How to be a Chief Information Security Officer (CISO)

If being a Chief Information Security Officer (CISO) is your dream job, this video is for you.

Ernie Hayden, consultant and former CISO, gives a Chief Information Security Officer job description -- from proactively protecting sensitive data to creating incident response procedures -- that can teach you how to keep things running smoothly enough that you could even take time off.

Read the full transcript from this video below:

Ernie Hayden: So today's agenda is really to talk about a few things. One is, some
skills and perspectives that I feel are important to your success. And I've
been asked also what my opinion is on certification and whether it's enough
or not, talk a little bit about strategic security plans and tactical risk
management as a means of getting through the day. And last but not least,
some survivor skills as a CISO, to really help you kind of sustain your
perspective and be able to get through the days, the weeks, and the months.
Really, it's four primary categories that will be pretty much the way I
see things as having a skill set to be successful.

Number one is, you need to understand technology security, and understand
the technology problems. Secondary is information security and the
business problems. The third area is strategic security which is really
pretty much becoming more and more our lifestyle, focusing on critical
security issues and really the one offs. And then what kind of glues all
this together is what's called, I call them soft skills, So you'll see a
model that I've been working with Kirk Bailey, the CISO of the
University of Washington, and Kirk and I have been building this model
about the Security Profession Expertise Levels, based on a seed of an idea
from Forrester about three or four years ago. And really what we're seeing
is that to have a foundation and be successful in this space, you really
need to have three different areas or three columns of expertise.

The first one is technology securities. This is very fundamental. It's
foundational to our survival and this is the stuff you learn in CISSP
classes, CISM, the boot camps and so on. This is the stuff like the
firewalls, the IDS's, IPS's, network security telecoms, and so forth. And
you really need to understand this, but this is not what our work is,
especially as a CISO. The CISO is evolving into the next two areas which
are information security and strategic security. Now, I spent most of my
life pretty much in the last two areas, information security and strategic

For example, in information security, risk management, business continuity,
intellectual property protection, data leakage issues, business integrity
issues, regulatory compliance, privacy, and forensics and investigations.
And these are really business problems that we're trying to solve and
protect our businesses and enterprises. So this is pretty much an area that
I spent an awful lot of time in, but now we're also spending time in what
is called the strategic security or the critical security issues, and
ranging from nation-state attacks of which I must admit that every
company's got some issue going on here. We've got different politics and
political issues that are surfacing, that will affect us, regional
interests, including the different cyber issues and also even natural
disasters. So the bottom line is that when you look at a CISO foundational
requirements, Kirk and I would argue that this pretty much is a fairly good
model as what you should look at, and how you can sustain your areas of

Now I mentioned as a glue for all this, the soft skills, and what are
those. Well, people say soft skills, they're thinking about good
communications and so forth, and I would agree with that. But a couple of
the ones that I'm also looking at are like social skills. You have a
network of security professionals as well as other professionals that
you're dealing with, and not only do you have to establish that network,
but you really need to sustain it, and nurture it. Because those people are
really going to be there to help you when the time comes for something
going on in your enterprise, that just doesn't make any sense, and your
question is, "well, what do I do, who do I call?" Well, look to your
network and get that network built ahead of time. I'll talk a little bit
about legal in this case later on.

Another thing is the soft skill is psychology and sales and marketing. You
really are pitching, you're always trying to educate, you're trying to talk
to your employees, giving them employee awareness issues, explaining why
security is important. You're working with your management, trying to
understand what motivates them, but you're also trying to explain to them
why you need a budget, why you need to increase your budget, and so on. So
you're always looking at the psychology and the sales and marketing pitch
very, very frequently, and I rely on these skills quite a bit.

You also need to be a great thinker. You really need to be able to sit and
think outside the box. Not every problem has a technology solution. Not
every technical problem is a technical problem in many respects. It could
very well be a social problem. I've got one instance where we were doing
some investigations and we kept on seeing people using Google images, and I
was trying to understand why they were using them so much. And I finally
asked the individual we were investigating and the comment was, "oh, that's
how I bypass the porn filters, because I can use Google images." Well,
here's a technical tool being misused, and something I never would have
thought about. So it really helps you to think way outside the box and
realize that what you see may not be necessarily what's going on.

Then another soft skill is you really need to understand social,
criminal operations, fraud. You need to sit there and go,
"OK, I have a product or an idea or a technology and the question is, how
can a bad guy or a bad person take advantage of this and use this against
us or against other organizations?" And also continuing the soft skills
discussion is a couple of other techniques I use is ones I call on for
organization and how do I take a look at all of the things on my plate
everyday as I do some chunking. But really what I am doing is I'm taking a
look at all the myriads of issues and I kind of put them in their own
little piles to help me realize how to proceed, or how to look at an
investigation, and so forth. And really it's just a methodology that is
extremely helpful for all the things that I do.

