Cat: Oh, by the way, if you'd really like to know, he went that way.
Alice: Who did?
Cat: The white rabbit.
Alice: He went that way?
Cat: Who did?
Alice: The white rabbit!
Cat: What rabbit?
Alice: Didn’t you just say?
Cat: Can you stand on your head?
Alice: [gets mad]
What if Alice had some kind of map (a roadmap, for example) pointing her in the right direction, and some tools she could apply to that map to find a better way forward when lost (a compass, maybe?), instead of trying to guess which way to go, or taking directions from the disoriented Cat trolling her from the tree?
For a CISO (Chief Information Security Officer), a good starting point for setting out the coordinates and navigation is to conduct a cyber security assessment. These assessments are generally driven from a technological perspective, but combined with a threat and risk management exercise tailored to the organization, a cyber security assessment makes a fairly good basis for an initial roadmap, to be used as a compass: to understand which roads not to take, to understand which weaknesses and vulnerabilities need to be prioritized first, and to find a road forward that reduces the head-scratching moments and the guessing game.
Personally, I am not a fan of guessing games, least of all when a decision has to be made. Guessing games belong in lotteries and fun games. Guessing and hoping for the best, keeping your fingers crossed or painting a fancy pipe dream, is not the way to go in cyber and information security. It is a bad system, a bad way to create resilience, and hardly a modern way to improve a security posture.
Before diving further into today's subject, let's do a fast recap of the message of the first article in the series, Part 1. In essence, one of the most important aspects of the CISO role (as of all C-suite or manager roles) comes down to one word: leadership.
But what other skills and tools are needed by a CISO, and why? That is today's subject: to put emphasis on those other skills, which I believe are highly important for a CISO, for anyone who wants to become one, or for anyone who wants to improve their skills. For example, what is needed to create that roadmap? What is a "roadmap" and a "compass" in this context, and why should a CISO use them? How can such a roadmap be used to reach a target destination?
INSIDE THE CISO TOOLBOX
Business minded. For me, this skill translates into the ability to understand, analyze and reflect on security from different business perspectives, processes, and industry verticals or horizontals. A CISO needs to understand, at least on a holistic level, the core components of the business processes in an organization.
Understanding the business processes makes it possible for the CISO to better help the organization, for example (but not limited to), to identify the information assets that are most critical and sensitive to it; to identify possible information and cyber security risks, and the scenarios that, if realized, would lead to a negative business impact; and, of course, to gain better insight into possible threats against the organization and its potential vulnerabilities.

Understanding an organization's so-called business value chain(s) provides enormous insight for a CISO. For me, this skill is a blend of curiosity and analytical capability that is not really learned from a textbook. It comes from engaging and communicating with key stakeholders and business leaders in the organization, and from listening to the audience around you.
Without an understanding of the business landscape of the organization, certain subjects and topics become significantly more challenging for the CISO. Let's take an example and apply this skill/tool (i.e., being business-minded) in a simple exercise to see how it helps the CISO.
Our subject for the example will be "business continuity". With a reduced or limited understanding of the business landscape comes a reduced or limited understanding of how an applicable and adequate business continuity plan should be crafted for the organization: where to start, who to involve, what to plan for, and how the plan should be tested and carried out if such a situation takes place. A business continuity plan is about the business. In almost every case it will have dependencies on digital capabilities, such as information systems, applications, and IT infrastructure. But the discipline, Business Continuity Planning (BCP), is, as the name says, highly focused on and connected to the business landscape of the organization. Crafting an adequate business continuity plan needs to start with analyzing and understanding that landscape. The CISO needs to be able to listen, understand, communicate, and analyze how changes or initiatives in the business landscape translate into information and cyber security.
NOT TO BE AN EXPERT. THE KEY IS TO “UNDERSTAND”
So, what about technical know-how and knowledge? In my mind, it is beneficial for a CISO to have a relatively good understanding of different technology domains and of emerging technologies, i.e. technologies arriving in the near future. The key word in that sentence is "understanding".
