What is an Anti-CISO?
TLDR - Skip down for the six elements that make up an Anti-CISO: Autonomy, Creativity, Humour, Leadership, Recognition and Success.
So first and foremost: I am not a CISO. I don't hold the formal job title, I don't perform that function, and I do not have CISO on my business card. My actual job title at the moment is the rather mundane "Security Engineer", but the title doesn't reflect what I do or how I do it.
What I actually do is influence thousands of Builders, Operators, Software Developers, Program Managers, Policy Makers, Executives, Lawyers, Compliance Officers and Security Professionals in how they perform security work every single day.
The impact my colleagues and I have on security is immense. We influence and strengthen the security of some of the most critical parts of our organization, and we see a real difference from what we do. It's rewarding, and it brings huge joy to those of us who work in this way.
If you want to be happy in your security career and feel like you're making a real difference, read on.
This kind of broad organizational influence doesn't come from position or title. It is not something that is given to you; it is something you earn through your actions and your attitude. It comes from how you live your life and how you execute on your values within your organization.
You can have that trust and influence by becoming an Anti-CISO.
The CISO
There's a view in the wider industry of what a CISO is: they're the person handling all the major security decisions. They formulate strategy, interface with the board, manage the budgets, and even fall on their sword when the worst happens.
These CISOs are heroes. They do an amazing job of their own creation, handling situations as best they can given the complex and difficult environments in which they operate.
However, it's been my observation that most CISOs have untapped potential and an opportunity to transform their approach, which will not just make their lives better but will also improve the security of their organizations in a way that doesn't rely on them to drive every decision and activity.
In many cases, these CISOs are the reason that security is not moving forward, because of the approach they take. Maybe you're one of them...?
In the eight years I worked at Microsoft as a consultant, I met hundreds of CISOs and spent time in their organisations, assessing their security practices and advising on how they could improve their approach. I saw the same pattern time and time again: overworked, burned-out CISOs doing their best to hold everything together and failing. My conclusion is that it is not sustainable. They need a different approach to success.
The CISOs that were succeeding were the ones not acting like traditional CISOs. Often, the true security influencers in organizations were the ones who didn't hold the CISO title.
Enter the Anti-CISO.
This is where I see myself, and it's an approach I think anyone can take, no matter what level you are within your organization. Whether you're entry-level or a high-flying executive, you can influence and shape your organization's security for the better, with or without the CISO title.
Okay, Philip, I hear you say, but so far this sounds a little wishy-washy, so how do you become an Anti-CISO?
My approach centres around six key areas that I have embraced. They form a major part of all the interactions I have with others and of how I approach all security decisions.
Autonomy
This is the most difficult and painful element of the Anti-CISO. It's also the most important. It's letting go. And if you can't do this, then the rest probably won't work for you.
Most security is centralised within organizations: one team, or a few teams, pulling all security decisions and all information in to a central point, and controlling all authorizations, requests and denials through a central decision queue. Sound familiar?
In the organizations that have this central queue, what happens is that everyone else avoids taking anything to the "Security" group unless they have to. They do everything in their power to sneak under the radar, using loopholes in policies and sometimes just being downright sneaky. But why?
Simply put, centralised security is generally slow and doesn't take into account the business context around the decisions being made. It has hard rules which it enforces with an iron fist, and the wider business (news flash) hates you for it. They don't trust you and they don't want to talk to you; you just get in their way and stop them being successful. So they avoid you, and the consequence is that they end up doing dangerous and unsafe things because they are actively alienating you.
So how does an Anti-CISO fix this?
You do the one thing you believe is the biggest most painful thing you can do. You let go of security.
Give the responsibility and autonomy on decision making to those closest to the problem, the people on the ground, the developers, the process owners, the technologists, the business.
What we've discovered is that the more you do this, the amount of security activity the organization is doing doesn't reduce; rather, it increases exponentially (I can't share numbers, but I have evidence to back this up). Security starts being done EVERYWHERE, not just on every second Wednesday afternoon when the security team gets together to do their prioritization meeting.
Not only does security activity increase, but the quality of the security decisions being made and the number of risks and threats being identified (and, more importantly, mitigated) also increase exponentially, and they're mitigated BEFORE they are exploited.
It's not enough to just throw your hands in the air and say "fine, you do it", you need to give the business the skills and knowledge they need to succeed.
