Six Basics for a New CISO, and You Won’t Believe #5!

By Thom Langford, Founder of (TL)2 Security

So you want to be a CISO? Perhaps you want to be a better CISO? In most cases, you could pick up a book, attend a conference or even talk to some peers and colleagues. There will be some good advice in these approaches too, but of course, you don't want to be just any CISO, you want to be THE CISO.

Across two blog posts, we are going to look at some of the more unexpected but necessary activities that you can be doing from the moment you start in a new role or start with a new approach to being a CISO. Some may be counter-intuitive; some may be a little odd, and you may even disagree with a few. Whatever you feel about them, they should start you thinking about different ways to approach your role and how you see the contributions you make.

In summary, in this particular post, you will learn to:

  1. Stop thinking that infosec is your business.
  2. Stop making technology purchases.
  3. Ask your vendors to explain what you have in your services inventory.

Stop Thinking InfoSec is Your Business

As a CISO, your primary purpose is not to make the business secure; as odd as that may sound, it simply isn't. The objective of a company is to sell more stuff, increase profit and maximise shareholder value (there are exceptions such as charities, government and the like, but they still have goals that include maximising value nonetheless).

If that is the case, then your purpose is to help it achieve that goal through your activities. If you put your (security) activities ahead of those of the business, you are ergo hindering its ability to achieve its goals. Flip the situation around and ensure that when you come into the picture you are fully cognizant of what your organisation does, its goals, ambitions and vision, and look at how your security team can make that a reality. Simply slapping security measures onto the business with no regard for its purpose and intent is going to at best cause friction and disgruntlement, and at worst diminish its business operations.

Read the company report, talk to the CFO, talk to people on the shop floor, the road warriors, delivery leadership, and wherever possible executive leadership. Understand where the business came from, its roots, its beginnings, what the founding values and vision were, and even how it has evolved (if at all) over the years. By doing this, you will gain an understanding of how you and your security team really can help. Then, and only then, can you start to build your services and security posture.

Stop Your Technology Purchases

Unless the ink is drying on the cheques, you should pause any purchasing until you have a better idea of the business. This does make completing the first step all the more critical as some of the purchases may well be vital. However, purchasing something that does not align with your new way of thinking about the business makes no sense, and significant amounts of money can be wasted and misdirected.

You may find much pushback from various stakeholders in the business, mainly because their pet projects and mini-kingdoms rely on those purchases, and you are stymieing their efforts and potentially making them look bad. Your long-term security strategy, though, absolutely relies on strong business cases supporting sensible purchasing decisions that are going to actively support the company and its long-term goals. Anything else is simply a distraction and can be a drain on the company's scant resources.

Ask your vendors to explain what you have in your services inventory

Why would you ask your vendors what they have sold you? Surely you know that already? Probably not, actually, and it is down to human nature as to why.

Purchases and contracts entered into may have supported failed initiatives or may not have been appropriately implemented at all. This so-called "shelfware" is an issue in many companies, supported by research by 451 Research in 2014 (https://www.rsaconference.com/writable/presentations/file_upload/mash-t07a-security-shelfware-which-products-gathering-dust-and-why.pdf), with an evident rise in the problem when it comes to larger organisations. Asking your vendors for a catalogue of services is going to reap more accurate results, as they have a vested interest in maintaining correct records because they charge you for their services (whether you use them or not). Any vendor that is worth dealing with will happily sit down with you and talk you through what they have sold you and what value it brings. If they don't, alarm bells should be ringing!

Armed with this information, you can now start to build a picture of the technology services in the company and ascertain what is shelfware, what is used effectively, and what isn't. At this point, and no earlier, should the old purchasing go live again, minus the services that provide little to no value to the company.

All of these basics are going to be challenging to do, be that because you will be pushing against the weight of expectation from other people in the company or because, frankly, it takes time and effort. That doesn't mean that they shouldn't be done, and in doing them, you will set yourself up for the next three basics that we will cover in the next blog. If you can't wait until then, here is a little teaser:

  1. Don't say no to everything
  2. Stop testing your perimeter
  3. Building your plan

Are you sufficiently intrigued?