The person does not need to be able to sit down behind the keyboard and develop exploits, configure firewalls, design networks, or shoot payloads through msfconsole (the Metasploit Framework console). The reason I think a reasonably good understanding of technology is beneficial for a CISO, though by no means an absolute requirement, is that it helps the person better understand the risks, threats, and vulnerabilities relevant to the organization.
Technology is unavoidable today. All business is more or less highly dependent on technology, digital capabilities, and enablement. For this reason, which is less often spoken about, a CISO also plays a vital part in accelerating business opportunities. Yes, accelerating business opportunities! This is not (in my mind) something the CIO alone is responsible for. The CISO, at least according to my own beliefs, shall also be accountable for ensuring that business value realization is enabled. It's a team effort, as in all types of sports. The CIO and the CISO are not two dudes on opposing teams; they are, and shall act as, members of the same team. They are there to help the same organization.
The CISO should not, in my opinion or under any circumstances, turn into Mordac from Dilbert, the Preventer of Information Services, who strives to make the organization's information services and digital capabilities unusable through all those security control implementations. But in some cases the CISO becomes this guy: the preventer of digital enablement, the anti-hero. Not so business-oriented, but at least things got more secure from a security perspective. I'm joking here. This is not a sustainable approach, and it is not an adequate way to enable a secure and protected organization or digital value realization.

Throughout my career, I have noticed that it is quite common for the CISO role to become driven by an IT-centric and technocratic agenda rather than a business-oriented one.
In some cases, the CISO role unfortunately becomes a glorified secadmin (security administrator): a technocratic, elevated extension of an IT security specialist. There is nothing wrong with the technocratic approach as such, but the results will be (at least based on my own experience) suboptimal for the organization. The potential value realization for the organization will be reduced and limited because less attention is paid to the organization's business ecosystem.
So why is that? Why does this keep happening? I don't think there is a single answer, but as in many cases within the IT industry, the person considered "best in class" in the organization when it comes to technology is assumed to be the best leader. This might be the case, but there is no guarantee that it is.
Another case I have come across is where the CISO reports to, for example, the CIO, CDO, or Head of IT. There is nothing wrong with this either, so don't get me wrong here. But adding a reporting layer between the CISO and the board can reduce focus and lead to suboptimal decisions regarding information and cyber security risk. The CIO, CDO, or Head of IT is more often, and in my opinion should be, concentrated on digital enablement and less on the application of security and on the risks related to it or to the business landscape. The latter is the role of the CISO.
It should also not be forgotten that the CISO role is still quite new; it is a function of cyber, information, and IT security, and that whole industry is still young.
In many organizations, the CISO's engagement has since the early days been driven by a technocratic agenda. There is nothing wrong in that as such, but as mentioned before, it may lead to suboptimal decisions if technology dictates the objectives of the business rather than the other way around.
Of course, if an organization provides technology services to its customers, there will be much more focus on tech. But if, for example, the organization is mainly centered around people, with technology and digital capabilities enabling the work, then, in my opinion, the security agenda should treat technology and digital capabilities as exactly that: enablers, not the objective.
I think that a CISO role driven by a purely technological focus may amplify both reduced digital enablement and reduced insight into business risk. In smaller organizations, the CISO may end up sitting on two or maybe four different chairs. Nothing wrong with that, but it is challenging to always be the mastermind of everything, and to ensure that security is reasonably well aligned with the organization's requirements from both a technocratic and a business perspective.
FROM RISK TO SUCCESS
Risks are often seen and approached as something purely negative within the realm of cyber and information security. Of course, cyber threats and attacks are not positive risks, but this does not need to be the only perspective on risk within cyber and information security.
With a reasonably good holistic understanding of technology, seen not only as something that may generate negative risks, a CISO can also use the other side of the coin when communicating with key stakeholders and business leaders, and can understand how the organization's business ecosystem may provide a competitive edge within its industry, market, digital ecosystem, and so on. Let's call this success: the positive effect of risk, and something I believe should be spoken about more.
