The CISO’s Guide to a Winning Cybersecurity Strategy

16 May 2024 at the Secure360 Conference

I proposed in my official presentation abstract that deploying and maintaining an effective program for cybersecurity or privacy governance is difficult without engagement and participation from the business. Because I only use slides if the event makes me, the notes from my presentation are listed below. I recognize that my perspective does not align with the status quo. I hope people consider using the lessons I’ve learned during the past few decades to improve collaboration, coordination, and support of security within their organizations to produce desirable outcomes that benefit all stakeholders.

You cannot discuss strategy without citing Peter Drucker.

According to Drucker, “Organizations are organisms that are made up of individual parts, each with its own needs, and structured to achieve maximum performance.” The organizational hierarchy and the many departments, roles, and responsibilities that exist represent the idea that Drucker presented. Security must have a place in the organization. It must be positioned to add value and equipped to produce desirable outcomes. One of the best ways to make non-security people care about security and give the function its proper place is to tie security to performance-based compensation that rewards them for meeting specific goals or objectives.

The three-tier hierarchy in NIST SP 800-39 encourages engagement about security throughout the organization.

SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View

Level 1 represents the highest levels of organizational leadership where fiduciary duties exist, corporate strategies are defined, and the appetite for risk is established.

Level 2 represents business functions led by individual C-suite executives who execute the requirements from Level 1 within their area. For example, the CFO executes the strategy for finance. The COO executes the strategy for operations. The CTO executes the strategy for digital transformation.

Level 3 represents the system level where controls are implemented to protect information systems, cloud and web services, and data. System and data owners are responsible for protecting their assets with the help of security (ideally).

Moving up the hierarchy requires laser focus on the right problems if you are not already at Level 1 or Level 2.

CISOs and other technology executives are often unwelcome in the boardroom because the board is focused on Level 1 issues while the CISO is often focused on Level 3 issues that the board is not addressing. For example, the board cares about the consequences of security events and incidents, which helps drive decisions. The board does not care quite as much about the intimate details of the technology stack adopted to develop systems, services, and applications used by the organization. Security leaders must focus on the right problems and accept responsibility for the obligations that exist at higher levels of the organizational hierarchy if they want to move up the stack.

I don't think the CISO needs to be at Level 1. In my humble opinion, the primary function of cybersecurity is to support enterprise risk management, measure and communicate risk, and influence good behavior. Developing the Leader Within You 2.0 by John Maxwell provides insights about mastering influence. Linchpin by Seth Godin prepares leaders to exercise their influence no matter what their title or where they sit on the organizational chart.

Understanding how boards work is imperative for success.

A CISO can develop a winning strategy and achieve success no matter where he or she is positioned in the organization. Because of the role and responsibilities of the board (or senior executives in a company without a board), understanding how the board works is imperative for success. Not important. Not essential. Imperative!

The real work of the board is done in committees. Most organizations have three standing committees. The audit committee focuses on financial performance and regulatory compliance (in a fiduciary context). The nominating and governance committee focuses on succession planning and effective board operations. The compensation committee focuses on compensation and incentives for executives. Select committees exist to solve specific problems that vary by organization. The OECD Corporate Governance Factbook continues to report growing adoption of a dedicated risk committee that focuses on enterprise risk issues that include cybersecurity risk. Any committee can focus on security. Success depends upon the skills matrix of the board, their resources, and the priorities of the organization.

The board is responsible for risk appetite. It is a mistake for the CISO to overstep corporate boundaries and define the level of risk the organization should accept in pursuit of business objectives. This is a key board responsibility, and it should be communicated in an official risk appetite statement that defines the acceptable level of risk taking and the maximum amount of risk that the organization can accept before facing an extinction-level event.

Decisions about risk appetite are driven by the duty of care. Putting the organization in a legally defensible position requires the organization to consider the interests of all parties, reduce risk to a level that would not require a remedy for any party, and ensure that safeguards are not more burdensome than the risk addressed (Reference: DOCRA).

The CISO must understand all relevant information about the organization to develop a winning cybersecurity strategy.

Every CISO should be able to answer these questions about the organization that he or she serves.

- What do we do, and why?

- How do we do the most important things?

- Who is involved (insiders and third parties)?

- Who are the threat actors relevant to our organization? (The Threat Agent Risk Assessment developed by Intel is a good tool for answering this question.)

- How motivated are they to attack us?

- What is the inventory of vulnerabilities that exist, and what level of exploit resistance do we have? (Exploit resistance is a driver for prioritized remediation.)

Good places to find these answers: 10-K and 8-K filings for public companies and investor relations information; corporate policies and guidelines; details in contracts and agreements; regulatory requirements and industry standards; and formal risk assessments.

Strategic Planning and Execution

The information cited above must be known before any formal strategic planning process can begin. The strategic plan that is produced is less important than the debate and gnashing of teeth required to align competing interests across the organization and produce consensus about priorities and the resources that will be allocated to achieve success.

Assessment: The planning team must know the situation. Where are we? Why are we here? Where do we want to go? Why? How will we get there? What resources are required?

Strategy Formulation: What perspectives exist? How do we align them? Do we have buy-in? This information is a prerequisite for documenting a formal plan. The action plan must include a declaration of who is responsible, accountable, consulted, and informed (RACI) throughout execution of the strategy.

Execution: Ninety percent of strategic initiatives fail because of poor execution. Do the work. Maintain engagement and accountability. Adjust fire when necessary. Keep moving.

Performance Management: Are we doing what we said we would do? How do we prove it (metrics)? Is everyone carrying his or her weight (look at the RACI chart)? What evidence demonstrates successful outcomes?

Reporting: Review. Adjust. Keep moving. The board should receive a quarterly progress report. This is necessary for effective oversight.

Bold Statements and Key Takeaways

- I have never had a request for budget or resources rejected when I presented the right information to the right people in the right context.

- Strategic management is a team sport! All stakeholders must remain engaged, and they must be held accountable for their role on the RACI chart.

- Management of cybersecurity risk is a strategic activity supported by tactical practices. The board is responsible for defining acceptable boundaries, allocating resources, and providing oversight. The business is responsible for execution throughout the organizational chart. The CISO provides support and coordination to facilitate success.

- The CISO is not a superhero or a loner. Proper positioning of the role and reasonable expectations for the role will increase opportunities for successful outcomes, job performance, and job satisfaction. Everyone must play their part.

- Maturity Models Must Die! I know this is a strong statement. However, the numeric models that people depend upon are the result of subjective assessments. No two people will produce the same results. The duty of care for cybersecurity and the minimum requirements for cyber insurability provide better drivers to produce measurable outcomes for the businesspeople who own corporate risk.

Parting Shots

Until next time. Peace be with you!


Christopher Martin

IT Risk, Cybersecurity, Compliance, Privacy, Security

6 months

This is a very thought-provoking writeup and excellent work as usual! It shows that you have truly walked the walk and not just talked the talk. :) I hope that this message is read far and wide.

John Benninghoff

Cybersecurity Consultant, Writer, and Researcher

6 months

Keyaan, I missed your talk, so thank you for sharing your notes! This is a very well thought out position on the role of the CISO, and I very much agree that security is a shared responsibility across the organization.

Confidence Staveley

Multi-Award Winning Cybersecurity Leader | Author-API Security for White Hat Hackers | Int'l Speaker | I help US businesses navigate the complexities of application security, with confidence | 3x Founder

6 months

Awesomeeeeee
