How to Hack Your CISO to Get Better Results, Every Day! Pt. 2
Is this how you've equipped your CISO? www.anticiso.com


Find the original article at: www.anticiso.com/how-to-hack-your-ciso-to-get-better-results-every-day-pt-2/

Posted on January 24, 2018 by Richard Bird

Do you believe you have enough money to buy your way to safety with information technology solutions? 

This is where we left off in Part 1 of this article. Do you truly believe you can buy enough technology to fix your security problems? Do you believe you can be fast enough, responsive enough or agile enough to buy tech that is right on time and ahead of the threats you face? Do you think information security in your company is simply a money problem? My sincere hope is that your honest answer is: no.

Your Chief Information Security Officer is a technologist as a secondary function, not as a primary one. And if you treat your CISO simply as a firefighter, understand that most organizations today are equipping these leaders like a 19th century fire brigade.

Your CISO is critical! Your CISO is the senior leader tasked with direct intervention to mitigate inherent and residual risk across your company. In fact, they are the only resource in your company with this mandate and supposedly the only ones given the tools, resources and staff to do so. Many CISOs may not even realize this truth yet: information security is merely a component of an entire security universe within a company. Her primary role is implementing solutions, processes and standards that mitigate risks for the company. Those risks go well beyond the IT space. Way beyond the IT space.

In today’s corporate structure, this is what I hear CISOs saying across the dozens of companies I advise on cybersecurity strategy:

“I can only apply my technology solutions to what I “own”. I can’t protect everything because I have to put my limited money and resources into protecting SOX assets, critical applications, only PCI data and everything else is out of my control.”

Ask your CISO, today, what they don’t own. The list is enormous. They don’t own the defining characteristics of employee identity in your company today; but you demand that they have an effective identity and access management program in place. They don’t own change management but you demand that she keeps infrastructure and OS patching 100% current; fighting against all other feature and functionality patches and taking finding after finding for being further and further behind. They don’t own all of the dozens or even hundreds of cloud solutions being bought by your business managers, but you demand that there be no exploitable channels into your organization; while your business managers are pushing customer and employee confidential data into off-premise data stores that you no longer control. They don’t own the firewalls; but you demand that the perimeter is kept locked down. They don’t own directory services; but you demand that employees only receive the least amount of access to your systems, file shares and databases that they need to do their job.

Imagine for a moment any other function in your company having this “you must control it but you don’t own the underlying rules of engagement, standard or policies” … (notice, I didn’t say function). Imagine a CFO with no control over departmental budgets. A CMO with no control over site-level marketing budgets. A CEO with no control over subsidiary businesses.

So this isn’t just a matter of bad decisions related to your organizational structure or the budgetary constraints placed on the CISO. In companies of every size and within every industry, we have created a position that has all of the accountability for risk mitigation and we have kept that same individual from having direct ownership of all of the pieces, processes, many of the functions and most of the technology needed to accomplish the task. 

Are you starting to see why the typical CISO lasts 18 months in their position? 

On top of these challenges, the CISO’s executive peers see security as an inconvenience and as unnecessary overhead. This is not universally true, however. In companies where a major breach has happened, those same peers typically don’t see security in the same light. Urgency, ownership and responsiveness to information security and risk control demands change overnight in companies that have been hacked. It is definitely a sad state of affairs, though, that this is the driver for true change within a corporation. Wouldn’t it be smarter to “hack” your CISO for heightened security performance and exponentially improved risk mitigation efforts? Before you get breached?

The truth is staring us directly in the face: your CISO’s authority to deliver risk mitigation has been completely marginalized by her positional and functional placement within your organizational hierarchy, his obligation to fight for budgetary table scraps to buy only part of the technology needed to keep pace with a constantly evolving threat environment, and no power over business related security decisions ranging from cloud application utilization to physical security control to operations related risk. Basically, you have a Chief Information Security Officer that is neither a Chief Security Officer nor an owner of enough “information security” domains to even be a complete Chief Information Security Officer.

But we can change this. We can hack our CISO, our company structure and our security focus to get the results we not only want, but that we desperately need. We can change this by:

  • Aligning the CISO to the CEO with direct and regular contact with the Board of Directors
      ◦ This means that your CISO (or another resource) becomes a CSO and controls not just information security, but operations security and potentially fraud operations and physical security
      ◦ (Ever notice that your operational risk management organization and your IT risk management organization seem like they are from different planets? Hmmmm…. another potential article? I wonder..)
      ◦ Before you say “yeah right”, understand that many large companies are already doing this
  • Funding information security as well as business security as if it were a brand new product line for your company
  • Bringing all security related functions together under a unified structure; recognize that information security is only one piece of the security puzzle
  • Stop treating information security as an “IT” function; treat it as a corporate service
  • Stop giving information security away if you really want to create a secure company; a topic you can dig into further by reading my upcoming article, “Information Security is Free!”

Certainly many of these recommendations are up for debate. I don’t, for a moment, believe I have all the answers or a silver bullet to solve the universe of complexities we face as risk and security practitioners. But, I do know that how we have been conducting the business of cyber security and risk management isn’t working under our old structures, models, beliefs and methods. If it were, we’d be seeing fewer and not more cyber events every single day, month and year. 

Are you ready to hack your CISO and your company to fundamentally change how you keep your organization safe?

George Johnson, CISSP

Founder @ Domandus LLC | CISSP | Startup Investor

7 years ago

Great article that exposes the systemic/organization problem of how security is handled. Corporate Boards MUST take more responsibility for asking their C-suite how they structure and handle Risk (big R incorporates cyber, physical, business risk). Scattered and disjointed with poor authority/responsibility correlation? Are more tightly integrated providing real time information and resilient response? Richard is also right in that several large organizations are now fusing these efforts. We are working with several of them to bring cyber and physical together. This is an area that successful companies will lead in.
