Troublemaker CISO: Do You Know What You Should Be Doing?
The Rant of the Day From Ian Keller, Security Director
If you missed my previous rant, you can find it here. It gives my bona fides. Or you can cyberstalk me on LinkedIn and OnlyFans. Just kidding - I don't have a LinkedIn page.
I have a sense of humor. It's weird, but it's mine - as are the opinions given here.
What You Should Be Doing
Do you know what you are supposed to do as a CISO? Not what you are doing, but what you should be doing.
Let's start with what all CISOs are doing. For the most part, we spend our days trawling through data, doing threat hunting and building walls around data. We pull our hair out because someone higher up in the food chain got a brilliant new idea and now we have to defend it, perhaps by explaining to people, "No, Bill Gates is not going to give you $1 million if you send this email to 100 people and copy him." You know - the normal stuff.
Although that stuff is important, it is not what you should be working on. Those functions should be under your guidance, but executed by your teams, or as I call them, your "propeller heads." Yes, back in the day it was our job - if you have been in as long as I have, or longer. We did it all. We were the owner/operator of all things security, hidden in the closet office somewhere … far removed from the rest of the people … but I digress.
Things have changed. This is no longer what we do. I have not been doing it for years. The job now is a strategic role working at the top end of the food chain, directly enabling the business's strategic objectives. You are the executive for information security. It says so in your title: Chief Information Security Officer - of which cybersecurity, or the tech bits, is but a part.
You as a CISO are now mandated by the chairperson of the board of directors and the CEO to keep the company's information safe. You also carry personal exposure, more so if you are unlucky enough to also hold the Data Protection Officer designation under GDPR, and you are the first one sacrificed when things go wrong - hence your salary.
Your skill set must evolve from technical to executive to reflect the title and duties of a CISO. If cybersecurity is your thing, that's not a problem; it's more than relevant. But then you are not a CISO. You are a CCSO, or Chief Cyber Security Officer.
Your technical skills should not be in question; you have demonstrated them throughout your career. And if you still hold a current technical certification that you use day to day, you shouldn't be. The skills you acquired in technical roles are not wasted; they are critically important, and you use them as the basis for your role as CISO.
As a CISO, your role is to provide leadership, strategy, coaching and mentoring to your team - not to be the firewall admin.
Skills a CISO Needs
In my opinion, the new skills you need to learn or get better at revolve around all the nontechnical aspects of being a CISO.
You must:
- Have the strength of conviction to tell it like it is, without sugarcoating or downplaying the risk.
- Get rid of the FUD - Fear, Uncertainty and Doubt - sales pitch - see point 1.
- Collaborate with the Chief Risk Officer to produce a unified risk report - see point 1.
- Be able to express information security risks in a way the board will understand.
- Have a deep understanding of all the laws and regulations applicable to your entire business - not just the IT stuff - and for all of its operating areas. This will enable you to:
  - Act as information security adviser on legal matters with the CXOs and with contracting and legal counsel.
- Understand the workings of the various executive boards and be able to give the directors the information they need, in a language they understand and in the time allocated to you.
- Have a detailed understanding of the business's 10-year plan.
- Develop a fluid security plan that supports the business plan.
- Build close working relationships with all the executives, to the point where you are a fundamental part of the formulation of their individual strategic plans.
No, You're Not Done
Now you need to take all that, translate it into information security's operational outcomes, digest it further with the CCSO into technical requirements, and have those aligned with the CXOs. Then - once you have had a moment to scream out in total frustration - you can go back to the board and assure them that it has all been done and handled, even though some of your outcomes are executed by, and dependent on, other departments.
By the way, this is just the tip of the iceberg. I have not even started ranting about managing threats, such as the insider threat, but that is a story for another day.
Ian Keller, who is director of security at a telecom company, is an information security evangelist with over 30 years of experience. He started his career in the South African Defence Force's Combat School, where he served as an instructor in Army intelligence. Keller took this background into the corporate world and was instrumental in the creation of the global information security function for one of the country's Big Five banks. He subsequently was appointed chief information security officer for one of South Africa's leading corporate and merchant banks.