This article can also be found in the Premium Editorial Download "Information Security magazine: 12 security lessons for CISOs they don't teach you in security school."
12 lessons they don't teach you in security school about being a CISO
You may trust your perception of how businesses operate and what your role as a CISO is in making them safe, but nothing can really prepare you for the reality of when you walk into that office for the first time.
CISOs shouldn't focus on the latest and greatest technology, but on getting things done enterprise-wide and incrementally improving security. Every task, objective and operation needs to be vetted by stakeholders, working groups or committees. To top it off, the constant calls from vendors (each with a silver-bullet solution to all your problems) don't help the process.
When I assumed the CISO post at JPMorgan Chase after 12 years of consulting, I had many preconceived notions about how things worked and what needed to be done. Suffice it to say that most of my assumptions were thrown out the window before the first week was out.
So, how should you maximize your time as a CISO? It's not something they teach you in security or business school. After a year on the job, I can tell you that these 12 essentials are what security leaders need to know and practice to do their jobs properly.
#1: Forget Titles and Org Charts
Don't get too hung up on organization charts, titles and who reports to whom. None of these things really matter; every enterprise is unique and organizes security differently. Big titles and large areas of responsibility don't always go hand-in-hand with the ability to get things done.
CISOs often start off without a lot of leverage, especially in large organizations. When I became CISO, I thought that my job would consist of setting long-term strategies and deciding corporate-wide policy and direction. However, I found that I had no financial responsibility or connections to execute my strategies, so my title was relatively meaningless.
As an added frustration, organizations often have multiple CISOs, each with his own role in corporate security. Consolidation of the various aspects of security (policy and implementation, engineering and operations, and regulatory compliance) under the umbrella of risk management isn't always an option, so be sure to build strong relationships and develop credibility with the teams responsible for executing your vision. Don't ever treat yourself as "above" any specific operational task; your ultimate success is dependent on the operational capabilities of the group as a whole.
#2: Negotiate Security Enforcement
Many large enterprises have divisions that could qualify as Fortune 500 companies in their own right. Undoubtedly, individuals from each division believe their security and risk models are the best. This is bad news for you, since it's impossible to enforce policies and support infrastructure when everyone's got "a better way."
Trying to deploy a single enterprise-wide solution to enforce a specific policy is often impossible, since each business unit has different needs and operational requirements, as well as its own specific technology platforms that may not exist elsewhere in the organization. Thus, you often end up with multiple systems that do the same thing in different ways.
However, there's a certain baseline amount of security that no one should have the ability to opt out of; for example, having antivirus precautions or applying patches. Legislate these requirements in corporate standards, and have strong SLAs to back them up. Working with division heads and department managers to define how and when security is handled will allow your team to effectively address security issues and maintenance with minimal disruption to operations.
#3: Set the Risk Management Bar
Security managers are notorious for saying "no": No to business initiatives. No to open networks. No to anything that exposes the enterprise to risk. An effective CISO will find a way to say "yes," while minimizing an enterprise's risk exposure.
You need to determine your enterprise's risk tolerance, and then set realistic parameters for what risk is and isn't acceptable. By providing good visibility into the risk posture of your organization, you're able to drive risk decisions into the business, where they belong, and to build credibility for the security department among business managers.
Security professionals often see things in terms of black and white: you're either compliant or you're not. But risk management is all about trade-offs. Set the bar in the right place, and you'll find enforcing compliance easier.
This was first published in February 2005