OK there aren’t only five things every CISO needs to do, but you better at least get these five right!
#1 – CISO’s Must Master the basics.
It’s a great pleasure to talk with CISOs and other information security experts every day in my job. If it’s my first time meeting you (in the correct setting and context), it’s not uncommon for me to ask you two questions:
What is your definition of “information security”?
and
What is your definition of “risk”?
What is your definition of “information security”?
It doesn’t get more basic than this. I have asked this exact question at conferences, with CISOs at Fortune 500 companies and I have asked this question of Security Managers at small organizations. The first response I usually get when I ask this question is a puzzled look. Almost like “how dare you ask me such a question” or “do you think I don’t know”. After the puzzled look, I get a variety of answers such as:
“It’s protecting the information that the company deems valuable or sensitive.”
“It’s controlling access to sensitive information so that only people who should have access actually have access.”
“It’s understanding what assets need to be protected and putting the proper controls in place to protect it.”
Sometimes I don’t even get a verbal answer.
So, what is your definition of “information security”? I’ll share mine:
Information security is the application of administrative, physical, and technical controls to protect the confidentiality, integrity, and availability of the organization’s important information.
You may have a different definition, and that’s fine. Just have one, communicate it, memorize it, and drive everything you do in your job through it. If you don’t have one, use mine or make one.
If you are in charge of information security, you’d better darn well know what it means.
What is your definition of “risk”?
Risk is such an overused term; not just in this industry (information security), but everywhere. There are two bits of advice for this question:
- If you don’t have a definition of risk, make one or adopt one.
- If you don’t know why risk (and the definition thereof) is critical to your job, research this topic (this is a topic for another conversation).
My basic definition of risk is; the likelihood of something bad happening and the impact if it did. Others will use words like threats and vulnerabilities which are also important, but I don’t want to confuse the matter. Essentially a vulnerability (or “gap” or “weakness”) in the presence of an applicable threat leads to a likelihood of something bad happening, with an associated impact.
Everything you do in your job as a CISO (or Security Manager) revolves around your definition of information security and your understanding of risk.
After mastering these two concepts/definitions, then move on to policy/governance, asset management, access control, change control, training & awareness, or whatever else you’re addressing. If you’ve already jumped into other security activities, back up for a second and address these foundational (and basic) definitions.
It sounds basic because it is. Too many “experts” lose sight of the basics and chase the shiny objects.
You’ll need to master this!
#2 – Speak English.
Don’t assume that people know what you’re talking about. Consider your audience and speak their version of English.
Here’s an obvious real-world example. The audience is a group of executives (CEO, CFO, COO, etc.), and we’re delivering the findings of their information security assessment. The lead security analyst on the project starts going over the presentation and explains that:
“the organization should map their controls more closely to a chosen well-known information security standard such as NIST SP 800-53, ISO 27001:2013 and/or a framework such as NIST CSF.”
How well do you think that went over?
A more Englishy explanation for this audience might have been:
“the organization needs to standardize its controls in accordance with the rest of the industry.”
If the audience wants further explanation, then let them ask for it. You will have to get into this habit of speaking to your audience. Failure to do so makes you an outsider to the group and lessens your chances of getting a seat at the table on a more regular basis.
Another tendency that I’ve seen over the years is to speak your version of English because it makes you seem smarter to your audience. Here’s some advice… They already know that you’re smart, and that’s why you are there in the first place!
#3 – Make the case for the next five things.
Even though there are a million things (if you look hard enough), focus on no more than five. I’ve found in my own experience as a CISO, and the experience of others, that I can effectively manage no more than five things at a time. As a CISO, the five things are hopefully high-level strategic things and you can delegate the details to others.
What are the five most impactful (hopefully, based on risk) things that your organization should be working on right now? Define these things, document these things, verbalize these things, and get buy-in on these things. Do whatever it takes to make sure that these five things are done, and done right. No shortcuts, no easy buttons, no compromises. These five things should become awesome things only to be replaced with new awesome things once these five things are done.
Make sense?
#4 – Tell the story in five minutes or less.
Sometimes you’re lucky if you even get five minutes. If you can tell your story in five minutes, it tells the audience (at least) three things:
- You know your story well.
- You are focused on the most important topics.
- You value their time.
If you are giving a board presentation or delivering a status update to your executive group, plan on five minutes. Leave the rest of the time (if necessary) for questions and dialog. Questions and dialog mean that there’s engagement.
I would rather cover one topic well in five minutes vs. covering multiple topics with a sleeping audience.
Try this once, and see how much more engagement and buy-in you’ll get.
#5 – Make yourself a champion.
Be a champion of information security AND be a champion of business. Say yes more often than you say no. Enable progress more often than disabling it.
A challenge for many information security groups is getting invited to things; things like project planning meetings, group outings, strategic planning meetings, etc. People don’t like inviting negative people who always throw up road blocks. Be a cooperative, engaging, communicative, positive, champion of all things. Take the time to understand business challenges and offer creative solutions using your mad security skills!