- Teach and offer consultancy on an ongoing basis to everyone for security decision making and support others in their decision making.
- Provide clear guidance on what needs attention and what does not. A simple, easy-to-understand data handling guide can go a very long way here, as can a set of "criteria" that need to be met for self-determination and autonomous decision making. These can evolve as you start to be more comfortable letting go.
- Provide teams with the power to make decisions, with appropriate risk acceptance and escalation paths to help them.
Once you start doing this, you'll still want to make sure you have good governance and checks in place to ensure quality and standards are meeting the bar you've set. There's a wonderful mantra of "Trust but Verify"; stick to it. Trust your teams to do the right thing, and verify that they are through regular catch-ups: not reviews, not audits, but catch-ups. Ask how they're getting on, what troubles they've had, and where you can help.
We are there to help everyone be as secure and safe as they can be given the other business and environmental constraints they are working to, not to get in anyone's way.
Take yourself off as many critical paths as you can, become a trusted advisor, influence and encourage teams and groups to own their security, and don't let them offload security on to you.
Deliver on autonomy - it will be transformative for you and your organization.
Creativity
The second bravest aspect of being an Anti-CISO is embracing creativity when it comes to security.
In a world of Security Policies, Control Frameworks and Compliance, people often find themselves with their hands tied. They need to deliver on the security requirements handed down to them from on high, and they need to do it in a way that will pass scrutiny.
We often find ourselves falling into the trap of tried and tested approaches, regardless of the context we find ourselves in.
Security Requirement X = Control Y
This can often result in inappropriate security decisions being made, which create significant work for teams trying to implement their solutions and put significant hurdles in the way of them succeeding.
Amazon has a Leadership Principle of Invent and Simplify, and I love to apply it to Security problems.
Invent and Simplify
Leaders expect and require innovation and invention from their teams and always find ways to simplify. They are externally aware, look for new ideas from everywhere, and are not limited by "not invented here." As we do new things, we accept that we may be misunderstood for long periods of time.
Some of the best security measures and controls I have seen come not from security professionals, but from those working on the front line, those with intimate knowledge of their process and activities. They know what makes sense and what is stupid, and they know what changes they can make. Often they have a list ready to go, but no one is listening to them, and no one has listened to them for a long time; they've just had security policy and compliance frameworks quoted at them.
The next time you're in a position where you have security requirements or a control set, and you're working with a team, stop and try this.
Never tell teams what to do, or how to do it. Ask them "How could you make this safer?" or "If we needed to meet this goal, how could we do it with the least negative impact on the business?". Help guide discussions, ask questions, allow the conversations to develop until the team is inventing their security measures, "Have you considered X? What kind of difference might that make?".
And don't ask the manager, or the department designing it, ask the users, the operators, the people who will be impacted by the security decisions, and have them work with you to find the right answer. Connect with your end-users, harness their investment in their jobs, give them autonomy to influence the direction of security, engage with them on an ongoing basis, keep asking "How can we make this better and safer for you?".
Often the best and most impactful security controls aren't technical. They're small, almost invisible changes to the process, done by the people on the ground; they're things a traditional CISO or security team wouldn't even know about. Get out of your ivory tower and engage the creative juices of your organization. The real security solutions are all out there, just waiting for you to tap into them.
When people are engaged in their security decisions, they feel a part of the solution and have a vested interest in making it work, harness people's passion for their work, and channel it into security decision making.
Humour
Security is boring. And lots of us working in security are quite dull. That's the image we give people. We're the Security Droids there with a DENIED stamp in our Secure offices with "DO NOT ENTER - SECURE AREA" written on the outside.
And that makes us unapproachable. So the Anti-CISO has a different way of working: be funny.
One way to break down that barrier is by using humour, and especially by being self-deprecating.
- Be open and honest, don't hide behind secrecy.
- Smile, and look for solutions, not problems.
- Play on Security's reputation and people's fear of it.
- Encourage others to make jokes about security.
It has to be done carefully though. You hold a great deal of responsibility as security to help people do the right thing, so don't use humour everywhere; be selective. I've seen some people try to be funny and crash and burn disastrously. Your mileage may vary on this one, depending on your natural talents.
Try approaching things with the façade of traditional security, the stern, cold, robotic security personality: "The Security person in me wants to say DENIED and that we could never allow that..." then break it down: "... but the real me knows we can make some small tweaks and unblock you here. Let's look at the options, and I'd love to know what you think - I want to leave this meeting with you set up for success and saying APPROVED."
