[BreachExchange] CISOs: What would you do over?

Destry Winant destry at riskbasedsecurity.com
Wed May 22 10:04:41 EDT 2019


https://www.helpnetsecurity.com/2019/05/16/ciso-do-over/

Just after the new year I was catching up with a CISO over lunch in
Pike Place Market in Seattle. We were reminiscing about how tough it
is to get a security program up and running in the beginning. Pausing
to dip his taco in the excellent house salsa, he commented, “Y’know,
if I had to do it all over again…” and he proceeded to tell me a
story. My brain twitched with possibilities—here was a great question
to ask CISOs and share with the community.

Over the months, I spoke to a dozen different CISOs and began
publishing the most interesting quotes on F5 Labs. This prompted more
security leaders to come forward and share their past failures and
lessons learned. All had at least a decade of experience in both
management and security, but there was no particular industry,
background, or specialty represented. Still, the lessons began to line
up along some basic themes.

The first theme CISOs talked about was regretting they hadn’t built a
strategic plan for their new security programs early on. They noted
that they could have saved themselves a lot of extra work and gone a
lot faster if they had spent the time to flesh out a roadmap. Without
a plan from the beginning, security programs devolved into a jumbled
patchwork of security controls and duplicated efforts. It’s easy to
say you’ll have a plan, but a lot of companies, especially tech
companies, move pretty fast and it’s easy to get lost in compliance
requirements, security frameworks, and technology stacks. This is why
they stressed keeping the plan simple but focused on the business
goals.

Along these lines, many expressed that being a CISO involved lots of
project management, mostly around making sure controls are fully
rolled out to mitigate risks and ensure compliance. Like a lot of
things in security, the economics always win. So, resources need to be
managed, which means keeping an eye on cost estimates, deadlines, and
bureaucratic slowdowns. If you’re in over your head, a security leader
shouldn’t hesitate to get help, either from inside or outside the
organization.

Building a security program is like growing a garden, one CISO
stressed. It takes time and daily commitment to nurture what you’ve
sown. Security controls don’t live in a single point in time, they
have a lifecycle that needs to be managed from inception, to
integration, to upgrade. Quite a few CISOs regretted the stress they
inflicted on themselves by being too impatient or taking on too much
at once. Move at the pace of the organization, they stressed, and keep
improving every day.

When it comes to rolling out their programs, many interviewed CISOs
kicked themselves for not understanding the human factor early enough
in their careers. As they say, culture eats strategy for breakfast,
and that includes security strategy. Quite a few CISOs said if they
could do things over, they’d spend more time studying politics and
organizational influence techniques. Nowhere was this more emphasized
than when working with senior executives. A common flub for CISOs was
to be too technical and not business focused enough when talking to
the higher-ups.

Another big theme was lamenting not double-checking assumptions or
what they were told. Many CISOs fell into the gap between what was
reported and what was actually happening. System and data inventories
were revealed to be incomplete, defenses that everyone assumed were
deployed turned out to be half-configured, and logging was not set up
for key operations.

Time and again, CISOs learned the hard way that you can’t fix what you
don’t know about. The CISOs warned that people will often tell you
what they think you want to hear, not the truth, especially if you’re
in management. Don’t assume, check to make sure you know the ground
truth as soon as possible.

Speaking of understanding what’s going on, the blind spot for many
CISOs was looking beyond IT security. Many CISOs got their start in
technology, so they naturally forgot there’s a physical world out
there. Physical security and disaster recovery are two big physical
threats that CISOs ended up playing catch-up on. And like the previous
areas of security, this was also one area where CISOs
coulda-woulda-shoulda asked for help but didn’t.

Overall, it was a great exercise to talk to CISOs about what they
would do over. Stories continue to come in. Maybe this is a worthwhile
question to ask yourself, and maybe you’d like to share it with me and
pass on what you’ve learned as well.

