The CISO role encompasses much more than setting up firewalls and patching systems. While security leaders still need strong technical acumen, these skills alone won’t be enough to succeed as an executive. CISOs and CSOs (or anyone who leads a security department) need to be aligned with the business and understand how eight events at an organization can shape a CISO’s career
That advice comes from Cybereason CSO Sam Curry, whose career includes four stints as a security leader. Those events, according to Curry, include obvious ones like data breaches and mergers and acquisitions, as well as tech replacements and large technology projects, which present CISOs with an opportunity to show that they’re business savvy and not only technologists. While each event is different, security leaders need to be viewed as the risk expert during each one.
“We want to be seen as the risk storytellers within a company. It’s very important to start having a dialogue about risk and risk reduction, not in terms of absolutes, but in terms of what are mitigating controls, and how do you invest your resources? That’s the challenge for a CISO,” Curry said.
We asked Curry for his take on how security leaders should best respond to these eight events, which all have the potential to either make or end a CISO’s career. We’ll cover two of those events (management change and a breach) in this blog and get to the remainder (audit, merger or acquisition, maturity shift, large-scale project, tech replacement and management briefing) in the coming weeks.
Can’t wait that long? Then listen to this webinar Curry lead on the eight moments that can make or break a CISO’s career.
Management change
Maybe you’re a new CISO. Or an interim CISO. Or maybe there’s a new CEO. No matter what type of management change has occurred, security leaders should seek the same outcome: establishing a either a manager or employee relationship where the two intuitively understand each other.
“You actually don’t require as much communication, because you’ve learned about each other,” Curry said.
For security leaders who either lost a manager or employee with whom they had this type of relationship, they’ll likely be tempted to quickly build this relationship with the next person who takes the position. That tactic won’t work, Curry said, and can backfire. Instead of reaching a level of deep understanding, security leaders who try to establish a relationship too fast often find themselves repeating information, frustrating them and making them think that “there’s something wrong with us.” The issue, though, is that cultivating new relationships takes time and requires a micromanagement phase when the fundamentals are established, he said. Ultimately, CISOs are going to have to socialize with their new employee or manager, a prospect that can prove challenging for some security leaders.
“Getting to know someone is something we, as an industry, are poor at it. Sometimes it feels like schmoozing and a little artful, but this is important. You have to like working together, at which point trust flows,” Curry said.
Working together means connecting with non-technical colleagues, a point that people new to the CISO ranks should remember. The CISO shouldn’t only be talking to the CIO, Curry said. Conversations need to happening with other departments, including discussions on those departments’ business goals and how security can help achieve them.
“ You have to know that you’re trying to achieve the same thing and need clarity about what you’re trying to do,” Curry said. CISOs who focus on the information security department’s interests instead of what helps a department achieve its business goals risk losing trust of their colleagues.
Breach
Inevitably, all security executives will have to deal with an information breach when data is stolen, Curry said, adding that a breach can impact a company’s stock value and the CISO’s career. The goal of any security leader following a breach should be to diffuse the incident with as little damage as possible to the business and its credibility, he said. And like an army preparing for a possible war, security teams can practice for the possible breach.
“The winning strategy is fairly simple: prepare in peacetime, rehearse, and train and train and train,” Curry said.
The breached organization needs to show the public that its making the right decisions around figuring out what happened and what actions to take, Curry said. This means security leaders need to make decisions without having all the facts since the public doesn’t realize that incident investigations take a significant amount of time and the “facts are not written on a screen.”
But the definition of right may vary in an enterprise, Curry noted. The CEO, the CISO and the board could all hold different views on what action is right following a breach. The CISO should be the person who aligns everyone.
“In meetings about the breach, make sure you say what your values and foundations are. The company must do the right thing, and [CISOs] have to be seen as driving or supporting it,” Curry said.
And while a breach may seem like the CISO’s time to lead, some security leaders could be surprised to learn that they may play a supporting role as the incident unfolds. The CISO may oversee the investigation of the incident and incident response, but the legal counsel, board members, CEO or COO may handle briefing regulators and the public, working with law enforcement and getting the business back to normal.
“Any number of executives may actually take the helm, and [the CISO] takes the supporting role. Be prepared for it,” Curry said.
For CISOs new to role (and perhaps handling a breach for the first time as the head of information security), Curry warned them to not expect any sympathy from the public. The actions CISOs take following a breach will make them seem like either a hero or a villain. But CISOs shouldn’t expect to be viewed as a victim.
“Nobody in the public has ever said, ‘Oh, poor fill-in-the-brand company was hacked.’ They’re always saying, ‘Well, did you do the right thing?’ If you didn’t do the right thing, the assumption is you did the wrong thing. Public perception is very black and white. It’s unlike reality, where it’s hard to find the facts sometimes,” Curry said.