You also need to understand root cause analysis, and what it is. There are
so many times I'm having conversations with people, like our help desk and
our system engineers and so forth, where they're saying, "well, I
understand what the root cause is." But in actuality they only understand
what the symptoms are. And we actually have classes that I
teach, on root cause analysis and what that constitutes. So that people can
really understand good questions to ask, techniques to perceive root cause
analysis and so forth. And this is really a soft skill. It is not
necessarily a hard technical skill.

The other skill that I really advocate is the Winston Churchill rule of,
"never give in." There's a famous speech that Winston Churchill gave in
1941, where he's talking to a bunch of students and essentially it's
reported that he stood up and said, "The most important thing is to never,
never, never, never, never, never, ever, give in." And in our job, how many
times do you go home at night and you're finally saying, "wow, that was a
really crummy day today." You know what, the next morning you get up, you
have the same energy, the same positive view, and you go back in trying to
make things well. And that's really following what Sir Winston Churchill

Then a soft skill, although it's a theme throughout my talk, is being
ethical and doing the right thing. If you ever wonder what to do, just sit
back and ask yourself, "OK, what do I do? What is the right thing to do in
spite of all the pressures that are upon me?" A question that's always
asked, especially for me, as being a CISO or a person hiring other
individuals in security space, is, what do I look for in certifications.
And there's a whole bunch of them out there. I think that we all know the
CISSP, the CISA, the CISM, the CEH, Certified Ethical Hacker. SANS has
several different certifications, Microsoft and so forth. And really my
opinion is that the certification doesn't necessarily make or break you as a
security professional. But the primary issue is that it's kind of a
threshold. Have you been able to get through and do you have the knowledge
and even have the interest of getting the certification accomplished? A
particular issue that I have here is that if someone were to say, "well,
what do I look at for a minimum?" Well, my prejudicial perspective is
either a CISSP or a CISM, and what's really great is if you can have
Certified Information Systems Auditor, or CISA thrown in, then that has a
really good collection of skills, then I would argue those are very, very
good fundamental certifications.

Now another area that's always being asked for a CISO is that we have to
enhance your business skills. How do you get actively involved in
understanding the business? And in my case, I'm actually quite fortunate.
I have a degree in business from several hundred years ago and also, I've
been a CEO of a company before my entry into the security business. So I
tend to have quite a bit of personal experience in the business space. But
for people who ask me this question, what I really say to them is there's a
couple of things I would suggest you look at. Go back and look at the
security profession model that I just showed you a couple of slides ago.
The things to think about, number one, talk to your CFO, talk to your
procurement manager. Ask them what makes them tick relative to contracts,
and how they're working with outsourcing and so forth. But then take your
security hat and bring it into the discussion, to ask questions of the
procurement manager to say, "What are we doing about indemnification if our
outsourcing partner loses the data? Who pays for the breach? Who pays for
the notifications?" This is a good way to get a dialogue going way early
in the process, so that you're not in extremis later on when you have a
breach, if you ever do. And that you're trying to figure out who do I talk
to, when and where.

Also, the same thing with networking. When you look at other people in
your organization. Take a good hard look and meet with the people from
human resources, risk management, regulatory compliance, privacy officer,
legal. I mean you really want to meet these people way ahead of time
because you don't want to be trying to find out who the legal individual is
you're talking to when you've had a breach. You want to talk to them when
you first get on the job or when you start thinking about how you work with
different aspects of the organization.

Now, about the weekend, this is always the question. I know it's like,
"well, gee, you work a ton of hours, you know? I can't think of a case
where I've gotten out of the office early and usually whenever I use the
word "early," it's because I'm in the office early." But in actuality I'm
also very fortunate because I really love my job and I'm passionate about
information security and all the things that are associated with it. But also it's a
really easy place to get burned out if you're not careful. So a couple of
techniques that I try to lean on or look at when I'm trying to figure out
how to not work too many hours, are such things as a top ten list. I
sustain one like once a quarter or once a year, I sit down and just write
down what my top ten issues are, strategic issues. And I literally laminate
it, put it in my wallet, carry it around. Those times when I'm trying to
sit back and get refreshed and say, "OK, let's look at the swamp."
Remember, we're supposed to drain the swamp, not fight off all the
alligators, in whatever we are trying to achieve. Also, I have a strategic
framework that I built. It was a methodology of saying, "OK, what is the
strategy for information security for the enterprise," and I built one and
try to update it about every two years or so, and again, it's really the
foundation for the top ten list.

