By Thom Langford, Founder of (TL)2 Security
In the last post, we looked at some of the less apparent activities upon becoming a new CISO, namely:
- Stop thinking that infosec is your business.
- Stop making technology purchases.
- Ask your vendors to explain what you have in your services inventory.
In this post, we will take this a step further and closer toward actual “business as usual” and maintaining your security team as a functional part of the organisation.
Don't say "NO!" to everything.
We think this is an obvious thing to do, but it is much harder to do in practice. The reality is that this requires a complete change in mindset from the traditional view of the everyday CISO. As a species, the CISO is a defensive creature, one who is often required to back up every decision, be the scapegoat of every mistake (see One CISO, Three Envelopes) and generally rubber-stamp choices that are out of their bailiwick and control.
The mindset shift is one that requires a leap of faith wholly because of this perceived threat of blame and accountability when, in fact, it does just the reverse. It starts naturally enough with the language that is used by the CISO and the team, for instance, changing the Change Approval meeting to the Risk Review meeting, and not communicating a yes/no or go/no-go response to changes but rather a level of risk associated with the request and alternative approaches as appropriate.
There is a need to communicate this shift in the culture, of course, but people will come to see that they are accountable for decisions that affect the business and not the security team. Shifting the mindset away from being a gatekeeper to a security team that provides sensible and clear advice based upon clearly understood risk criteria is a fundamental step towards the avoidance of being known as the Business Prevention Unit.
Politely correct others' language when they mention that an action requires sign-off or approval from "Security", and help them understand their role in the business decision that it entails.
This is not an approach that requires a snap of the fingers for 50% of the problems to go away, but with careful planning and education of your stakeholders, it alters the impact you can have on the business dramatically for the better. It also allows you to more easily draw a line between the activities of the security team and the performance of the company, all for the price of merely no longer saying "no".
Stop Testing Your Perimeter
What? Are you serious?!
As you come into a new environment, you will be taking a large number of critical pieces of information on trust, and from people with vested interests in their careers, livelihoods and reputations. Your arrival upsets the status quo and has the potential to disrupt the equilibrium; all reasons to not always be forthcoming with every piece of information you request. It isn't about people being dishonest or deliberately misleading you, but instead merely being complex, multi-faceted, human beings with multiple drivers and influences.
Your perimeter is one of the fundamental pieces of your information security puzzle. Despite cries of "the perimeter is dead", it remains an apparent place for attacks to happen, and where you should feel fully confident that you know every node in that environment to the best of your ability.
Whatever your testing cycle is, suspend it for some time and carry out as full an investigation as possible into precisely what your perimeter comprises. It can be done automatically with discovery tools, manually through interviews with those responsible, visually in data centres (where you have old school "tin" still being used), and through any combination of the above.
You will likely find devices that you, and probably existing team members, weren't aware of, especially with the proliferation of Internet of Things devices now being used throughout the enterprise. Did facilities install a new access control system or room booking system? Did they consult IT, or more to the point, you? It sounds like the stuff legends are made of, or the script to the Ocean's 11 movies, but do you remember when a Las Vegas casino was broken into through their fish tank?
Knowing what devices are where on your network and perimeter is vital and must be considered table stakes in any decent security programme. Anything less is a form of security theatre: it gives the impression of security while doing nothing but creating a false sense of it. Skipping one testing cycle is a price worth paying to find out what you don't know, because then you can do something about it.
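The reconciliation step described above, comparing what the asset register says is on the perimeter against what a discovery pass actually finds, is illustrated below as an added example; it is not code from the original post or from (TL)2 Security. Both the inventory and the discovery output are constructed sample data, and the address ranges, hostnames and owners are hypothetical. The inventory may declare individual hosts or whole CIDR ranges, so a discovered device is classed as matched (individually inventoried), in-range-only (inside a declared block but never listed on its own), unknown (nobody claims it) or, for inventoried hosts, missing (did not respond).

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed inventory: what the asset register claims sits on the perimeter.
# Entries may be single hosts or CIDR ranges owned by a team (hypothetical data).
KNOWN_ASSETS = [
    {"address": "203.0.113.10", "name": "edge-fw-1", "owner": "network-team"},
    {"address": "203.0.113.11", "name": "edge-fw-2", "owner": "network-team"},
    {"address": "203.0.113.20", "name": "www-lb", "owner": "web-ops"},
    {"address": "203.0.113.64/27", "name": "vpn-pool", "owner": "network-team"},
]

# Constructed discovery output, as a parsed scanner export might look:
# which addresses answered and what they exposed. The last entry stands in for
# a facilities device (a room-booking controller, say) that nobody told IT about.
DISCOVERED = [
    {"address": "203.0.113.10", "services": ["ssh", "https"]},
    {"address": "203.0.113.20", "services": ["https"]},
    {"address": "203.0.113.70", "services": ["ipsec"]},
    {"address": "203.0.113.42", "services": ["http", "telnet"]},
]


@dataclass
class Reconciliation:
    matched: list = field(default_factory=list)        # discovered and individually inventoried
    in_range_only: list = field(default_factory=list)  # inside a declared range, not listed on its own
    unknown: list = field(default_factory=list)        # discovered but absent from the inventory
    missing: list = field(default_factory=list)        # inventoried hosts that did not respond


def reconcile(known, discovered):
    """Classify every discovered address against the inventory, and flag
    inventoried single hosts that discovery never saw."""
    hosts = {}   # exact address -> inventory record
    ranges = []  # (ip_network, inventory record) for CIDR entries
    for asset in known:
        net = ipaddress.ip_network(asset["address"], strict=False)
        if net.num_addresses == 1:
            hosts[str(net.network_address)] = asset
        else:
            ranges.append((net, asset))

    result = Reconciliation()
    seen = set()
    for dev in discovered:
        addr = str(ipaddress.ip_address(dev["address"]))  # normalise the textual form
        seen.add(addr)
        if addr in hosts:
            record = hosts[addr]
            result.matched.append({**dev, "name": record["name"], "owner": record["owner"]})
            continue
        ip = ipaddress.ip_address(addr)
        owner_range = next((asset for net, asset in ranges if ip in net), None)
        if owner_range is not None:
            result.in_range_only.append(
                {**dev, "range": owner_range["name"], "owner": owner_range["owner"]}
            )
        else:
            result.unknown.append(dev)

    for addr, asset in hosts.items():
        if addr not in seen:
            result.missing.append(asset)
    return result


def report(result):
    """Return the findings as plain lines, unknown devices first, since those are
    the ones with no owner to ask."""
    lines = []
    for dev in result.unknown:
        lines.append(f"UNKNOWN   {dev['address']}  exposes {', '.join(dev['services'])}  owner: none recorded")
    for dev in result.in_range_only:
        lines.append(f"IN-RANGE  {dev['address']}  within {dev['range']}  owner: {dev['owner']}")
    for asset in result.missing:
        lines.append(f"MISSING   {asset['address']}  {asset['name']}  owner: {asset['owner']}")
    for dev in result.matched:
        lines.append(f"OK        {dev['address']}  {dev['name']}  owner: {dev['owner']}")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(KNOWN_ASSETS, DISCOVERED)):
        print(line)
```

The in-range-only bucket is deliberately separate from unknown: a device inside a declared VPN pool has an owner to ask, whereas a device nobody has registered is exactly the "fish tank" case the post warns about, and the missing bucket catches the opposite problem of inventory entries that no longer exist.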
Building your plan
Now you have a grip on your environment in a way that is relatively straightforward, simple, effective and also quick. Through this process, you will ascertain your stakeholders, advocates and even a few potential adversaries. Armed with this information, you can provide an accurate picture of the business to the business, and in a way that makes sense and displays a grasp of the fundamentals.
Building your plan will always start with your initial assessment, and what needs to be done to become operational, or steady-state. The trick, however, is to ensure that this baseline achievement is not perceived as the end state of security but rather as merely the first stepping stone to ever more impressive services, capabilities and ultimately profit and growth for the company.
The plan itself though? That is yours and yours alone, and although further posts in this series will help as you plot your course into the future, nothing will replace your understanding of the local culture, organisation and ultimately what you need to achieve to meet the expectations of the business leadership. Know what the rules of your organisation are, when to adhere to them, when to bend them, and most importantly when to break them (but only when experience tells you it is the right thing to do):
“The young man knows the rules, but the old man knows the exceptions.”
Oliver Wendell Holmes
Be the Old Man, be the CISO.