The biggest problem in information security isn’t finding attackers, it isn’t patching systems and it isn’t even stopping phishing attacks.
While these are all very real, they are the bread and butter of what we do. The real top issue in security is lack of alignment with the business. There are many causes for this, which we’ll look into; but the answer is quite straightforward. The key to aligning to the business is a frequent risk dialog with the business. That doesn’t mean reporting on the number of viruses stopped in a month or tracking the right KPIs, which you should do, but rather it’s about a two-way dialog that really leads to changes in behaviours on both sides, starting with security.
Most security professionals rose through the ranks to the executive level by being the smartest security person in the room. Lo and behold, when they reach the C-suite or even get close to it, they often find that no one cares. This first introduction is crucial because first impressions with CxOs are lasting. For the security person to really shine they will be staring into a headwind, as they have to prove themselves in a new and fundamentally different way and convince CxOs that they are about the business.
For many this is difficult, as the newly-minted CISO often suffers Security FOMO (Fear of Missing Out): they like security and want to stay current and fresh and continue to prove their security chops. This, however, is a mistake. The real job of the CISO is to serve the business and to perform a vital logistical and managerial function for the security discipline in the company. This means that the minutiae of people management, budgeting and aligning to company priorities are the most important things they can be doing, from soft skills in the C-suite offices to hard financial skills with the G&A staff. All of this depends on talking and thinking about risk at a company level and understanding that many of your co-workers are also custodians of risk, including those who manage legal, market, financial, operational and other IT risks: the general counsel, CMO, CRO, CFO, COO, CIO and so on. Don’t be the CISO that waltzes in and says “I am the enemy-fighting risk guru, and I’m here to help.”
On the flip side, most of the business deals with first-order risk outside security: risk that isn’t intelligently adaptive and doesn’t fight back. The weather is a good example of first-order risk: how you take shelter from the storm doesn’t affect the path of the storm. However, like those in sales dealing with competitors and those in legal fighting other lawyers, security is a department that handles second-order risk with an intelligent, motivated and capable opponent. In security, the storm definitely changes course based on what and how you protect the company. Many non-security executives feel a deep-seated frustration that the security problem hasn’t yet been solved or that there isn’t a simple solution to plug in and forget about.
The plain and simple truth is that there will always be a top issue in security. If by some chance you solve the top three issues, there will be the next three issues, and the priority order will change and shift. For a COO or a CIO or head of R&D who is used to a simple risk registry and then managing those risks down to acceptable levels with an arsenal of managerial tools and budgets, this can be deeply frustrating. The mindset of pursuing the five-nines of availability, for instance, becomes completely frustrated with a department that has an active and malicious ghost in the machine as enemy number one instead of quality in the supply chain or process waste removal.
The answer to all of this is setting expectations. The newly minted CISO or the long-in-the-tooth CISO both need to set the expectation of a changing landscape of risk and an ongoing dialog with the business. KPIs are important, removing waste is important, automation is important; but they are secondary to being adaptive and flexible and focusing on how you improve in the moment. All of this demands that the CISO in fact not leap on all security items as they appear, which ostracises peers; and it demands that the CISO pay close attention to non-security issues and risks. The CISO must both encourage involvement and contribution by others in security and weigh in as a business person first on non-security items. In the end, the CISO must be an insider to the business in addition to the de facto role as the voice of and advocate of information security risk among all the other business risks at the C-level. Done right, the company can get the most insidious risks to acceptable levels and become a best-of-breed company focusing on the core business. Done wrong, the company will get blindsided and the CISO will fail in their primary mission of aligning the security department with their core business.
Author: Sam Curry, Chief Security Officer, Cybereason