“Fire the CISO!” a 15-year veteran board member barked.
Wait, what? Okay, before you get too worked up, my name is Masako and I am in (gasp) Sales. Trust me…or not. It’s okay, I’m here to help. Maybe you’ve heard this all before, but this is my perspective based on my experience over the past 14 years working with CISOs.
Recently, I was helping mediate a cyber incident tabletop exercise at a banking-focused leadership event. We were at a point in the exercise where a hypothetical breach had become significantly widespread. To make matters worse, word had gotten to a well-known security reporter. It was just an exercise, but participants were taking it very seriously. With only three truly IT- or Infosec-focused individuals versus the 40+ management and board members, the room was getting heated and a bit uncomfortable. Mob mentality was creeping in and the room was vehemently agreeing with the board member. Was this learning exercise’s sole takeaway going to be “blame the CISO?”
I nervously blurted out, “What if your CISO had the answer to catching or stopping this particular breach?” I paused and glanced around at the stern faces. Then I dropped the other shoe. “But, as the Board, you were the ones that ultimately made the decision to deny the budget for it?”
Silence.
Luckily, before I got too red from the attention, someone said, “You are right.” And just like that, they all started working in their groups to talk about solutions.
Obviously, situations are not that easy in the real world, where CISOs can easily become the scapegoat for security incidents. There is a lot more on the line than making sure you don’t start any fights in a fictional tabletop exercise.
As a salesperson, I have a lot of empathy for CISOs. A lot of responsibility is put squarely on their shoulders, and they often get little support. Not only that, they are getting bombarded by all the security vendors to check out their shiny new products. On one hand, some CISOs act like scary know-it-alls. But most of the time, I’ve found, they are open to conversation and collaboration.
CISOs Don’t (and Shouldn’t!) Have to Go at It Alone
There are a lot of articles that proclaim: “CISOs should be more engaging, better groomed…blah blah, blah.” Some of that may be sound advice, but managing cybersecurity and protecting the business should be a team effort. The business should include CISOs in the planning of business goals and build security in from the start. It should not just be a line item in the strategic plan.
My perspective comes from looking from the outside in. Sometimes it comes from working as a true partner. But in both cases, I’ve observed successes and struggles in implementing new security platforms and measures.
Where I Have Seen Struggle
Expecting people to speak cybersecurity. Even just the word “cyber” is enough to glaze the eyes of executive teams. It is important to understand organizational goals and how security can enable or protect them accordingly.
Working in a vacuum. Does this get anyone anywhere in life? No. So, why should we expect it to with security? Security-related projects continue to take a larger piece of the budget pie. I’ve sold solutions that could have solved a lot of challenges for risk and compliance, as well. However, the security team either didn’t want me to talk to those teams or felt their involvement would complicate the issue. Subsequently, the deal either died or budget was delayed.
Inefficient business process activity. I’ve seen security teams bring on a vendor they didn’t particularly care about for a critical control because they wrote up an “unbiased” matrix to meet a three-vendor minimum and didn’t clearly articulate value or map back to company improvement. Then, this same team laments getting stuck with the cheapest solution. If you are only concerned about checking the boxes to fulfill your RFP and not considering the true requirements of your organization, how can others?
Whining or sensationalizing a breach/incident. In the same manner that you hate when vendors come calling after a major breach in the news (“If you had our solution, you would have been protected.”), don’t expect that tactic will work for you. By all means, use relevant news to tie needs to business goals. Utilize lessons learned from those incidents to further your case for budget. Also, think about how you can lean on your trusted advisors to understand the general threat landscape versus clinging on to the sensational news. Work with them to build requirements for a specific security purchase.
Purchasing the shiny tool. I’ve seen many purchases spurred on by a regulated finding or because all your competitors or peers are buying it. Are you currently focusing on the basics like patch management and regular vulnerability reviews? I’ve had moments where I’ve told a client not to purchase a SIEM from me because they didn’t have basics in place yet. Instead, I helped them tighten other controls, justify the risk, and create a budget plan for the following year. Yes, it was a blow to my earnings, but the guilt of selling something not useful or relevant is something that cripples me. Find yourself a salesperson you can trust who looks out for your interests, as well.
Where I Have Seen Success
Coupling security initiatives with business goals. This is not about having security as a generic item in the list of strategic goals but having security consistently incorporated into business initiatives. I could write a whole separate article or five-hundred about this, but here are a few ideas:
Think in terms of business risk. The most impressive security teams I’ve had the pleasure of working with found a way to effectively integrate the security story with the business story. This drives questions like, “How does this protect our organization?” “Why are we doing this?” “What is the risk to our organization if we don’t move forward?”
Speak about impacts in costs, not only about the cost to implement/purchase but the cost of doing nothing. Areas to consider:
- Dollar value of time saved
- Dollars spent on breaches
- Costs based on downtime
- Costs for fines, fees
Keep your message simple, prioritized, and consistent. Often, quarterly board meetings with a list of items aren’t going to cut it. Just as this one article is not going to change the course of your life, maybe because this is the eighteenth time you’ve heard that you should include more than just security or IT in your conversation, you finally do!
Actively engage with C-level executives (and the Board, as necessary) and arm them so they are able to answer basic questions about what is being done, why, and the significance and risks of doing (or not doing) certain security projects.
Including outsiders in your circle of influence. What I mean by this is to not have only a security-centric point of view. The best CISOs I’ve worked with included perspectives from within and outside their organization. Examples include:
- Sales. I challenge you to work with some of your existing and potential “vendor reps” to understand if they can help you answer some of the questions in the previous bullet point. I think you will quickly see whether they are there just to push product or to be an advisor. The best sales teams will ask questions to prompt better thoughts and conversations.
- PR. What team is better to engage for sending the right message to the public? Whether it’s to the larger company audience, actual clients, or to the true public, PR knows this business. This is not something you want to take lightly when you are caught in a breach situation.
- Legal. Your legal team may not understand cybersecurity but they are well-versed in communicating in terms of risk and understanding liability. Take them as a partner to help explain gaps in insurance coverage, internal policies, and contractual requirements.
There are allies everywhere, and you may be surprised where you find one. However, the key is to gain different perspectives and build trust among your team so that communication lines are open when the more challenging situations arise.
Leveraging and integrating with compliance. This also goes back to business goals: by aligning with any regulatory requirements, the actions you take to protect the business stay in step with what the organization already has to do. The more diverse groups that speak the same language, the easier it is to take action when needed.
So, no, don’t “fire the CISO.” We need all the good help in protecting our organizations! Let us help you, CISOs! It is not all on you to save the organization from the security woes of the world. But, being open to engaging is a great first step.