[BreachExchange] Top 5 First Strategic Steps for a New CISO
Destry Winant
destry at riskbasedsecurity.com
Fri May 1 10:22:17 EDT 2020
https://securityboulevard.com/2020/05/top-5-first-strategic-steps-for-a-new-ciso/
A CISO starts a new role every 17 months. Each time, the CISO must get
strategic and tactical bearings on the new role, the company and its
security program and, more importantly, build credibility with the
board and C-suite. This article focuses on the strategic priorities
that lay a strong foundation for success.
Understand the Business
The CISO’s job is to understand the business and its crown jewel
assets: how it generates revenue, what gives it a competitive
advantage, how it makes and keeps customers happy, and how it keeps
control of its operations and regulatory commitments. These are
central to the security strategy. A CISO who doesn’t align protection
goals and security strategy to them will have a very challenging time
relating to and influencing the board. The security story should start
with protecting these assets, beginning with the most basic controls
and ratcheting up security capability to protect against progressively
more capable threats. Since each step up in protection costs more, the
CISO can pitch cost-calibrated, justifiable budget options to
executives. That, in turn, lets executives choose a risk appetite, and
lets the CISO get on with building toward an executive-chosen and
executive-funded protection outcome. An excellent source for initial
crown jewel discovery is the annual reports of the company and its
competitors; internet research often turns up analyst and investor
reports as well. This is the foundation of the protection strategy: it
defines what we prioritize protecting when we apply security controls.
Know Your Stakeholders
A CISO has numerous stakeholders, from the board and executives to
operations and customers. To be successful, a CISO must align their
protection goals and strategy to solve their stakeholders’ challenges,
or at least not make those stakeholders’ objectives more expensive or
harder to achieve. Once you have a good understanding of the business
from initial discovery, it’s time to engage stakeholders. A bottom-up
approach is strong because it gives you granular knowledge that
becomes more valuable as you later engage more senior stakeholders; it
makes clear that you have done your homework and can be a good
partner. First, understand the challenges from the perspective of
risk, compliance, audit and business continuity. Then engage IT, HR,
Finance and Facilities, and then Legal and the executives. Link these
perspectives into the crown jewel model of the organization. This way,
you can develop a top-level crown jewel protection strategy for the
board and executives, interlinked with the challenges and concerns of
the operational stakeholders. Next, we’ll want to link this to our
opportunities to apply security controls and gain protection.
Know the History of Your Role and Associated Roles
Engage your predecessor (if possible) or ask HR about your predecessor
and their challenges. In addition, ask your team and, most
importantly, ask your stakeholders. Without injecting your own
opinions or making the inquiry too obvious, you want to discover what
was perceived as positive and negative, as a success or failure, and
what the key challenges and opportunities were. What can we learn and
leverage to make the best outcomes possible? You want your
stakeholders to know that you want to understand their needs, that you
intend to focus on helping solve their challenges, and that you will
not be an obstruction. You want to show that you understand, care and
can be pragmatically engaged at any time to solve business problems,
and that you will do so in a way that doesn’t disrupt business
outcomes, operations or personal agendas. In fact, you want to be
perceived as an advantage to them in achieving their business and
personal objectives.
Know Your Working and Total Budget
Security budgets are very often nebulous. It’s not clear what the
current working budget is, what is tied up and what can be repurposed.
And that’s just the tip of the iceberg; what often goes undiscovered
is the part of the iceberg below the waterline: the historic “run” or
operational budget, the rolling snowball that accumulates year over
year. You want to get a handle on that. It’s not easy at first glance,
but there are a few approaches you can take to at least sketch it out.
Approach the lead for each control and have them approximate how much
human, technology, vendor and peripheral (e.g. travel, pizza parties)
time is spent and what it costs. As they typically won’t know
precisely, ask them for a floor and a ceiling number. Aggregating
these gives you an estimate of total security costs. A chunk of this
spend may be wasteful, perhaps a big slice of it, and you’ll want to
include it in your larger budget plan as spend that can potentially be
repurposed. You want to show that you don’t just want more money; you
want to take control of all security investments, easily visible or
not. You can run security on a zero-based budget and justify every bit
of it.
Know Your Commitments and Requirements
Your security plan is going to include what you want to do as well as
what you have to do. These aren’t always the same thing. But if we can
strongly link the two, particularly in spending and resource
utilization, then we can show shrewd use of investment and resources,
a sort of 1+1=3. Commonly, there will be security framework or
regulatory commitments. Even though these are often more of a
distraction from delivering actual protection of business assets, the
CISO is still accountable for delivering the security tasks necessary
to achieve them. Let’s call this the compliance strategy. Previously
we introduced the protection strategy. It benefits everyone to link
the protection strategy and the compliance strategy strongly into a
single security strategy. That is, the CISO is going to pitch, and
leverage, investment to achieve quantifiable levels of protection of
crown jewels against given levels of threat capability. Further, the
CISO is going to pitch, and leverage, investment to achieve framework
and regulatory commitments. Collectively, this can be blended into a
unified security budget that achieves both, eliminates duplication of
effort and maximizes economies of scale.
First Steps for a CISO
By pulling these strategic dimensions together, the CISO can
socialize, justify and defend a robust security strategy that solves
board-level problems, gains and maintains the support of key business
stakeholders, and achieves results cost-effectively. This is the
foundation of the modern CISO.