Introduction
No CISO is an island. Of all the executive roles in a mature organization, the CISO is one of the most dependent on the collaboration and integration of disparate resources and people. The CISO is responsible not for a specific, discrete segment of a business model but for managing an abstract principle with shifting boundaries.
The success of CISOs hinges on their ability to listen, build consensus, and communicate in a wide range of registers. In practical terms, this means they spend a lot of time in meetings. We’ve broken them down into nine major types.
1. Security team meetings
These are the closest thing to a closed or internal security team meeting. They are usually attended primarily by the security staff who report directly to the CISO, and who may be managers or directors of their own specialized teams, such as governance, risk, and compliance (GRC), network security, a security operations center (SOC), etc. External security staff, such as consultants, contractors, and vendors may attend as appropriate.
These meetings are primarily intended for ongoing, routine management of the security team itself. They are for checking up on progress, managing external staff, and mentoring junior staff.
This meeting is the closest thing a security team has to a safe space, in which they can be absolutely frank about risks to the organization and the team’s progress. In our opinion, these meetings are crucial to building maturity and moving an organization away from dependence on CISOs themselves. CISOs who neglect to manage their teams and fail to cultivate and grow individuals’ capabilities are doomed to be overworked.
2. Security process meetings
Despite superficial similarities, we consider this a separate type of meeting from the others because of its prevalence and importance, and its focus on security processes. We’re talking about vulnerability remediation, firewall changes, incident review, threat intelligence, change control, and so on. These meetings have a more distinctly operational focus and are intended to solve specific, time-sensitive issues.
These meetings should ideally include a risk steering committee, as conceptualized by the ISO 27001 standard. The risk steering committee is a multi-disciplinary team composed of a combination of subject matter experts and leaders. It is their responsibility to make informed decisions regarding specific risks as advised by the security team and other experts. Depending on the subject at hand, additional expertise from tech teams or particular business units may be helpful as well, such as IT Operations, Development, HR, Facilities, or Legal.
The crux for these meetings is having the discipline to go through the laborious process of getting all these busy people together to focus attention on multidisciplinary security processes. In short, if the CISO doesn’t drive these processes, they simply will not happen, and nobody will notice until fingers start pointing after an incident occurs.
3. Executive meetings
CISOs are C-level executives, after all, and so they have routine C-level meetings (and meetings with the board in some cases) to discuss the broader operation. These meetings provide an opportunity to get executive input on security issues, plan budgets, and report on the risk management process as a whole. They are also an opportunity for CISOs to listen carefully to the concerns and goings-on of the rest of the executive team. Reading between the lines here can often save money in the long run, because potential issues are on the radar much earlier than if the CISO waits for someone else to bring them up.
Executive meetings call for an approach to communicating risk that is drastically different from the tactical focus CISOs might use with the security team, depending on the execs and the organization. They can feel like a waste of time, but that mentality is a trap. If the CISO communicates with care in both directions, they can have the influence necessary to drive maturity and transform your security program into a pillar of strength.
4. Audit meetings
“I actually got into security for the compliance,” said no one ever. While this is nobody’s favorite way to spend their time, most security teams worth anything spend a lot of it preparing for and undergoing various forms of audit. In addition to the big, official audits like SSAE-18 and ISO 27001, there are internal audits, external checks from customers, regulators and business partners, plus the occasional account or sales meetings to assure customers or partners about security.
Given that these kinds of interactions occupy so much of our time and energy, the best thing to do is be prepared. Having bound reports from the more substantive or exacting audit processes at hand means that informal audits, sales meetings, and less exacting standards can be met with no extra work.
Even for experienced professionals, it is easy to look at compliance as a chore that gets in the way of “real security work,” which usually means implementing controls. This is a mistake. Compliance is real security work, and paradoxically, being proactive, constructive, and engaging in these meetings will result in more efficiency, not less.
5. Liaison meetings
As we noted above, the CISO doesn’t manage a single process or entity so much as they wrestle with this abstract concept of “securing the business.” This means that many of the people, procedures, and technical infrastructure required for their success are out of their direct control. That’s what the liaison meetings are all about. These meetings are for staying engaged with our peers in IT, HR, Legal, Facilities and those responsible for physical security, and so on, to collaborate about sharing resources and achieving shared objectives regarding security.
These meetings are often tactical in nature, responding to emerging or shifting risks with new or tweaked controls, or getting feedback on existing controls. However, they also have an important awareness function, sharing information in both directions about new issues or ideas on the horizon. Few things are more frustrating for all parties than an idea going through a great deal of ideation, or even budgeting, before the CISO says that the idea represents an existential risk to the business. These sorts of things can damage the security team’s relationships with crucial partners and make security feel like a damper on operations or creativity. However, these meetings, done well, can ensure smooth operation of the security program in myriad minute ways.
