A DAY AT WORK AS A CISO – PART #1 [EXTENDED]

Posted on by Henrik Parkkinen

Cat: Where are you going?

Alice: Which way should I go?

Cat: That depends on where you are going.

Alice: I don’t know.

Cat: Then it doesn’t matter which way you go.

The quote is from Alice in Wonderland. And the role as a CISO, Chief Information Security Officer, is in many ways starting out from this perspective.
To find “the way” that the organization you, as a CISO, are helping. Read my words —> ”Helping + organization.”.

You are there to find out where the organization currently is and to set the trail and lead the way forward towards a destination, i.e. a formulated vision and goal for where your organization is heading. And this is an ongoing journey, it will be iterative and need to be conducted in a continuum. Security, within the realm of cyber, information and IT is not something that is and shall be seen as a “check in the box” activity.

Unfortunately, as I have witnessed, this is how it can pan out in some organizations. Security is seen as something which is related to cost and things that slow down the organization. Of course, it will cost resources and energy from the organization, both in terms of monetary and also in the aspect of humans, technologies, and processes. Anyway, let’s get back to that journey, trip, and adventure that needs to be conducted in a continuum.

HELPING THE ORGANIZATION NAVIGATE INFORMATION SECURITY

Securing an organization is not a single-way trip with only a departure. This is a beautiful adventure filled with wonderful places that you and your team will come across and many interesting side quests may take place along the road. And there will be rabbit holes, endless and pitch black, which may pop up from nowhere. For example, security breaches, incidents, and so forth. These might not always be so joyful, but they are a part of the job. And the best thing is, you do not need to jump down into these rabbit holes alone.

The role of a CISO is a leadership role. The accomplishments and rabbit holes are, in most cases, managed as a team effort. But as in every team, there needs to be a captain. Someone leading the team. This is your role as a CISO. Engage as a captain. And with the mindset and attitude to enable others around you to grow alongside with you in the journey you are on together. There is a strong word here in the last sentence. “TOGETHER”.

Security is not a one-man show, a.k.a single mission in John Rambo style. It is a team effort. Everyone in the organization needs to pull up their sleeves and provide for the team. To the organization’s security posture. It does not happen without some effort though. But the CISO, is not the dude that will ensure everything is safe and secure on his own. The person in this role needs a team and support from the organization. And cyber and information security is something that involves and concerns everyone. And with this in mind, it comes pretty clear that everyone needs to help out in making things more secure.

CISO is about helping the business and aligning security towards the organization

The battle against the opponent shall not be conducted within the own organization. Why am I even saying this? One of the reasons behind this statement is that from time to time, not only related to the security-land, there appear those bureaucratic and political battles in the corporate landscape. This is how it always has been and always will be. We are humans.

We have different mindsets, visions, agendas, perspectives, and so forth. Unfortunately, these forms of energy consumption do not provide an increased security posture. Everything is not and shall not need to be sunshine and rainbows all the time but things become more effective and fun when the focus is put on helping each other. The opponent, i.e. the bad guys, are out there or inside the organization that tries to cause harm or in other ways negative damage. Think about this the next time when there is an internal beef or situation. Remind yourself and those around you to skip this part and instead spend the energy and time helping each other and your organization to become more resilient. I know, politics is a thing in the corporate world…but from time to time things are made more problematic and troublesome than they need to be.

“I have understood that you do not agree with me, I am ok with that. Could you please express what is concerning you and how we together can find a way forward?”.

It is not always those organizations with the largest security budgets and most appliances installed in the IT estate that are the most secure. Technology is one part. But the largest strength and weakness in an organization is the Humans. Start there, by ensuring the humans in the organization work together with you. Invest in time and energy to educate them. Make sure they feel trusted. Listen to what they have to say. What do they need to feel more secure and protected? The answer will rarely be “We need a new security appliance installed in our data center.”. It may more likely be something related to “I would need to better understand how to do my day-to-day work in such a way that does not jeopardize the assets in our organization.”. The appliance in the data center may be a result of fulfilling the expressed requirement from the organization’s employees though. But to arrive there the requirements first need to be understood and sorted out. Security does not function in a vacuum, it is there to support the organization and protect the assets…and Humans are the most important ones.


SECURITY MATURITY & REGULATORY REQUIREMENTS

But the role, i.e. CISO, as such is not something that always looks generically the same in every organization. Don’t get me wrong on this one but the responsibility may be the aspect, which is more or less generic, but the day-to-day work will vary. Trust me, I have seen quite a while of different organizations and have been taking on the role as well. And this is because it mostly depends on an organization’s current security posture, i.e. where an organization is in its own security journey. How far have they come in the adventure of cyber security?

But also, which industry is the organization operating within? And what types of regulatory requirements need to be aligned. What types of threats are targeted towards the organization? A classic one-liner, there are no silver bullets. There is no golden appliance that comes with a step-by-step manual that will tell the CISO how to “configure” the organization to make it safe, secure, and protected. It would be cool though but this appliance is not invented yet (at least to my knowledge and understanding).

But there is some better and less good (read bad ways) for how to take care of the security stuff. Keep in mind though, that every organization needs to have general security controls and measures implemented, this includes for example robust configuration management, asset inventory, endpoint protection, perimeter protection, malware protection, and recovery capabilities.

As I see it, these types of security controls are and should be seen as something comparable to “good hygiene” when it comes to information, IT, and cyber security. And every organization should have, but this is not always the case, a stringent risk management methodology coupled with threat and vulnerability management.

CISO is about being a leader helping the business

I think that in a matter of time, maybe a couple of years, these disciplines and skills will become seen as security hygiene. In some cases, due to regulatory requirements, threat and vulnerability management are determined as security hygiene factors. In general terms and perspective, many organizations still lack the capabilities to adequately detect and respond to modern cyber security attacks and threats. And this is how it is. All the security stuff (controls and measures) can not and will not be in place in every organization. All organizations around the world do not have the same security requirements, budgets, resources, skills, knowledge, and competence. But what needs to be done is to start from somewhere. Start the journey from where you are within the organization. One step at a time. And it is highly recommended to start now. The bad guys out there do not have a stopwatch. They are not waiting for you to secure your organization first and then launch the attack. It is the other way around. They take every chance they can get.

CISO is there to lead and help the organization

As a CISO you are the person who is leading the pack, in the front, and looking into the unknown. You may not always have the answers on your own and for this reason, it is of high importance to have a strong team in your corner. Being able to communicate, both verbally and visually, is a key capability that will contribute to strong business relationships both internally and externally in your organization. And as a leader, in my opinion, and based on the principles of my leadership philosophies, you are the product of strength gathers from the relationships you have. If you have a strong team around you who trusts you and are willing to take a part in the journey you and the organization YOU as a CISO help, you are in a fairly good place.

As a CISO you are the composition of strengths shared and accumulated within your organization, business landscape, internal IT team, external specialists, suppliers, and partners.

You are a leader. You are there to enable others to grow and develop to into leaders within the context of security and the organization you help. Enable and establish security awareness within the organization. Foster a secure culture. Empower the employees within the context of cyber security.

The CISO is there to help the organization and lead

You are there, as a CISO, to HELP the organization you are a part of and to lead them in their journey to become more protected and secure. More resilient. In part 2 we will dive deeper into the role of a CISO. Stay safe. Stay protected. Contemplate and trust in security. Together.

Henrik Parkkinen