[BreachExchange] Hack like a CISO

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 19 19:00:58 EDT 2018


https://www.csoonline.com/article/3291280/leadership-
management/hack-like-a-ciso.html

I have written several times over the last couple of years about how the
role of today’s CISOs have changed and are now more tuned to support
business activities and the management of enterprise risk. Serving an
organization as their most senior security executive requires one to be
creative and flexible on how to approach issues. Part of this creativity
that many CISOs develop over time is specific processes or “hacks” that
they have found useful to grow their security programs and use resources
efficiently.

A hack has multiple definitions; it can be defined as a piece of computer
code providing a quick or inelegant technique to solve a particular
problem. It also can be what I believe is a more appropriate definition for
CISOs – a process, strategy or technique for managing one’s time,
resources, teams or program more efficiently.

As a CISO for different organizations over the last ten years, I have
developed hacks on how I approach my role, develop my security program,
manage my security teams and protect my organization. I developed each of
the following hacks through trial and error; I never got it right the first
time. As an executive, you have to be comfortable with failure, so you can
learn from it and succeed the next time. I hope you find these hacks useful
and they provide some benefit to you and your organization.

Hack no. 1: Interview team members and document services

One of the first things I recommend as a new CISO is to spend time with
your new team, and document exactly what processes they are doing that
benefit the company. I view my cybersecurity program as a service-oriented
department, so I first document all of the services that we provide – this
should be more than just answering trouble calls. With this list of
services, I then begin to map out the security technologies and the
required technical skills and soft skills to support this portfolio of
services. Once this is done, I now have a good map of my current “security
stack,” and I have a list of technical and soft skills that are required
for my security program.

With this type of information, I can now ask my HR department to update the
job descriptions of my current staff, and if we are recruiting, I can make
sure we recruit for the current skills my team requires. I can also use
this information to review my security stack and highlight technologies
that may be end of life and require replacement or need upgrading. Finally,
the last thing I can use this hack for is to create a training matrix to
list all of my team members and assess them to the identified technical and
soft skills we require. This also allows me to develop an individual career
training program designed for each of my staff members. I have found doing
this last training hack results in more well-rounded team members, who are
energized to work as part of your team due to this investment in them as a
person.

Hack no. 2: Request a list of all contracts your department is responsible
for and those that renew soon

I have found requesting a copy of all contracts your department is
currently assigned will provide you, as the CISO, long hours of reading but
good insight into your new programs responsibilities to its partners and
third-party vendors. As you read, be sure to document the SLAs that measure
how your vendors are delivering service and also document your
responsibilities to them. Use this information to create a timeline of
which services and technologies will need to be renewed within the next six
to 12 months and schedule them for review. This is where having the
security stack information from the first hack becomes useful, because it
will help you when assessing what technologies or services to keep, which
ones to upgrade and finally which ones will need to be replaced.

I have also used this hack to negotiate better terms on renewing a
contract. When you have insight into the technologies and services your
team requires, you can develop a list of alternatives. With this list, you
are better prepared to renegotiate any upcoming renewals, and be prepared
to cut a vendor loose if they refuse to work with you. What is important is
protecting your business and if you have established a working relationship
with the vendor, they should understand your priorities and work with you
to an effective compromise.

Hack no. 3: Inventory provides the visibility you need as a CISO to survive

This hack should be a CISO mandate; it is intertwined into many of the
processes an effective CISO and security program will need to be
successful. I first start this hack by collecting copies of current network
maps, security diagrams, data flows, security contracts, budgets, and
previous assessments. I also will review current security projects that are
underway and will review their documentation. All of this information I
will collect and put into a CISO runbook, which is a current state view of
my organization and where my program and role fits into its business
operations.

The data collected in this hack will feed into almost everything you do as
a CISO. Just understand it will take time to collect the information, you
will need to keep it updated and as it is sensitive information, you will
need to protect it continually. One last thought before we move on: This
information helps the CISO understand how the organization is using its
networks for business and provides context into how security is currently
supporting these operations. With this current state view, as CISO, you can
now adjust security to your view on managing risk and continue to mature
your security program with a better frame of reference on how you want to
support the company.

Hack no. 4: Conduct my own internal risk assessment

I typically do this after I have completed my inventory hack. Even if a
third-party assessment were done recently, I would still do my own internal
risk assessment. I do this so I can meet the various stakeholders in the
organization and better understand how the networks, applications and
business data are used by them to support the business. When starting an
assessment, I will use the CIS 20 as the initial assessment framework to
review my organization’s maturity with regards to its security controls and
managing risk. If at the end of the assessment my company scores a 70
percent or better, I will drop using the CIS 20 and transfer the results to
either the NIST Cybersecurity Framework or ISO 27001 framework. The reason
is if my company scores over a 70 percent completion, they are at a high
enough maturity level to use a more in-depth compliance framework to manage
risk.

Once I have transferred the CIS 20 data to either NIST or ISO, I will
continue to document any shortcoming and compare the results to the recent
third-party audit. With both results, I verify if anything was missed,
review the current budget to see if it was addressing any of the identified
issues and tailor a strategic plan to mitigate any gaps. As a new CISO,
remember this process takes time; you will reach across numerous
departments and business units for information, so be patient and get to
know your stakeholders because they will become the customers and champions
of your security program if treated with respect.

Hack no. 5: Your security teams are your best asset; it’s all about
customer service

Cybersecurity does not provide revenue to an organization, but it does
provide a valuable service – continuous risk management. I have found as
the CISO you will need to organize your teams around a help desk or subject
matter expert (SME) framework to provide quality customer service. When I
approach this challenge, I use data from the first hack I collected on the
security technologies that are used by my teams to support my organization.
I review these technologies and identify an SME and alternate SME for each
technology. Each team member will be assigned as an SME to an equivalent
number of technologies. Once this is established, I then create a watch
rotation where a team member will be assigned as the queue manager for the
week. They will handle trouble tickets that come in and if there are ones
for a specific security technology or service, those tickets can be quickly
routed to a specific SME team member for resolution.

I have used this methodology so that every team member will spend a week at
a time working with customers. Without these customers, there wouldn’t be a
security program, so it is crucial for my teams to understand how to
support our employees, assist with projects and respond to their requests
promptly. This help desk/SME rotation can also be used to help facilitate
the types of training your staff will need, and it helps with assigning the
SMEs to create runbooks for their assigned technologies. These runbooks
become critical assets when your program matures, and you look to implement
orchestration or automation.

Conclusion

This is only a small subset of hacks I have developed as a CISO building
security programs. As a servant leader, I feel it is imperative to share
these types of hacks for the improvement of our community and to help train
new CISOs as they build their first security programs. Cybersecurity is not
meant to be implemented and managed in secret; I believe our community
matures when CISOs collaborate and assist each other.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180719/748808b7/attachment.html>


More information about the BreachExchange mailing list