12 lessons they don't teach you in security school about being a CISO
You may trust your perception of how businesses operate and what your role as a CISO is in making them safe, but nothing can really prepare you for the reality of when you walk into that office for the first time.
CISOs shouldn't focus on the latest and greatest technology, but on getting things done enterprise-wide and incrementally improving the security. Every task, objective and operation needs to be vetted by stakeholders, working groups or committees. To top it off, the constant calls from vendors (each with a silver-bullet solution to all your problems) don't aid the process.
When I assumed the CISO post at JPMorgan Chase after 12 years of consulting, I had many preconceived notions about how things worked and what needed to be done. Suffice it to say that most of my assumptions were thrown out the window before the first week was out.
So, how should you maximize your time as a CISO? It's not something they teach you in security or business school. After a year on the job, I can tell you that these 12 essentials are what security leaders need to know and practice to do their jobs properly.
#1: Forget Titles and Org Charts
Don't get too hung up on organization charts, titles and who reports to whom. None of these things really matter; every enterprise is unique and organizes security differently. Big titles and large areas of responsibility don't always go hand-in-hand with the ability to get things done.
CISOs often start off without a lot of leverage, especially in large organizations. When I became CISO, I thought that my job would consist of setting long-term strategies and deciding corporate-wide policy and direction. However, I found that I had no financial responsibility or connections to execute my strategies, thus my title was relatively meaningless.
As an added frustration, organizations often have multiple CISOs, each with his own role in corporate security. Consolidation of the various aspects of security--policy and implementation, engineering and operations, and regulatory compliance--under the umbrella of risk management isn't always an option, so be sure to build strong relationships and develop credibility with the teams responsible for executing your vision. Don't ever treat yourself as "above" any specific operational task--your ultimate success is dependent on the operational capabilities of the group as a whole.
#2: Negotiate Security Enforcement
Many large enterprises have divisions that could qualify as Fortune 500s. Undoubtedly, individuals from each division believe their security and risk models are the best. This is bad news for you, since it's impossible to enforce policies and support infrastructure when everyone's got "a better way."
Trying to deploy a single enterprise-wide solution to enforce a specific policy is often impossible, since each business unit has different needs and operational requirements--as well as their own specific technology platforms that may not exist elsewhere in the organization. Thus, you often end up with multiple systems that do the same thing in different ways.
However, there's a certain baseline amount of security that no one should have the ability to opt out of--for example, having antivirus precautions or applying patches. Legislate these requirements in corporate standards, and have strong SLAs to back them up. Working with division heads and department managers to define how and when security is handled will allow your team to effectively address security issues and maintenance with minimal disruption to operations.
#3: Set the Risk Management Bar
Security managers are notorious for saying "no": No to business initiatives. No to open networks. No to anything that exposes the enterprise to risk. An effective CISO will find a way to say "yes," while minimizing an enterprise's risk exposure.
You need to determine your enterprise's risk tolerance, and then set realistic parameters for what risk is and isn't acceptable. By providing good visibility into the risk posture of your organization, you're able to drive risk decisions into the business--where it belongs--and to build credibility for the security department among business managers.
Security professionals often see things in terms of black and white--you're either compliant or you're not. But, risk management is all about trade-offs. Set the bar in the right place, and you'll find enforcing compliance easier.
#4: Measure Security Objectives
You won't be taken seriously if you don't have a strong set of metrics.
But where do you start? Measure the things that you can measure, and be sure to understand the data you're collecting and how it relates to your objectives. (See "Security: Measuring Up.")
Performance metrics showcase the efficiency of specific groups: Did you deliver on your initiatives? What sort of improvements did you make? Did you meet your goal on time and under budget?
Compliance metrics look at policy exceptions: How many people have been through awareness training? How many vendors have you reviewed?
Risk and exposure metrics measure the security posture of the enterprise: How many vulnerabilities are there in the environment? When you put it all together and rank it in terms of severity, how are you doing compared to where you were yesterday? Where are the exposures?
It's vital to avoid common metrics pitfalls.
First, measure results, not activity. It doesn't matter how many events were logged at the firewall; metrics should actually provide visibility into the risk posture of the firm. If a metric doesn't closely link with your objectives or tell a meaningful story about the firm's risk, stop monitoring it.
Second, even good data is useless if you don't use it. Metrics are meant to measure performance today and to drive improvements tomorrow. They enable you to make decisions about where you should spend your time and where the biggest issues are in your enterprise's network.
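The distinction between activity and results, and the "how are you doing compared to yesterday" question above, is easier to see in code. The following is an added illustration, not code from the article or from JPMorgan Chase: it takes two constructed snapshots of a vulnerability inventory, ranks open findings by severity, and reports the day-over-day change in posture. The severity weights, the 1-to-10 scale and the host and finding identifiers are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Severity weights are an assumption for this example; pick ones that match
# your own risk tolerance (lesson #3) and keep them stable so trends mean something.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    severity: str
    is_open: bool


def exposure_score(findings):
    """Result metric: severity-weighted sum of open findings (not 'events logged')."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings if f.is_open)


def open_by_severity(findings):
    """How many open findings sit at each severity level."""
    return dict(Counter(f.severity for f in findings if f.is_open))


def top_exposures(findings, n=3):
    """Where are the exposures? Open findings ranked by severity weight, worst first."""
    ranked = sorted((f for f in findings if f.is_open),
                    key=lambda f: (-SEVERITY_WEIGHT[f.severity], f.host, f.vuln_id))
    return [(f.host, f.vuln_id, f.severity) for f in ranked[:n]]


def trend(yesterday, today):
    """Compare today's posture with yesterday's: score delta plus what closed and what appeared."""
    y_open = {(f.host, f.vuln_id) for f in yesterday if f.is_open}
    t_open = {(f.host, f.vuln_id) for f in today if f.is_open}
    return {
        "score_delta": exposure_score(today) - exposure_score(yesterday),
        "closed": sorted(y_open - t_open),
        "new": sorted(t_open - y_open),
    }


# Constructed sample snapshots; hostnames and finding ids are placeholders.
YESTERDAY = [
    Finding("web01", "V-001", "critical", True),
    Finding("web01", "V-002", "medium", True),
    Finding("db01", "V-003", "high", True),
    Finding("hr07", "V-004", "low", True),
]
TODAY = [
    Finding("web01", "V-001", "critical", False),  # remediated overnight
    Finding("web01", "V-002", "medium", True),
    Finding("db01", "V-003", "high", True),
    Finding("hr07", "V-004", "low", True),
    Finding("hr07", "V-005", "high", True),        # newly discovered
]

if __name__ == "__main__":
    print("yesterday:", exposure_score(YESTERDAY), open_by_severity(YESTERDAY))
    print("today:    ", exposure_score(TODAY), open_by_severity(TODAY))
    print("worst today:", top_exposures(TODAY))
    print("trend:", trend(YESTERDAY, TODAY))
```

The score itself is less important than the fact that it moves for the right reasons: closing the critical finding on web01 lowers it, a new high on hr07 raises it, and a busier firewall log would not change it at all.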
#5: Spend Wisely
Security managers often complain that they don't have enough money, and that's partly true: As a percentage, security receives a comparatively small share of the overall enterprise IT budget. However, security is beholden to the same spending and ROI metrics as any other part of IT; you have to quantify a need for spending and then prioritize your resources. Budgets won't necessarily increase; you just have to practice better spending.
A certain level of security is well-understood as a cost of doing business, and people will always fund what they deem is necessary (electricity and air conditioning aren't profit centers, but we always find money for them). Metrics are key to security investments and ROI, because without them you won't know if you're properly allocating your precious security dollars, or if you're getting the intended benefit from that investment.
The C-suite will always seek alternatives to expensive new initiatives and will have your head if they discover a cheaper, just-as-effective resolution. By accurately projecting needs through metrics, you can minimize the costs of "necessary" bits while pushing for new initiatives.
#6: Know Your Limitations
Even with all the money in the world, you couldn't execute on every one of your security desires. Rather than juggling many long-term projects, divide your work into small, manageable tasks. This will allow you to achieve more goals faster and demonstrate security's worth to management.
From a risk perspective, base your security priorities on a list of potential objectives and evaluate them based on their achievability and ability to reduce risk. If an objective scores high in both areas, do it immediately; if it scores low, drop it. Prioritize the rest according to factors that make sense for you--logistics, cost, breadth of impact, etc. With this initiative, in addition to your daily operations, you'll have a solid plan for achieving your goals.
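The triage rule just described (high on both achievability and risk reduction: do it now; low on both: drop it; everything else: rank by your own factors) is small enough to write down as code. The block below is an added example, not the article's or any organization's method. The 1-to-5 scoring scale, the "high" and "low" cut-offs, the choice of cost and breadth as tiebreakers and the sample objectives are all assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Objective:
    name: str
    achievability: int   # 1 (very hard) .. 5 (easy); scale is an assumption
    risk_reduction: int  # 1 (negligible) .. 5 (large)
    cost: int            # relative cost, 1 (cheap) .. 5 (expensive); tiebreaker only
    breadth: int         # number of business units affected; tiebreaker only


# Cut-offs are assumptions; tune them to your own risk tolerance.
HIGH = 4
LOW = 2


def triage(objectives):
    """Split objectives into do-now / do-later / drop, and order the middle group."""
    now, later, drop = [], [], []
    for o in objectives:
        if o.achievability >= HIGH and o.risk_reduction >= HIGH:
            now.append(o)
        elif o.achievability <= LOW and o.risk_reduction <= LOW:
            drop.append(o)
        else:
            later.append(o)
    # Order the remainder by factors that make sense for you: here, biggest
    # risk reduction first, then widest impact, then cheapest.
    later.sort(key=lambda o: (-o.risk_reduction, -o.breadth, o.cost))
    return {
        "now": [o.name for o in now],
        "later": [o.name for o in later],
        "drop": [o.name for o in drop],
    }


# Constructed sample objectives with made-up scores.
OBJECTIVES = [
    Objective("Patch SLA for all workstations", achievability=4, risk_reduction=5, cost=2, breadth=5),
    Objective("Replace every firewall vendor", achievability=1, risk_reduction=2, cost=5, breadth=5),
    Objective("Vendor security reviews", achievability=3, risk_reduction=3, cost=2, breadth=3),
    Objective("Network asset inventory", achievability=5, risk_reduction=3, cost=1, breadth=5),
    Objective("Awareness training refresh", achievability=5, risk_reduction=2, cost=1, breadth=5),
]

if __name__ == "__main__":
    for bucket, names in triage(OBJECTIVES).items():
        print(f"{bucket}: {names}")
```

Note that an easy objective with little risk reduction (the training refresh) lands in "later", not "now": achievability alone is not a reason to spend the team's time.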
#7: Collaborate With Peers
No matter what your role is, there will always be higher-profile programs than yours. You need to leverage a broad base of programs, resources and people within the company to maximize your effectiveness as a CISO.
With the increased focus on corporate governance, many organizations have built strong operational risk capabilities, giving CISOs a framework for making informed decisions about risk trade-offs. This brings operational risk closer to the more mature disciplines, such as credit and market risk. By exploring linkages between information security and operational risk, you can effectively increase the visibility of your programs and better align them with larger corporate goals.
Furthermore, you're often dependent on other groups to achieve your strategic objectives. By including them in the actual security decision-making process, you will not only gain support for your decisions, but input from others regarding the best solution.
#8: Fix the Plumbing
Maintenance is the hardest part of security. You need to have a handle on the processes that support individual solutions that you've deployed, and ensure that they're consistently applied enterprise-wide. It's not enough to know you have a remediation/response plan; you also need to verify that it's in place, tested and comprehensive.
And, before you even think about initiating the long-term projects, make sure you are actually doing everything you think you are doing now. Do you really have antivirus in place--not just the technology, but the response and support processes? Is it fully rolled out across the enterprise? Do you have visibility into every corner of the infrastructure? Remember, 95 percent compliance means that there are still an untold number of unprotected systems on your network.
#9: Read the Regulations
Do you understand the impact of regulations such as Sarbanes-Oxley on your security operations?
Nothing has as much influence on the board of directors and C-suite as regulatory compliance. But, there are many fallacies thrown around these days as to what these regulations actually cover and how security plays a role in compliance. I can't count the number of vendors that claim to have "SOX in a Box" compliance products. But, as many of us have discovered, the regulations are not nearly as prescriptive as others might have you believe.
The Sarbanes-Oxley Act states that the CEO and CFO have to attest to the enterprise's controls over data integrity. No solutions are prescribed. However, independent auditors will want to see that there are security controls in place before signing off on any financial statements. Similar ambiguities exist in Gramm-Leach-Bliley and HIPAA.
The lessons: Read the regulations and devise smart, effective ways for compliance. CISOs need to meet with the executive team and craft plans that meet auditors' requirements and fulfill the regulations' intents.
#10: Help Your Auditors
A strong partnership between IT security and audit is incredibly powerful for your enterprise.
Your audit department has a giant searchlight, and your goal should be to help focus it on the problem areas in your network. The more information you get, the more the auditors get, which translates into better intelligence for all.
With your help, the auditors will mandate more support to address the real security problems and risks facing your enterprise. The partnership will reduce risks and make the infrastructure more secure.
#11: Get Your Hands Dirty
Conventional wisdom says that a CISO sets the security strategy for the enterprise and directs others on implementation. While somewhat true, you can't afford not to get your hands dirty.
An effective security leader won't wait for others to act, but will roll up his sleeves, jump in the trenches and direct some of the initiatives, such as inventorying and assessing network assets. By working with the tactical and operational teams, you will get a worm's-eye view of the challenges facing the security and network teams. The personal contact will also gain you credibility and help transfer some of the importance of security to the operations staff.
#12: See The Big Picture
Remember that there are four facets to every successful security program: policy, process, people and products. Establish clear policies, build robust processes, make sure people are assigned roles and responsibilities, and ensure that they have the tools (products) to use the processes and policies to the enterprise's advantage. At the end of the day, the tool isn't the solution; it's the process and how well it works in meeting the program objectives.