The CISO role encompasses much more than setting up firewalls and patching systems. While security leaders still need strong technical acumen, these skills alone won’t be enough to succeed as an executive. CISOs and CSOs (or anyone who leads a security department) need to be aligned with the business and understand how particular events at an organization can shape a CISO’s career.
That advice comes from Cybereason CSO Sam Curry, whose career includes four stints as a security leader. Those events, according to Curry, include obvious ones like data breaches and mergers and acquisitions, as well as tech replacements and large technology projects, which present CISOs with an opportunity to show that they’re business savvy and not only technologists. While each event is different, security leaders need to be viewed as the risk expert during each one.
“We want to be seen as the risk storytellers within a company. It’s very important to start having a dialogue about risk and risk reduction, not in terms of absolutes, but in terms of what are mitigating controls, and how do you invest your resources? That’s the challenge for a CISO,” Curry said.
We asked Curry for his take on how security leaders should best respond to these eight events, which all have the potential to either help or end a CISO’s career. In this blog, we’ll cover mergers and acquisitions and audits and penetration testing. We covered management change and a breach in an earlier blog and will get to the remainder (maturity shift, large-scale project, tech replacement and management briefing) in the coming weeks.
Can’t wait that long? Then listen to this webinar Curry led on the eight moments that can make or break a CISO’s career.
Mergers and acquisitions
Navigating potentially career-ending situations that accompany the joining of two organizations requires considering the security implications before the merger or acquisition, said Curry, who’s been involved with 14 acquisitions in his career. Curry suggested that CISOs talk to the people who are leading the effort, especially legal and finance personnel, to get a timeline on when the merger will be complete. This window provides the security team with time to think about the risks associated with the merger and how to address them.
“Your career is at stake, but this is an opportunity to advance it as well,” he said.
To use a merger or acquisition as an opportunity to help them professionally, security leaders need to consider security risks that could impact the merger and communicate their plans to address those issues to the board of directors and executives at the companies that are joining.
During the last acquisition Curry was involved with, he met with his security counterpart at the other organization to develop 30-day, 90-day, half-year and year plans for reducing risks associated with the merger. Those risks, he said, include technical ones that accompany having visibility into only one of the two networks that are being combined (“Whether you’re the CISO of the acquired entity or the acquiring entity, you’re effectively doubling your network size, and your visibility is not going to cover the other half.”); adversaries launching an attack during the merger process (“They’re aware that there are seams between the companies and take advantage of that window.”); and fiscal repercussions, like lost revenue, diminished stock value or a smaller deal (“Security can impact finance, your business partners, shareholders and the bottom line, which you never want, especially during a merger.”).
In the 30 days before the merger was complete, Curry and his counterpart developed a risk registry and identified the top 20 risks they wanted to address during that time. That list was then narrowed down to five. To select those five they looked at other factors besides how great the risk was to the merger.
“We rated them on the basis of our ability to execute and reduce risk, not just risk,” Curry said.
This plan was shared with the executives and the boards of the companies that were merging, building security’s credibility with the business. At the end of the 30-day plan, Curry and his counterpart developed a 90-day plan that addressed the next five security concerns on the risk registry. “The 90-day plan became easier to execute since we had feedback from the business and the board,” Curry said. Ultimately, having a detailed plan that covered risks before and after the merger showed that security understood the importance of helping the business complete its objective of having a successful merger.
“Grab the new risk voice in IT slot as fast as you can and be a bridge builder with the business. Try the ‘Yes, and’ instead of the ‘No, but’ approach with the new business stakeholders as well as the old ones,” he said.
Audits and penetration testing
Maybe your organization held an annual risk exercise or conducted a penetration test. Or perhaps there was an internal audit, or an external audit. Whatever exercise was conducted, the activity revealed security gaps that need to be addressed. While security gaps can make executives nervous and result in the CISO being subjected to scrutiny, audits and exercises that look for security gaps offer security leaders an opportunity to reduce risk and get ahead of a potential security incident.
For example, a penetration test may reveal that a critical system requires patching. While this revelation may lead to some uncomfortable conversations between the CISO and CEO, the outcome could have been worse if the pen test hadn’t revealed that some systems needed patching. Think about the potential fallout if an unpatched system led to a breach, data exfiltration or a WannaCry malware attack, which happened to Boeing in March. There could be a loss of customers and revenue, fines or a public relations nightmare.
“Think about the PR in the context of if you didn’t patch your systems, and you have a finding of that, and you don’t take an action on it, how bad does it look if you actually have a breach that’s related in some way?” Curry said.
Getting defensive over the security gaps revealed in either an audit or other exercise won’t help the situation, Curry said. A more beneficial approach would be to resolve the issues in a way that helps the enterprise, a move that would help the CISO shed the image of a technologist who doesn’t understand business.
“Check your OCD or inner control freak at the door. Sometimes you don’t have to stand up and be the defense lawyer. Sometimes your job is to get through these things and improve security and business operations,” he said.