools, while also understanding them in relation to the modern threat landscape.
3) Create credibility.
Security leaders can create credibility by comparing how their organization stacks up against competitors, or against other industries. That is why benchmarks and standards are so important: they illustrate how your organization’s security stacks up. Business leaders recognize that security is important – but what they really want to understand is whether the organization is spending too much or too little relative to peer businesses.
4) Shape the strategy.
CISOs need to frame their strategy for cybersecurity. Mr. Kim likes the NIST Cybersecurity Framework for communicating with business leaders. It’s useful because it “simplifies the complex story of security” across five key lines of work – identify, protect, detect, respond, recover.
He turns these five areas into a comparative model. It’s a model the CISO can use to map where the organization is currently, where he or she thinks it needs to be, and denote where the industry leaders are presently. He creates a simple slide out of this for the leadership or the board of directors. You can see his example on page 11 of his presentation (opens in PDF).
5) Deliver the deal.
If a CISO walks into a budget meeting with only one option for securing the enterprise, the conversation will inevitably center on “what if we did a little less?” Instead, Mr. Kim suggests first mapping security goals to strategic business objectives such as financial stewardship or process efficiency. Next, develop three options and highlight the tradeoffs.
Typically, the middle option is the one the CISO wants while the other two are a) more and b) less expensive. Importantly, every option presented must be viable and achievable. A CISO should be prepared to get more money than he or she requested, just as they are prepared to do the job with less.
6) Invest in individuals.
Investing in people means both involving them in the process and advocating on their behalf. For example, if a CISO wants his or her team to buy into a strategic security plan, the CISO has to involve them in the planning process. In other words, avoid just showing up with a complete plan and asking the team to execute it with enthusiasm.
Mr. Kim also suggests that investing in a team is about more than just rewarding performance – it is also about providing exposure. If you want to promote someone on your team, it’s far easier to obtain peer-manager buy-in if you’ve provided the proper exposure prior to making that suggestion. In other words, taking care of people requires some groundwork. [Note: He advocates the PIE model – performance, image and exposure – popularized by Harvey Coleman.]
7) Make metrics matter.
Most security metrics focus on technical measures – scans conducted, or vulnerabilities discovered. The key is to operationalize those metrics to relate them to strategic priorities and improve the security program.
For example, drawing from the NIST framework again, Mr. Kim says the CISO might assess the current state of each capability, identify whether it’s trending up or down, and then provide the metrics to demonstrate how you arrived at those conclusions in the footnotes.
Page 21 of his presentation provides a simple example (opens in PDF).
8) Master your message.
Cybersecurity must do some marketing to communicate the value. A useful way to do this is to borrow a page from internet marketers.
For example, there’s a popular infographic that shows what happens on the internet every 60 seconds – millions of social media posts are made, emails are sent, and videos are uploaded online. Mr. Kim made a variation of that – a security infographic about what happens in security every 24 hours – and included technical metrics like scans and blocks.
The graphic was a hit and Mr. Kim said his leadership was sharing it and marveling at all the things the security team does every 24 hours to keep the organization secure. That’s a big win for mastering the message and one a CISO could start for their organization today.
9) Champion change.
New project management methodologies such as agile have caused businesses to rethink processes to bring products to market faster. In turn, this is causing a tremendous amount of change within the organization – and change brings new challenges to security.
Mr. Kim believes security needs to adopt some of the best practices, such as agile, to support change and “inject security in an appropriate way.” Just as agile thinking has broken barriers with development and operations, the CISO needs to do this with security.
10) Solve business problems.
The scope of responsibility in cybersecurity has expanded beyond just IT. Today it includes risk management, regulatory compliance, legal, privacy, and business savvy.
He cites the CISO mind map by the SANS Institute for reference, which illustrates all of the “top domains the modern security leader needs to be knowledgeable about.” It’s not enough to just be a technical expert; security leaders also require business savvy.
* * *
Mr. Kim makes this all look and sound easy, but if it is overwhelming, he suggests tackling one or two of these at a time. His full presentation – 10 Tenets of CISO Success – is embedded nearby, runs just about 35 minutes, and is well worth the time to watch.