6. Incident meetings and incident post-mortems
These are the meetings that take precedence over all the other meetings. They are ad-hoc meetings about security incidents such as breaches, zero-day exploits, attacks in progress, major outages, and so forth. They are also the place to discuss any kind of incident that compromises confidentiality, integrity, or availability, which can be as mundane as a mis-sent email attachment with confidential data, or a firewall false positive that takes out a critical website. Or they can be urgent but non-emergent issues such as a rapid, quick-and-dirty risk assessment on a new SLA.
Emergent meetings like these require a cool head. Above all, the goals are to limit damage, communicate clearly and purposefully in all directions, leveraging legal, PR, and executive guidance on messaging.
The key in these meetings is to avoid the temptation to assign blame, especially to end users. It’s both procedurally and politically unproductive to point fingers, especially while the incident is still underway. Instead, incidents like these require someone to stand up and take responsibility, if not for the original incident, then for the recovery. Even if there is a trained incident response team in place, the CISO must lead from the front to restore trust and normalcy as quickly as possible.
7. Control implementation project meetings
These are meetings to address the periodic task of implementing new controls effectively. They are perhaps a subtype of the security process meetings, described in #2 above, but we call them out separately here because of their focus on a single, often significant project. Unsurprisingly, these are deeply collaborative meetings, involving security staff plus representatives from any team the changes will impact, such as Development, IT Operations, or Facilities. Dedicated and trained project managers should also attend these meetings, whether internal to the security team or allocated from elsewhere, because these projects will take time, organization, and coordination.
These projects have their own lifecycles, starting with planning and budgeting, then architecture, implementation, and assessment. Listening to user needs and getting a sense of requirements and constraints ahead of time will go a long way toward making security feel like an enabler, not an anchor. They will help identify new issues that may spring up during implementation. As systems become increasingly complex, unintended consequences crop up more, and communicating about all stakeholders’ needs early and often will ensure that the control is emplaced with a minimum of fuss and maximum impact.
One significant pitfall for these projects is to lose sight of the big picture and become enamored of the control (tactic) as opposed to the risk it is supposed to mitigate (strategy). It is possible to exert so much effort that the cost of the control outweighs the risk. Both the human big picture as well as the structural big picture should come first, and pride and stubbornness should go last.
8. Vendor meetings
For all except the incurable gadget lover, vendor meetings can be a drag, especially given the emergence of newly persistent and surprisingly annoying email sales campaigns. However, they actually serve an important purpose. Vendor meetings help CISOs keep an eye on new ideas, capabilities, and trends in the industry. It is important, especially as CISOs grow more experienced, to check these themselves and form their own opinions. The alternative is to get blindsided when an exec sees a shiny new security service and forces it on the CISO, regardless of its applicability.
The keys here are to always remember that every system is unique, and that no matter how slick a new gadget might look, it might not actually solve current problems. While it is good to be open to new ideas and new trends, it is also good to be skeptical. A bad vendor is an annoyance, but the best can be allies and a source of surprising strength. CISOs shouldn’t hesitate to attend an occasional conference or lunch seminar, force down some rubbery chicken, and see what the kids are talking about these days.
9. Self-learning
So, finally, we come to perhaps the most important type of meeting, the ones for CISOs themselves. In a field that is surprisingly dependent on collaboration (on the good days) and politics (on the bad days), it is important to schedule time to breathe, think, self-educate, vent to peers, and be vented at in turn.
One of the best things about the security industry is the level of support we provide for one another, even for competitors. It is in our individual interest, our collective interest, and the public interest for information security to be a collective effort and be founded on shared information to the greatest degree possible. This imperative is even stronger given how quickly things can change. Even if the fundamentals stay the same, the terminology can shift so that the conversation sounds different.
So, if you’re a CISO, take time to read, talk, and listen. Exchange ideas with peer CISOs, mentors and mentees, trusted vendor allies, and professional organizations like Infragard, ISSA, ISC2, etc. It is too easy for CISOs to feel like they have to do it all and do it alone. That’s not just unpleasant, it’s unproductive, so engage in a little self-care. It’s not an indulgence.
Wrap Up
If all of the above makes the CISO job sound like just a bunch of talking and politics, that’s because it partly is. But all of this talking and politics is predicated on the deep skills, knowledge, and experience that we need to do our jobs. It is not so much that we have to balance these two sides, but that they are intertwined, and that is really what leadership of any sort is about.
So, the next time you look at your calendar and realize that there’s no room for lunch, lament for lunch but not for your work, because meetings are actually your stock in trade. We hope that our list helps you sort them out and recognize how and why you’re in that particular room, with those particular people.
