Focus on Process
During the period where I was learning Risk Management (2000-2010), businesses started to realise the importance of Security. The role of the Security Manager was elevated, and the position of CISO appeared for the first time. A proper C-level role to aim for, or so I thought.
I continued in consultancy so that I would pick up all the right skills to become a CISO, and quickly learnt that most CISOs were still operating as Security Managers, often under a CIO or CTO, or worse, a COO who just wanted to be compliant. This felt like a step backwards.
Imagine if you will, a meeting between CISO and Board where the CISO is asking for money:
"We have all these risks, all these threats, I need money to fix."
"How much?"
"Um, £3m should do it."
"So you will improve these things?"
"Yes."
"Have £3m, come back in 12 months with your improvements."
Obviously this conversation never happened, asking for any money from a Board is a drawn out process, but the point is the CISO was ALWAYS asking for money to fix risks. It was all about downside.
Not to be deterred, I started seeing amongst the wider CISO community, and still do to this day, a focus on reporting KPIs and KRIs. The aim is to balance risk against performance. It's a shrewd move to bring some upside into an otherwise totally downside conversation. Making the conversation about performance and improvement sometimes unwittingly focused security on processes.
The problem with KPIs and KRIs is that they require some extant knowledge of Security to make head or tail of them. I've heard ExCos and Boards turn quite aggressive in the face of stats which to the trained eye appear quite insightful. I have a quote from my old CEO ringing in my ears as I write this:
"I don't want data, I don't want information, I want insight!"
(I should add, this was not said aggressively, but by way of direction.)
Prior to working in my first CISO role, I advised on two long-term assignments. In the first I used my previous risk management and compliance work, got utterly confused and achieved very little, except realising that we needed much better governance in place to get everything working together.
During the second, I discovered the US National Institute of Standards and Technology's (NIST) brilliant CyberSecurity Framework (CSF). If you've read my previous ramblings, you'll know I'm a fan. I'm not going to reproduce it here again, but go and take a look and read some of my previous articles, if you want an insight into what makes CyberSecurity tick. Tomorrow I'll go into more detail about how to use this to your advantage.