I have a technique I call Tactical Risk Assessments. You know these are
formalized risk assessments where you're doing the graphics and the highs
mediums and lows and so forth. But I think we all know that our day to day
job has risk assessments that are ongoing. I'll look at my email and look
at incoming messages or a phone call from the boss or a phone call from the
help desk. And immediately do a tactical risk assessment where it's pretty
much a mental approach to say, "OK, what is the risk for the enterprise,
what is it, do I have to take care of it right away, is it something that
can wait," and so forth. So it's just a very simple methodology that's a
way to try and look at all the things on your plate and essentially
establish what the risk analysis is and how do I proceed. One thing to look
at when you're really getting kind of swamped is look at what your
company's core business is, its competency and then work from there. So
for example, if you're getting all carried away on a telephone issue or an
instant messaging issue, just stand back and say, 'hey, wait a minute, what
is the competency that I'm trying to protect, what is my company's core
competency,' then I'm going to go back and focus on protecting that

Also, definitely remember that there's no such thing as zero risk. I mean
you're going to be faced with all sorts of decisions and issues and
questions and so forth. And it's impossible to get yourself down to zero
risk. So what you have to do is look at your security portfolio and your
profiles and activities, to try and get your risk level to what is
acceptable. There's no formula to that. And definitely last but not least,
one thing to remember for sure is that your job is to protect the data. And
if there's ever a question in your mind to sit there and go, "protect the
data, what am I doing to protect the information at the organization?"

So, how do I survive and thrive in this environment? I've got a couple of
different aspects and this is a bit of a build. One thing for sure is I
read, read, read. I am a prolific reader, I read as much as I can. I read
blogs, I read misc documents, I read magazines, I read books outside of
information security, that help me have a little bit different ray of
thought when I'm approaching problems.

Another thing you do, again, I talked about this earlier, expand, nurture
and care for your network. Boy, isn't it great if you have botnet attack,
that at least I know who to call. It's a dear friend of mine, Dave
Dietrich at the University of Washington. He's one of the world's experts
on botnets, so at least I have a reference who is in my network. Have a
mentor, and in many cases, they also act as a great psychiatrist. It's
basically someone you can lean on, ask dumb questions, basically just kind
of sit there and say, "hey, look, I don't know how to proceed, or I'm
frustrated, or help me figure this out." And your mentor is not your boss,
it's not your CIO. It's just a very good friend who's also got some really
good solid perspective. And there's bound to be one in an adjacent company
or another organization that you can find.

When in doubt, go to the basics. This is always my case, am I protecting
the data? I talked about that. Am I protecting society and the corporate
reputation? Those are also very key to what I'm doing every day. Does this
pass The Wall Street Journal test? And if you've never heard of that, the
question is always, if we're doing something, or if I take action and it
winds up on the front page of The Wall Street Journal, and it's
embarrassing to the company or shareholders or stakeholders are irritated
about it, then maybe you shouldn't do it. Maybe that's just the best way
to look at it. And again, is it ethical and the right thing to do. I've
talked about that before, so my life as a CISO, I'll tell you why I love
this job. It's just a fantastic experience for me, that I've been doing
since 9/11. It's intellectually stimulating. If you look at the headline
that was recently posted by Symantec. About their detecting rising
professional cyber crime on the internet. That is a pretty profound
statement and it's something we're going to be facing more and more all the
time. Well, that's a pretty exciting environment from the standpoint
of, wow, there's some really interesting things going on, that are causing
me to think about how do I protect the environment, how do I protect
myself, how do I protect my family and in that case, or the organization?

The other thing about being a CISO is that you are all over the place. You
learn many different disciplines. I told you to go to HR, you're into IT,
you talk to risk, you talk to compliance. It's just all over the place,
it's many, many different disciplines, and really causes your gray thinking
to get grayer in many cases. Never a dull moment and I also would contend
that it's sheer terror punctuated by moments of "Aha's." I mean you get
the problem, you're going, "holy smokes, how did this happen and how am I
going to approach it?" And sometimes you just kind of sit back and there's
an answer, or you talk to your mentor, or you talk to your network. I love
being surrounded by very smart people, and all have strong ethics. So I
want to thank you very much. Obviously if you ever have any questions, feel
free to give me a call.


What is a gray thinker? Is it like QA where you have white, black and gray box security and testing?

What is ethics to you, because sometimes ethics is out the window when a security breach has taken place. So, Sir, how do you define ethics from a risk management standpoint?