[BreachExchange] The best CISOs think like Batman, not Superman

Destry Winant destry at riskbasedsecurity.com
Wed May 12 10:35:58 EDT 2021


https://www.helpnetsecurity.com/2021/05/11/best-cisos/

Many CISOs see themselves as Superman — soaring overhead, cape fluttering,
and ready to swoop in and save the day at a moment’s notice if a crisis
arises. There have been entire summits and award ceremonies based around
the idea of CISOs as superheroes, and there’s even a web tool that will let
you figure out your own “security superhero” alter ego.

But the best CISOs aren’t superheroes — or at least, not superheroes cut
from the same cloth as the Man of Steel. The reality is that problems
quickly emerge if a security chief believes their job is to be a
universally beloved hero, basking in the gratitude and admiration of those
they protect.

When you see yourself through that lens, it’s far too easy to start making
decisions that please people in the short term and failing to make the
tougher decisions needed to keep them safe over the long haul.

As any CISO knows, cybersecurity is a tough job that seldom earns much in
the way of thanks or recognition. In fact, the most successful CISOs are
often required to act in ways that make them deeply unpopular. To do the
job right, in other words, you need to make your peace with being an
anti-hero — and that means learning to think less like Superman, and more
like Batman.

Think like the Caped Crusader
Why should CISOs learn to think like Batman? For starters, Batman knows
that fighting crime isn’t a popularity contest and doesn’t expect thanks
from the people he’s trying to protect. In the same way, CISOs should
accept that if they’re popular, they’re probably doing their job wrong.

People should feel a bit of angst when the CISO’s shadow falls over their
desk — because the CISO should be prodding them to make uncomfortable
decisions, badgering them to do better, and preventing them from settling
into complacency. Your role isn’t to keep people happy — it’s to keep them
safe, despite the groaning and muttering your efforts inspire.

Batman also knows that you can’t fight crime by basking in the sunshine.
Instead, you’ve got to know the city’s underbelly and fight crooks and
gangsters on their own turf. In just the same way, CISOs need to live with
a foot in the underworld. It’s only by understanding the way that hackers
think and operate that you can hope to keep your organization safe, and
that means knowing your way around the murkier corners of the dark web and
spending plenty of time tracking the scripts, strategies, and other dirty
tricks being shared by the black-hat crowd. Superman might be able to do
his job by soaring over the metropolis, but CISOs need to get down in the
gutter to beat cybercriminals.

Superman’s clean-cut approach to fighting crime also contrasts with
Batman’s grimmer and grubbier way of getting the job done. Superman is
idealistic and trusting; Batman is a realist with a healthy dose of
paranoia. In the same way, CISOs need to see most people, processes, and
technologies as potential sources of risk. Instead of looking for the best
in people, they need to assume the worst, so they can be prepared to
counter vulnerabilities and respond to security breaches swiftly when they
occur.

Finally, it’s worth remembering that Superman was born with incredible
strength, X-ray vision, and other spectacular superpowers that let him
defeat almost any enemy without breaking a sweat. By contrast, Batman must
take on villains with just his own cunning and a Batcave full of innovative
gadgets.

In the same way, CISOs can’t assume they’ll automatically be able to defeat
any threats. It takes real work and preparation to beat cybercrime, and
CISOs need to stay on top of all the latest cybersecurity innovations to
make sure they’ve got the right tools on their utility belts.

Be an anti-hero, but not a villain
What does all this mean in practice? Well, it means that as a CISO, you
need to get used to the idea that people won’t typically cheer when you
walk in the door each morning. In fact, you may well get a few dirty looks
when you arrive, especially if you’ve just shot down a project that would
have introduced a critical vulnerability or rolled out new security
measures that complicate people’s workflows or require them to learn new
habits. That’s regrettable, but it’s also a sign that you’re doing your job
well.

There’s a fine line, of course, between being an anti-hero and being a
villain. CISOs should recognize that their duties make them unpopular, and
that many of the security measures they introduce risk making people’s
lives more complicated. But they should stop short of reveling in making
people miserable.

Batman might bloody a few noses to keep Gotham safe, but he lives by a code
that ensures he never puts civilians in danger. And precisely because
they’re taking unpopular measures, CISOs have a responsibility to explain
the need for the policies they introduce, and to ensure their actions are
always proportionate to the threats they’re trying to counter.

The bottom line: CISOs are superheroes. But they can’t expect acclaim or
gratitude. Their job is a thankless one that requires them to protect their
organization without much recognition, using guile and technological
know-how to plug vulnerabilities that others miss or to prevent looming
crises that others fail to spot or refuse to acknowledge. Like the Dark
Knight watching over an ungrateful Gotham, CISOs won’t win any medals for
their efforts — but they’re the heroes we need during these turbulent times.