
On top of this, legal aspects, regulations, industry standards, investigation requirements and forensics change constantly as laws are written, case law modifies existing practices or new threats emerge. One source told me recently that there are over 120 new variants of crimeware (malicious code designed to perpetrate fraud and other crimes) being written each week. Just trying to keep up with all of this change is a full-time job. You can’t be wondering whether you have all the latest facts when something happens and you need to make quick, decisive decisions. Do you know all the laws and regulations around the world that could affect you?
Moreover, the environment is changing constantly. New threats emerge by the hundreds every day. Global issues like terrorism, civil unrest and outsourcing have major impacts on your security programme. What risk does terrorism pose to your organisation? Have you defined it? Have you quantified it? What about political and civil unrest in places you do business? What about the vendors and partners you rely on – could issues in seemingly remote locations put you at risk? What about the implications of business process off-shoring and a global economy – have you looked at those issues and the security implications of doing business in lands where there is no concept of intellectual property, and where it can be extremely difficult (if not impossible) to verify someone’s identity?
While all that is spinning outside your control, you still have to do your day job. There is no way in the world you’re going to deal with all 40-plus domains of knowledge by yourself. You’re going to need smart, capable people that you can trust to make good decisions. How do you find, develop and retain them? There are four basic assets you need to protect: people, property (which includes computers as well as buildings), information (in all its forms) and reputation. People are the most important asset, as they are the hardest to replace. Do you have solid development plans for all your security personnel – not just to ensure that they can do their jobs, but to ensure that they can grow in their profession? Are you spending enough time mentoring?
People who feel they are growing and learning are far more likely to stay and contribute than those who are starting to feel bored. You need to keep them excited and enthusiastic. Of course, that means you need to stay excited and enthusiastic yourself. How do you get your training? Do you have time to go and sit through a four-day conference to hear the two or three sessions that are important to you? If you do, you’re the ultimate time wizard and I will pay you to teach me your ways! Start looking for different types of training that meet your specific needs. As I type this, I’m on a plane headed home from a CSO conference that involves two days of concentrated learning specifically designed for you with lots of opportunities to network with your peers.
Get with the program
So what needs to be included in your security programme? If you’re in financial services it will be a lot different from what you may need if your company is in manufacturing. You need to be able to adjust your programme every year (if not sooner) as the threat environment changes. How are you identifying the threats and quantifying their potential impact so you can adjust your programme accordingly? If you were called into court and asked to show that you are in fact exercising due care in the protection of the company’s assets, could you do that? Do you have documented processes that would allow you to demonstrate that you monitor changes in the environment and measure your risks – and then make appropriate adjustments to your programme?
Also, what is your security objective? Donn Parker is considered by many to be the Dean of Information Security. He suggests in his writings that you cannot tell who will attack you, what methodology they may use or what their motivation may be – so the best that you can do is to exercise demonstrable due care and be able to respond effectively when an incident does occur. Have you met that benchmark? Is that sufficient for your organisation? Do you need to be ‘best in class’? What is the reputational risk to your business if a major security incident were to occur? Is security a part of what your company needs to provide to its customers? What is best in class for your organisation? Have you looked at what other like companies are doing? Have you defined the scope of what needs to be included in your evaluation?
There are some truly good works out there you may want to look at. One I particularly like is from the Institute for Critical Information Infrastructure Protection (ICIIP). They have created something they call ‘The Security Continuum’ that depicts a five-stage transition from compliance-based security to commitment-based security. It may give you a good idea of where your programme is today and where you want to take it tomorrow.
How do you find the balance between necessity and cost? We are all trying to develop and implement cost-effective controls. As a friend in Canada once told me, you don’t put a US$20,000 fence around a US$200 cow. It is a maxim I have remembered my entire career. What is the risk you are trying to mitigate/remediate and how much of an exposure is it? I am constantly frustrated at discussions where a businessperson says he can make US$40 million by doing a certain initiative and asks how much of a security risk it is, only to be told ‘high’. How high? We need to be able to respond with a statement such as: “You have a US$500,000 direct loss exposure, but the reputational risk exposure is in excess of US$200 million.” If you can substantiate that, the businessperson will not only listen, they will invite you to every discussion they have. Business people want to make sound business decisions. They get paid to take risks, but they also get paid to know how much of a risk they are taking. You need to be able to tell them in realistic money terms how much of a risk something is. The fact that someone could use a highly sophisticated attack to compromise an application does not mean that they will. We need to be able to define the likelihood of something happening as well as the consequences of compromise; combine the two and you have an expected loss you can set against the cost of the control that would reduce it.
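The paragraph above asks for risk stated in money, as likelihood and consequence rather than ‘high’. The following is an added example, not code from the article or from any organisation it mentions, showing one common way to do that: treat event frequency as a Poisson rate, loss per event as a lognormal fitted to a low/high estimate, and derive an expected annual loss plus the chance of a bad year. Every figure in it (the breach scenario, the cow, the fence cost) is constructed for illustration and is not data from the article.

```python
"""Risk in money terms: expected annual loss from likelihood and consequence.

Added example (not from the article). All scenario figures below are
constructed for illustration; substitute your own frequency and loss estimates.
"""
import math
import random
from dataclasses import dataclass

Z95 = 1.6448536269514722  # 95th percentile of the standard normal distribution


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: how often it happens and how bad it is when it does."""
    name: str
    events_per_year: float  # expected number of loss events per year (Poisson rate)
    loss_low: float         # 5th percentile of loss per event, in USD
    loss_high: float        # 95th percentile of loss per event, in USD


def lognormal_params(low, high):
    """(mu, sigma) of the lognormal whose 5th/95th percentiles are low/high."""
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z95)
    return mu, sigma


def expected_loss_per_event(s):
    mu, sigma = lognormal_params(s.loss_low, s.loss_high)
    return math.exp(mu + sigma ** 2 / 2)  # mean of a lognormal, not its median


def expected_annual_loss(s):
    """Likelihood x consequence: the single number the businessperson asked for."""
    return s.events_per_year * expected_loss_per_event(s)


def simulate_annual_losses(s, years=20000, seed=1):
    """Monte Carlo: total loss in each of `years` simulated years (seeded, so repeatable)."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(s.loss_low, s.loss_high)
    totals = []
    for _ in range(years):
        # Poisson-distributed event count (Knuth's method; fine for small rates)
        limit, count, p = math.exp(-s.events_per_year), 0, 1.0
        while True:
            p *= rng.random()
            if p <= limit:
                break
            count += 1
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(count)))
    return totals


def summarize(totals, threshold):
    """Mean, 95th percentile and probability that a year's loss exceeds threshold."""
    ordered = sorted(totals)
    return {
        "mean": sum(totals) / len(totals),
        "p95": ordered[int(0.95 * (len(ordered) - 1))],
        "p_exceeds": sum(1 for t in totals if t > threshold) / len(totals),
    }


def control_net_value(s, annual_cost, frequency_reduction):
    """Expected loss avoided by a control minus what the control costs per year.

    Positive means the control pays for itself; negative is the US$20,000 fence
    around the US$200 cow.
    """
    after = Scenario(s.name, s.events_per_year * (1 - frequency_reduction),
                     s.loss_low, s.loss_high)
    return expected_annual_loss(s) - expected_annual_loss(after) - annual_cost


# Constructed scenarios (illustrative numbers, not real data)
BREACH = Scenario("customer-data breach via the web application",
                  events_per_year=0.2, loss_low=100_000, loss_high=5_000_000)
COW = Scenario("the US$200 cow", events_per_year=0.5, loss_low=150, loss_high=250)

if __name__ == "__main__":
    for s in (BREACH, COW):
        stats = summarize(simulate_annual_losses(s), threshold=1_000_000)
        print(f"{s.name}: expected annual loss ~US${expected_annual_loss(s):,.0f}, "
              f"95th-percentile year US${stats['p95']:,.0f}, "
              f"P(year > US$1M) = {stats['p_exceeds']:.1%}")
    print(f"Fence net value: US${control_net_value(COW, 20_000, 0.9):,.0f}")
```

The expected annual loss is the headline figure; the simulated distribution is what answers “how high?” for a given budget holder, because a low average with a fat tail (one bad year in twenty) is a different conversation from a steady drip. The reputational component from the article’s example can be modelled the same way as a second scenario with its own frequency and loss range.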
We haven’t begun to scratch the surface. Do you really have an effective executive protection programme in place? You can spend hours educating your execs on why it is so important. I’m told that the entire executive committee of a major corporation got in a helicopter in New York City a short while ago for a quick flight from mid-town to the airport. The helicopter crashed into the Hudson River. Happily, everyone escaped. Hindsight being 20/20, we can all make an excellent case now that they never should have all gotten on the helicopter in the first place. Do your top execs travel together, maybe on the corporate jet?
Finally, I think convergence is a trend that is not going away. There are far too many reasons for it to happen – physical and information security technologies are converging, and the assets we need to protect do not distinguish between the two. Computers are property – laptop theft has an impact on information security, but the thief is stealing physical property. Information exists in electronic, hardcopy and spoken forms, and all forms require protection.
I used to work at a research and development facility for a major computer company. A reporter, writing under a fictitious name, seemed to know exactly what was being developed, what the problems were, when products would be ready to go into production, etc. The security teams (both physical and information) were baffled. We had an excellent document destruction programme that prevented paper files from getting out, but the stories in the press continued. One day, a colleague and I decided to get out of the office and go have lunch at the local restaurant, and I happened to notice a man sitting by himself in a booth with a cup of coffee who was writing furiously in a notebook. I looked at the booth behind the man and it was filled with our engineers talking over lunch about the projects they were working on. We had found our leak! Protecting people, property, information and your critical business reputation requires an effective blending of physical, operational, system and network security controls. Convergence has been happening for some time. We are finally acknowledging it.
I could go on and on. It’s clear why people get burned out or tripped up in a CISO role – there is so much to do, and all of it is important. And most of what I talked about is operational, day-to-day stuff. How do you get out of the crisis-du-jour and get strategy defined, let alone implemented? Top-notch staff is the answer, but then you need to justify those positions, do the recruiting, set direction and goals, manage performance and… and on it goes.
How to handle the CSO job
• Learn. Find a mentor. Develop a network of smart people you can talk to. Make the time to share with them. They will return the favour.
• Get off your chair and get out in the business. Help the business solve problems and they will also be willing to fund things for you.
• Join a professional association – or several if you can afford to. ASIS International, ISACA, ISSA’s CISO Executive Forum and the CSO Executive Council are all good.
• Learn business skills, particularly finance skills. You’re running a business inside a business. You need to talk, think, measure and act like the rest of the business team.
• Metrics – develop them and use them. They will show your value to the business.
• Learn the lexicon of risk. It isn’t all about risk, but it sure is a huge piece of the puzzle.
• Find, hire, develop and retain the best and brightest. Surround yourself with brilliance and you will shine.