I wrote down a scenario that I, not so long ago, presented to an organization's management team. This is a part of the presentation in verbal form; it does not include every detail of what was said, but the essence is there. #Success
“To my understanding, the negative risks related to <emerging technology X> may result in a scenario causing negative effects for the organization. According to the risk assessment conducted, <(consequence + likelihood) + (articulated consequences + risk scenarios)>, we as an organization have the possibility to mitigate the negative impact by taking these recommended actions <risk response & treatment options>. We will still need to live with some risk, to accept the residual risks which cannot be mitigated, but as we, as an organization, have expansion plans to penetrate new markets and customer segments, this <emerging technology X> also enables business opportunities that increase our digital transformation rate. We can accelerate business opportunities by, for example, transforming manual processes into the digital ecosystem and by doing so leverage a potentially magnified market increase. We will be one of the first organizations using <emerging technology X>, and for this reason we should together consider accepting the risks in view of the identified opportunities that we as an organization can leverage to generate a competitive edge against our competitors. Besides the risks <R01, R02, R03, heatmap, scenarios, risk appetite etcetera>, there is also the success that can be achieved, which will generate further growth, increased customer satisfaction, and amplified market recognition”. #Risk Management (one of the tools in the CISO’s toolkit) coupled with Success management.
THE DIGITAL TRANSFORMATION AND EVOLUTION
As more and more business processes and capabilities move into the digital and cyber landscape, there is a need to understand the implications, from both a risk and a success perspective. For example, how will an organization be affected if the decision is taken to lift core business processes or line-of-business applications to the cloud?
The CISO does not need to be the cloud specialist, but the person should be able to consider, understand, analyze, and communicate the potential risks, threats, vulnerabilities, and opportunities related to this decision. And these risks, threats, and vulnerabilities are most effectively communicated in plain language, free of technical jargon.
But the CISO shall also be able to understand and articulate the business opportunities involved: the success. How can a competitive edge be gained? How can digital business capabilities be accelerated? This is one of the reasons why a CISO needs the skills and understanding to communicate with the board, key stakeholders, business leaders, technical leaders, and other important stakeholders, whether or not they have a technical background.

Being able to tie security initiatives and projects to the organization's strategic goals builds a better understanding of why certain investments are needed, why projects are to be executed, and why funding for security must be sanctioned continually. It also allows the CISO to craft a better story, tailored and relevant, with applicable analogies and visuals built from the organization's own context and language.
As you may have gathered, I believe in the power of storytelling and see it as a great skill to master. Storytelling in general is something everyone can benefit from. But from a security perspective, and based on my experience, it can really be one of the key ingredients in how a message or business case is best verbalized and visualized for any type of stakeholder: board, managers, subject matter experts, individuals, organizations, employees. And this skill, storytelling, is something everyone can learn to apply and master.
We all have our own stories. We all have our own memories, the feelings we felt in different situations, the quotes we heard from movies, history books, stories (like Alice in Wonderland), and so forth. We all get good at what we practice, and we are always practicing something in terms of our skills. Powerful stories do not create themselves or appear on the slides by magic. They need to be created. And the superhero power behind creating them resides within every one of us.
LEADING BY EXAMPLE
I believe in leading by example. Rolling up the sleeves and getting things done. Creating inclusiveness and engagement. Enabling an open and multi-disciplinary environment. Teamwork and team building. If you want to go fast, go alone; if you want to go far, go together. Build a strong team and let the team be part of the work you as a CISO do. Include the team in crafting the story to be told. Let them help you better understand the technologies in the organization. Let the business leaders and key stakeholders educate you and lead you in discussions about business challenges, processes, and knowledge.
Being a CISO is a team effort. Do it together with the people around you and help each other out. Create trust between each other, between the IT teams and the business teams. Be the leader who creates and establishes a platform, engagement, and a culture within your organization where people feel secure and protected. This is not something that is done overnight or goes fast. In some cases it does, in others not. Have patience. Give the change time. See it as an investment, an investment in the organization and the people within it.
Doing security together is much more fun, and the effect on resilience is significantly amplified. Information and cyber security is not a solo mission; it's a team effort. Go together.
Henrik Parkkinen