There Is Value In Scar Tissue: Why Breach Management Experience Is Critical For CISOs
Gary Hayslip
CISO @ SoftBank Investment Advisers | Board Director | Investor | Author | Hacker | Veteran | Servant Leader | Father
Thank you to my fellow #tinkertribe members who contributed updates and valuable insight that helped make this article concise, and to #Forbes for helping bring this article to our community. This article is published on the #Forbes Tech Council website.
As an operational CISO, I actively mentor and contribute content to the CISO community. In this process, I sometimes like to reflect and talk with friends about where we have come from and where I think we can grow as a community. In these discussions with peers, one area of common interest is how the CISO role's responsibilities keep changing in response to the threats facing our businesses. I view these changes as good, though I am sure many of my peers would like the rate of change to slow down and become more manageable. Unfortunately, I don't see that happening any time soon; in fact, I believe the requirements for the position will continue evolving at a rapid pace.
Recently, while searching for my current position, I had the opportunity to interview for several different CISO roles. In a previous article about this experience, I discussed how the job descriptions for CISO positions and what the hiring organizations actually thought they needed seemed to be misaligned, which continues to confuse the security community. Even with this confusion, there is one area I have found hiring organizations currently focusing on, and that is leaders experienced in incident management.
This interest in incident management is intriguing to me, especially because this skill was never listed in any of the official job descriptions I applied for this past summer. Even though the skillset was not listed, on multiple occasions different interviewers asked questions to ascertain whether I had real breach management experience and the scars to prove it. Being asked about incident management several times by different companies is, I believe, evidence that organizations are maturing in response to the threats they face and expect their CISOs to provide critical leadership and collaboration in times of crisis.
To me, this is good news! Several years ago, if you were a CISO and your company had a breach, you could expect your job to be under review and that you could be fired regardless of whether the incident was something you could have prevented. Fast-forward to today when, as I've heard from fellow security leaders in the CISO community, there is value in having breach and crisis management experience. Companies are actively seeking this value, and it was evident in every job interview I went on: I was asked situational questions about how I would handle a security incident and whether I had real-world experience from previous breaches. I was never asked to divulge which organizations I had previously worked at that suffered a breach, but through discussions with these potential employers I found there were several skillsets organizations wanted from their CISO candidates for managing incidents.
Calmness during a real incident
As the security lead for an incident, did you, as the CISO, approach the management of the security incident in a methodical manner, using resources efficiently to reduce the risk exposure to your organization? For this skillset, I was asked to describe how I approached an incident and how I deployed my teams and resources. I was asked during my interviews to describe which practices I found worked well and, through experience, which didn't work well and how we corrected those issues. Questions in this area demonstrated to me that organizations wanted a leader and team player who could remain calm during an incident and be strategic in their decision making.
Knowing how to triage an incident
As the CISO leading an incident response effort, there are times when critical decisions must be made regardless of their impact on operations. One example is isolating a subnet that is overrun with ransomware so that it doesn't fully compromise the business network. Another is accepting that an incident is beyond your team's capacity or expertise, and that you need to speak with in-house counsel and exercise your cyber-insurance rider to get third-party forensic assistance.
Many of the interview questions around this skillset focused on how well I would work through an incident with stakeholders and whether I was willing to collaborate and ask for assistance from peers. I found that a willingness to collaborate and work as part of a larger team effort is fast becoming the norm for CISOs, and that companies are looking for leaders who are comfortable being team leaders or team members as the situation requires.
Effective communications
This final skill was explored in depth in multiple interviews and covered how CISOs communicate with the various incident management stakeholders, both within their teams and above them to executive leadership. As a CISO, you stand at a crossroads between the technical teams triaging an event and the non-technical teams that may be leading a larger business continuity effort. You must be able to communicate technical topics to non-technical audiences and ensure they understand, so that you can get the resources you need and they can execute the correct response for managing the risk exposure to critical business operations. In my interviews this past summer, I was asked to describe how I worked within a larger business continuity effort and to provide examples of how I reported to or worked with executive teams during times of crisis.
These are just examples of what CISOs today are expected to do as senior security executives for their organizations. This is by no means everything a CISO would need to know during a security incident, but it demonstrates that security executives must be flexible, willing to accept help, and able to lead during an emergency.
It is important for organizations to understand that there is no such thing as foolproof security. No organization can exist on an internet island and be deemed safe, because we are all connected. With that in mind, it is better in today's connected world that businesses face their threats and support their CISOs, who may not always prevent a breach but can manage it.
In addition to having the privilege of serving as a Chief Information Security Officer, I am a co-author, with my partners Bill Bonney and Matt Stamper, of the CISO Desk Reference Guide Volumes 1 & 2. For those of you who have asked, both are now available in print and e-book on Amazon. I hope they help you and your security program excel. Enjoy!
Thank you, Gary. Great insight! I particularly liked the observation that you, as CISO, are working within (during a "major event") the scope of a business continuity program. It is important to have an office focused on the operational recovery and communications for the business as a whole. There are certainly elements of any BC situation that simply do not involve the CISO (or CIO, et al.). There may be interrelation, and a breach may be the crux of the scenario, but other issues could take center stage. An effective BCP can manage a crisis situation, provide consistent communication to various stakeholders, and allow the specialists to concentrate in their field. Now, that might sound good. I have not personally witnessed that effectively implemented. However, even if an organization is not large, mature, or well-funded enough to establish a business continuity program office, there are things everyone can do. At a minimum, roles (e.g., internal/external crisis communications) can be identified and assigned within the current structure. Within budget, training for additional duties can be provided. And, even in small organizations, time can be set aside for tabletop exercises. There should be no requirement to practice your skills for the first time while the business is figuratively (or literally) burning down.
World Traveler
5 years ago: Illuminating! Thanks Gary Hayslip, CISSP
Principal Technical Account Manager at HUMAN
5 years ago: Great read - thanks for sharing!
Always appreciate your insight Gary!
I am an experienced cybersecurity professional helping organizations protect their information and hard-earned reputations with the very best people and technology.
5 years ago: Gary Hayslip, CISSP, I am so glad to see that you listed calmness during a real incident first. The number of times that we deal with panicked CISOs and other executives when an incident occurs far outpaces those times when they are calm and thoughtful about the response. A strong incident response plan and practice gained through tabletop exercises are key.