Stories from the Front Lines of Security Leadership: Former CIA CISO Robert Bigman [Part 1/2]

This is the first interview in our new series, Stories from the Front Lines of Security Leadership. We'll present insights from CISOs, security leaders and IT executives on topics including what's required to succeed as a security executive, how to convey the importance of security to an organization and how security leaders can advance their careers.

A strong technical background is only part of what makes a CISO successful. Understanding what’s driving a business and building personal relationships with co-workers is just as essential. That advice comes from Robert Bigman, who retired from the CIA in 2012 after a 30-year career, including serving as the agency’s CISO for the last 15 years. In part one of this two-part interview, Bigman, who is now an independent cyber-security consultant, also discusses why listening is critical for CISOs and why security needs to be considered from a project's inception.

How can CISOs help their companies balance innovation with security?

The answer is - and you hear this a lot but it’s important and whether it’s operations or administration it’s all true - it’s critical that the CISO and the security team get their issues addressed as early as possible.

At the CIA, if you had an idea for a project or operation, security had to evaluate it from the start. Before you propose it or ask for a budget or get approval for the actual idea, top-line managers have been trained that the very first thing they ask is ‘Have you talked to cyber security?’

So the culture we grew there - and it can be done elsewhere - is that when you are thinking about doing something - going to the cloud, BYOD, whatever it is - you get security involved at the earliest possible point. The sooner, the better. That way security can help the organization be even more flexible and adaptable, especially if you are trying to do something innovative. If you come to security after the vendor contract has been signed and the people are writing code, for example, well, you’ve really limited our cyber-security options. Sometimes, cyber security looks like we are limiting innovation but we are really working with what we’re given at the time we are contacted.

Ninety-eight percent of new projects got approved at the CIA. That’s because when you came to us early we had an opportunity to talk about what you’re going to do and figure out the feasibility of it and the best place for cyber security to fit in. Just a very small percentage of projects were cases when we couldn’t come up with a way to make [security] work or the risk was too high.

How do you explain technical topics to people who may not have a technical background?

I suggest you don’t try. Here’s what I mean by that. This is true in the private sector as well as the [CIA]. For someone who doesn’t really understand IT well, doesn’t understand computers and how they work, trying to explain the concept of memory insertion of malware or DLL type confusion, there are some things that you can’t reduce to explainable terms that make sense and still have value. It may make sense but it may not have value. Or it may have value but it may not make sense. It’s really hard to get some of these concepts across.

What I try to teach these CISOs is that you have to make sure your IT people, who you are making the deals with, understand what you are doing. With the business people you have to develop a relationship so that they trust you. You’re not going to learn every aspect of their business. But you need to trust them and trust that what they need to do is a priority and you can work with them. And this works in reverse. The business needs to trust the CISO and the cyber-security organization that they’re going to come up with solid recommendations. You really don’t have to know every function of your car before you drive it, right? That’s also kind of true in cyber security. I spent a lot of time trying to explain technical concepts and it occurred to me that this wasn’t working well, either for me or them. And it was usually me not being able to explain the concepts well. But in what other industry do you actually have the person stand there and describe to everyone else in the company the most obscure aspects of everything they do? Why do you make the cyber-security people do it?

At some point it becomes an organization trusting the CISO to do the right things. Do you really want an explanation about a firewall that has these types of capabilities, that does these things, that uses this type of software, that runs in this way? You’ve got to say, “Okay. I trust you. That’s your job.”

How can CISOs build that trust?

It’s about developing one-on-one relationships. Not just at the senior level but the IT manager and even at the worker level as well. It’s making it clear that we’re not the enemy. It’s very hard to do this in private enterprises but the ones who do it well - and I’ve seen people do it - are very successful.

Do you advise CISOs to use business terms instead of technospeak when talking to nontechnical audiences?

Technospeak clearly doesn’t work. That’s just going to go over their heads. I think what you have to do is put this all in a context they understand from a risk perspective. If you don’t do these things or we don’t do these things the right way, here’s what could happen. If we have malware in our network that exfiltrates data off our network and we’re having trouble getting the malware off, you need to be concerned because here’s what could happen to our business. It could turn into a Yahoo. They all get that. They now understand what Yahoo means. They understand what Target means. But you have to be careful that you’re not becoming an alarmist.

Again it comes down to a matter of trust. If the CISO has built the trust with the organization - in this case the board - they don’t need to know the details. They just need to know what the risk is, the impact of the risk and trust the CISO to make the right recommendations.

How can CISOs develop relationships with other departments?

Yes, knowing what the business is. I’ve seen some CISOs who are very personable and very good at cyber security walk into a business unit to talk to them and do not know what they do, how well they do it or what their priorities and worries are.

A true partnership is more than just a willingness to work together. It’s an interest in what a person does individually, what the business unit does and how you can contribute to that. And again the ones who walk in there with knowledge and understand what the business unit does and can spend time learning, they’re very successful.

I know one CISO, the very first thing he did when he got to the company was go to the business unit CIOs and just listen. He said ‘I’m here to listen to you. Tell me what you do, tell me how security can help you and tell me where we haven’t in the past.’ He’s the most successful CISO I know. And I know a lot of them.

So the CISO has to know technology and be a good listener?

Yes, a lot of CISOs tend to be good cyber-security practitioners but the ones who do well are the ones who are business people as well. They understand where the business is going, what’s driving it. You don’t see a lot of that.

Why don’t CISOs better understand what their company does?

They seem to have a simple understanding of “we make this or we do that.” But getting down into understanding which products are having which issues, for example, and which ones are successful; a lot of CISOs don’t have that understanding. And it isn’t necessarily a problem with the CISO. A lot of companies aren’t yet open enough to the idea of making a CISO a true partner.

If you ask CISOs what their organization does, you’d be shocked that after about two minutes they don’t have much to tell you. They say, “We buy this, we sell that, we make this, we make that.” But if you ask them what the big issues or pain points in their organization are, they simply don’t know.

Are there any areas of security that CISOs are wasting their time on by focusing on them?

User training. The idea that you can train users to stop malware is just complete idiocy. I wouldn’t spend a whole lot of time doing that. I wouldn’t spend a whole lot of time on cyber intel. I’m not a big fan of cyber intel. Intel is always telling me about what happened to someone else’s network and never about what happened on yours. The best source of cyber intel comes from inside your own network.

I also wouldn’t spend a lot of time on insider misuse. It’s not a cyber problem and there are not good tools to help. Your company simply hired the wrong person. The reason why it has now become a cyber-security issue is because the HR people couldn’t solve it so they passed it along to the CISO to solve. You can’t blame the CISO for hiring or not paying attention to the emotional status of an employee. The CISO and the cyber program should focus first on the fact that there are really bad dudes out there who are trying to penetrate your network.

Anything else to add on how CISOs can succeed?

I just want to emphasize that if you want to do really well, truly become business partners and work to understand what the business is doing and really make a concerted effort to become invested in the company’s success.

I don’t think many CISOs did that before. I think for a long time people viewed security people, including the CISO, as IT professionals and not security professionals. Security professionals tend to be much more aware of what the business is doing. They have to be. With IT professionals, you can get almost anyone that knows Cisco networking to make a Cisco network work in any corporation. You don’t need to know what the company does to do that. This is unlike cyber, where you really need to know how the company operates to be successful.

Check back next week for part two. Do you know a security executive who has great insights and would like to talk with us for this series? Email us at ciso.series@cybereason.com.

About the Author

Fred O'Connor

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.