[BreachExchange] CISO - Don't Take it Personally But Make it Personal

Destry Winant destry at riskbasedsecurity.com
Mon Dec 30 10:15:14 EST 2019


Over the course of my career in cybersecurity, I have come to the
realization that in order to become a good CISO who successfully
manages to direct the cybersecurity maturity of the organization to
continuous growth, you need a lot more than technical knowledge and
the ability to design roadmaps and execute projects.

It is a rare reality that an organization has reached a near-perfect
cybersecurity posture and all that remains for the CISO is reaping the
fruits and fine-tuning some security control or policy.

Usually, at least in my experience (maybe I was just lucky), you
join/consult a company, perform a risk assessment and come to the
conclusion that it does not match your vision of the required
cybersecurity posture.

Designing and presenting a long-term cybersecurity maturity roadmap to
the board or upper management is usually met with goodwill and
acceptance, especially when you don’t have to drill down to the
technical level.

It is when you are moving over to the deployment phase that things
start to get a little complicated. When milestones turn into technical
tasks and people start to realize that things are going to change,
from their perspective, for the worse, you turn into “public enemy
No. 1”.

Suddenly all sorts of obstacles arise, such as: “it will impede
production”, “the policy will increase working time”, “it needs to be
re-designed”, and pretty quickly the remarks turn personal and
unprofessional. At times like these you, as a CISO, have to embrace an
egoless attitude and avoid taking it personally; try to look at things
from the other’s perspective and ignore implied insults.

Judge the complaints about your security plan with as much objectivity
as you can, and understand that they are motivated by fear and
uncertainty as to the implications of the new security plan, such as:
extra work, criticism over slow progress, system crashes due to new
controls and

Embrace the patience of a Buddhist monk and hot spirits will calm.
Never act as if you know best. Don’t repeat technical arguments that
describe the process, and don’t counteract opposition with seemingly
superior logic; for most people the reaction to new security is more
emotionally based, and things will quickly escalate if they feel you
reject their uncertainties with a know-it-all attitude.

Take into account that compromises go a long way in trust building and
help create a win-win situation. You might lose a battle today by
agreeing to let go of a certain control you deem important, but you
will establish a long-term relationship that will enable you to put
other security processes in place without objections.

Try to think creatively and suggest other solutions that offer lesser
yet achievable security. More importantly, you will be thought of as an
approachable and pragmatic solution provider.

Much the same as in most things in life, preempting is better than
preventing. To significantly lower those objections and/or to be able
to resolve those kinds of heated arguments quickly, I have adopted a
technique that works for me most of the time.

I have found that when you invest in personal relationships in your
day-to-day dealings, and cultivate trust and friendship with the teams
who will have to implement your directives (truth be told, I try to
make it happen with everyone in my day-to-day working relationships),
people will be less prone to fear the implications of the suggested
security plan. Once you have established a personal relationship, they
will trust you to take care of their interests (don’t abuse that
trust!).

Disclaimer: you can’t make everyone your friend. A small percentage of
people will resist no matter how hard you try to come up with
alternative solutions. They will always struggle and object to changes,
especially when it creates potential risks to their operability.

In those cases, once you have exhausted all your goodwill efforts,
tough measures must be taken. Go to management and demand a business
decision and pronouncement. Even if things go your way, don’t gloat;
try to be sympathetic to the objecting party and offer alternative
solutions that might go down smoother. Be the first to offer the olive
branch; you’ll probably need their cooperation later, so get them on
your side as soon as possible.

I know, my way might seem the long way, with a lot of effort; well,
nobody said being a CISO is easy! Surprisingly, though, in the long
run, I have found this to be far more effective and a much more
enjoyable working experience.
