Choosing the Right Staff
NOTE: In his previous blog entry, Steve Katz discussed business/security alignment. In this entry, he writes about choosing the right staff to serve and preserve that alignment.
If there's one thing I've learned about information security professionals, it's that they come in multiple flavors.
There are folks who are security/technology people, and they excel at that. Some of them are not particularly comfortable either managing people or working directly with the business side of the house.
Other folks come out of the audit world, and they excel at doing security and vulnerability assessments, but they, again, may not excel at technology. They may not excel at working with the business side of the house.
Yet, increasingly today, you want people who can run security like a business, feel comfortable in maintaining a seat at the table and are willing to work with changing governance and putting together massive security awareness programs that involve not only the end user, but also involve spending time with the Board of Directors and the business heads to explain why security is really important to them.
Think of it like this: A CEO's role is to be the external face of a corporation, and you often have a Chief Operating Officer more closely focusing on the day-to-day operations. Likewise, the head of information security in major corporations today -- and even in smaller corporations -- is the face of information security to the business heads and to the board of directors. The role requires sitting down with business executives and helping them to understand the security impact of saying "yes" or "no" to doing one thing. It means helping them to understand that when you say "yes" to doing one thing, you have to say "no" to something else. There are always going to be trade-offs, and one of the things a security leader needs is a rationally thought-out risk acceptance process. If you're not going to do something -- then here, in very simple English, is what it is you're all electing not to do. Here is why you are electing not to do it. Here's the impact of not doing it.
In effect, what you're doing in this role is assuring that the executive understands 'I am willing to accept this risk on behalf of the corporation.'
Now, for a security professional to aspire to be the leader in this role, well, in addition to understanding technology, in addition to understanding vulnerability, this person has to totally understand what it is that he or she needs to do to gain approval from the board of directors and business management of a corporation. Which means gaining acceptance and credibility across the enterprise.
The head of security can't be the person who only gets to see the business executive just when it's bad news. There needs to be a regular line of communication between the information security executive and the business heads. Whether it's once a quarter or once a year, there has to be a discussion of 'Here is what we're doing, here's why we're doing it, here is why it is important to your business and here's what it is we can do for you.'
Now, how do you choose the right lieutenants in your staff to be able to support an organization like this?
I'm going to sound awfully cliché, and I apologize for it, but someone once told me that the best thing you can do as a CISO is to hire giants -- because then you can stand on their shoulders.
You may know more about any one specific area of security and the business, but you want to make sure that in the aggregate your direct security team knows more about the technology, the awareness, the finances, the programs than you do. Hire the best and smartest people around, set the objectives for them, and then let them go ahead and fulfill those objectives for you.
The folks who are truly outstanding in the information security field have incredibly bright, articulate, brilliant teams that make sure that the program gets done. This frees up the CISO to provide general consulting support to the business areas so that those leaders know and see the quality with which the team itself is delivering the security program across the company. One of the things we did at Citi was introduce a concept called the Business Information Security Officer. We had a person in each line of business who was responsible for overseeing security in that business. We had them report into the business. We had to make sure that they were business knowledgeable, and we trained them for two weeks every year. So we trained them in security, but their focus was 'How do I deliver the security within the context of business departments?'
I think, in turn, lots of companies are taking that same approach today, and it becomes a really effective means of getting security in place because the people understand the business issues that they're dealing with -- they understand the business and also can balance that with the security requirements that are in place.
If you're not looking out for the business, then you are not going to get the job done.