[BreachExchange] Hacking It as a CISO: Advice for Security Leadership

Destry Winant destry at riskbasedsecurity.com
Wed Aug 12 10:22:07 EDT 2020


https://www.darkreading.com/risk/hacking-it-as-a-ciso-advice-for-security-leadership/d/d-id/1338626

A security leader shares tips for adopting a CISO mindset, creating
risk management strategies, and "selling infosec" to IT and
executives.

Modern security leaders find themselves at the crossroads between
business and technology, selling the importance of security to all
levels of an organization while helping them maintain efficiency,
create a risk management strategy, and prepare for the inevitability
of a cyberattack.

This idea of "selling information security" is the area where security
leaders struggle most, said Peter Keenan, CISO of a financial services
company, in a DEF CON talk. As security practitioners transition from
roles as technical analysts or engineers into leadership positions,
they learn the challenge of driving security through a business
without control over employees' performance.

Information security at its core is "influence without authority," he
said, and it's more involved than convincing executives to invest in
new technologies. Security leadership may feel like a lot of top-down
selling, convincing the board and CEO that you're doing well, but
leadership also means conveying the importance of security to people
across all levels of the business.

"If you actually want to fix security at an organization, you have to
sell it from the bottom up," Keenan said. "It's the people on the
ground, the people at eye level who are actually doing the things that
will make you more or less secure, and you have to convince them that
this is the right thing to do, and these are the changes they need to
make in their processes to be better."

This requires a different strategy depending on who the CISO is
talking to. Consider IT: You may think tech folks all have a similar
mindset, he said, but selling security to IT can be a challenge.

IT's goal is getting information to as many people as possible, as
quickly and reliably as possible. Their concerns are cost, features,
and uptime. Security isn't among their main goals — it's adjacent to
their goals, and infosec has to convince IT how security can be
helpful.

Because people respond better to a story than to data, Keenan
suggested a penetration test. Show someone walking through the
environment; demonstrate how they could be targeted. This could help
in addressing the optimism bias, or the tendency people have to
believe they're less likely to experience a negative event. Nobody
thinks they'll be next to get hacked.

"If you demonstrate clearly [that] they are capable of making
mistakes, they'll be angry at first, but generally if they're
professionals, they'll get over it and want it to be better," he
explained. CISOs don't want to bring IT concerns to audit or
management unless they absolutely have to.

Selling security to the board is different. Most board members are
focused on security now; they know it's a risk and they want the CISO
to know they care. A key thing to remember here is few of them have
technical or cybersecurity backgrounds. In preparation for board
meetings, he advised readying answers for four questions they're
likely to ask:

1. Are we compromised right now? Answer with a high, medium, or low
   likelihood — be humble — along with why you think this.
2. How vulnerable are we to compromise? Explain details like who might
   attack you, what might they target, how they'd get in, and what you've
   done to counter that.
3. How are we proactively addressing the next generation of security
   threats? Here, elaborate on budget, organization influence, and team
   size.
4. What is our plan if we get compromised? Review the incident response
   and cyber-crisis communications plan.

Risky Business: Speaking Executives' Language

An area where security leaders can find middle ground, and a key
differentiator between sole contributors and leaders in cybersecurity,
is risk.

"Business leaders understand it," Keenan said. "They may not
understand your specific technical domain, and they may not understand
what a router or a switch is, but they understand the language of
risk."

Keenan outlined several terms security leaders should understand
before risk conversations. Risk reduction — or ensuring systems are
patched and users trained — is one. There's always a chance a patch
didn't work or a user didn't reboot after it was applied, but the
overall risk will be lower. He spoke to risk acceptance, a concept
technical pros struggle with. If there's a 10% chance a website will
get hacked, but it'll only be up 30 days, the business may decide to
risk it.

"It makes our heads explode, but absolutely, that's their call," he
added. The CISO's job is to identify, quantify, and report a risk;
it's the CEO's job to accept it.

Security leaders must understand risk appetite, or the amount of risk
a business is willing to take on. Everyone has a different tolerance
level: Financial services is usually more risk-averse; tech firms and
startups are more risk-favorable and take chances. There is no numeric
value here, he said, and most people will have a different definition
for it. A CISO will have to chat with a lot of people, learn their
risk appetite, and communicate it back to senior leadership.

Because everyone has a different view of risk, the CISO has to
consolidate their viewpoints into a calculable risk level — whether
someone is low, medium, or high risk. It helps to create a lexicon
that brings everyone onto the same page and builds a common
understanding of risk; if an incident occurs, having this framework
will get everyone on the same level.

An effective way to mitigate risk is to build a team to help you
manage it. Keenan advised his audience to build a diverse team with a
range of backgrounds and experiences. "The more viewpoints you have on
your team, the better you're going to be," he said. In order to
effectively manage risk, the CISO and their team must understand it
from every angle.

These perspectives can inform the company's cyber-risk profile, which
should include the likelihood of getting attacked, frequency of
security incidents, who may target you, and the impact of a potential
incident. This profile should also include external viewpoints from
peers and law enforcement, and it should be updated over time as
processes are adjusted.

Businesses are in a race with today's cybercriminals, Keenan
emphasized, and their strategy should plan for continuously investing
more in security training and awareness. Security hygiene should be a
top priority in protecting the business, from patching critical
vulnerabilities to ensuring frequent backups and phishing tests, to
protect from likely types of attacks. People talk a lot about advanced
persistent threats and sophisticated threats, but most don't need to
worry about them.

"Chances are, you're going to get owned by a mediocre ransomware crew," he said.