Become the Department of smiles and "YES". Not the Security Robots of Misery and Policy.
One thing I love to do is lurk on Chat Rooms on the Corporate instant messaging environment and then just add an "eyes" emoji to comments people make which might be security impacting. Just letting people know you're there, and that you care. This kicks off conversations and people taking ownership and responsibility for their security. They also remember you're there to help!
Leadership
I truly believe that leadership isn't a job title or a managerial position. It's how others perceive you, and whether they trust you enough to ask for and follow your guidance.
We as security professionals have a responsibility to give people a safe environment in which to operate. It's something many CISOs seem to forget: they get so focused on metrics which have no impact on the safety of their customers or their users that they forget about keeping their staff safe.
To that end, I also believe there is no such thing as human error (and I'll write extensively on this elsewhere in the future), we as security either set up our people for success, or for failure, and that is our choice.
There are contributing factors to every security issue, which you can help people explore, but it's rarely people or human error unless it's malicious, and in most cases it never is.
So how do you lead as an Anti-CISO?
- STOP blaming people, start blaming environments (and fixing them).
- Listen to the people closest to the actual work internally, and to your customers' experiences. (Shadow people; see how they work every day.)
- If you don't need access to something, have it revoked.
- If you don't need to be in the way or on the critical path of something, get off it.
- If you can give others ownership and autonomy over decisions related to them, do so.
- If you can teach new skills and knowledge, give it away freely and regularly.
And the most important, if you can make yourself redundant - do it. Pass on all your skills and empower and enable others to do what you do. That's a true success as an Anti-CISO.
Recognition
If you work in a centralised security function, you probably spend most of your days complaining about how others aren't doing what they're supposed to: they clicked that phishing link - again (incidentally, I think phishing tests are MADNESS - but that's for another post), they attached that file and sent it to the wrong person, they left their laptop on the train! Oh my. How miserable.
All we seem to recognize are failures. But that's not the way of the Anti-CISO.
Along with autonomy, creativity and leadership comes recognition. You need to consistently recognise people for their security efforts when you give them the ability to control their destiny.
Call out others for their work, no matter how small a step they're making on their security journey. This encourages more security work and better security work, where it matters, on the ground where it can make the most difference.
Tip: When someone you're working with makes you smile because of their security work, drop a quick two-line e-mail to their manager and their manager's manager calling out their great work and the positive impact it's having, and add them on BCC so they can see what you've said. Trust me, management love success stories about their people - it reflects on their great leadership too.
This is the EASIEST of the Anti-CISO ways to pick up and follow, start today. Take 2 minutes right now and think back over the last week - who did something good for security (not in the security team), drop a quick note to their management and thank them for supporting their staff in making the company a safer place. (Then come back and finish reading the last Anti-CISO way of working).
Success
Recognize your successes, don't allow security to be measured by its failures.
All too often, we're reporting on security problems, not on security successes, it's hard to say "We stopped 100 attacks" or "We prevented 2 insider threats", but it's very easy to say "We helped 10 teams take control of their security destiny" and "We have seen increased security activity across this entire department".
Your success comes from others' security success, and the only way you can achieve that is by letting go of security and putting it where it can make the most impact: with the people doing the work, day in, day out.
Celebrate security successes wherever you see them. Smile, enjoy what you do, be happy in your career and your role, embrace the challenges and turn them into huge successes, for yourself, your team and your organization.
Summary
The cold hard truth is that if you want security to get better, stop hoarding decision making and responsibility like a dragon sitting on a pile of gold coins and treasure. Let others in, and trust them to have their, and our, best interests at heart.
Cyber Security Architect | CDAP Digital Transformation Advisor
4 years ago: Great article Philip Winstanley. I share your philosophy of taking ownership of the problem, but allowing your team to solve the problems once they have your intent. As for a sense of humour - never leave home without it!
Helping secure health services at Children's Health Ireland - keen to connect with colleagues in similar roles.
4 years ago: I worked with someone who lived all of these habits. He was a humble guy, honest with all, who ended up solving really big problems fairly quickly. Great post!
Senior Cyber Security Consultant at Bridewell
4 years ago: Great post Philip, thanks for sharing! I think that's a brilliant approach and something you don't traditionally find in Cybersecurity!