In the past week, our companies have had to both remove a security team, including the CISO, and “attempt” to re-educate an entire IT department on why security is important. This wouldn’t be extraordinary apart from the fact that both organizations numbered their staff in the thousands and their revenue in the billions.
In one case, the security team held the company hostage. They had all the cards, they held all the ingress/egress controls for information flow and basically ruled by dictatorship, which obviously failed. In the other case, the CIO decided that patching slowed things down too much and that segmentation made their jobs harder.
Know the Landscape
Both organizations had incumbent teams that quite simply did not fit into the modern way of thinking when it comes to both IT and InfoSec. Both teams had quite simply failed to take their 80s or 90s mentality and apply it to today’s realities, which are arguably as follows:
- There’s too much FUD out there and sorting through it is becoming its own full-time job. As a security industry, we are shooting ourselves in the feet with both barrels and making it almost impossible for companies to work out what or whom to listen to.
- We, the InfoSec industry, still don’t fully realize or understand how to talk with the business about risk in the greater context of the organization. We have a hard time being able to level-set the risks we see with the rest of the enterprise’s risks (financial, physical, market, etc.). We still consider ourselves to be the special snowflakes that take priority over all others -- and that attitude must change.
- We, the IT folks don’t own the data. It’s not ours. It’s not ours to determine who gets access or who sees the data. Ours not to reason why ours but to do and die. A little dramatic but the point has to be made that our role is to ensure that the data is processed and managed correctly and securely. And once it’s reached the end of its life it’s destroyed in a safe and secure manner. The IT staff is integral to the whole information privacy process, but we don’t own the darn stuff.
- We don’t have a perimeter anymore. We really don’t, and we need to accept the fact that the days of the firewall, IDS/IPS, DLP and other static, reactive systems being our guardians are over. We have to come to terms with the fact that a lot of what’s being sold to us is about as much good as snake oil and that returning to a simpler time of security basics is the future. Ironic that to go forward we have to go backward and learn from the past; something at which humans don’t excel.
- It’s human nature to rather buy a new blinky light from a vendor than spend time and money training our user population. That very same population that arguably is responsible for the data -- for knowing who should and does have access to it. Those very board members and leadership folks whom we support and ultimately have to talk with a language they understand about IT and InfoSec -- especially when it comes to understanding how they fit into the GDPR model.
With all of the above and about 101 other points that could be made concerning the state of security and its inability to protect data, users, and organizations, we have to have the conversation about how these issues can be resolved. We need to figure out who can actually help us resolve problems and who is simply selling snake oil dressed up as, “We can fix your GDPR woes.”
What Type Of CISO Fits Your Needs?
That brings us to the point where we need to discuss what sort of CISO is needed for your organization.
The Tactical CISO: This is the CISO who comes in, looks around, rolls up their sleeves and pitches in to ensure the organization gets where they need to be, when they need to be there and arrives in a manner that delivers the necessary GDPR compliance roadmap and levels of maturity that is going to be necessary to survive in a regulated, audited European-centric world. This CISO isn’t likely to golf with the CEO or the board of directors, this CISO is more likely to be climbing the mountains, shooting the targets or hacking for charity on the weekend. This CISO is likely to ruffle feathers and likely want to taser or fire a number of folks and that’s good a thing. This is the CISO you need to effect change and get stuff done in a timely and organized manner. This is your problem-solver CISO. This is the CISO you bring in to get you on track no matter what.
The strategic CISO: This is the talker, the schmoozer and the golfing CISO. This is the CISO you can put in front of the board to talk about long-term strategies, tactics and roadmaps and can also bring them back a second time without fear of reprisal. This is the CISO who’s more likely to spend time inside the organization building bridges with the business units, the various arms of the enterprise, along with all the suppliers and third parties. This is the CISO you want to bring home to introduce to your parents. This is the CISO who talks about initiatives and fostering change. This CISO is the one that nurtures the relationships with legal, compliance, HR, and other areas of the organization to present a cohesive “face” to risk across the business. This is the CISO who’s going to keep you on track as long as you listen to them.
Now, there are some publications that break the CISO role down to three or four different flavors, and there’s one out there that describes seven different CISOs. I respect that, but I also respectfully disagree with them. We are not complicated enough to have more than two options; one tactical and one strategic.
The CISO role is one of coordination, collaboration and simply ensuring that from a technical and security standpoint the organization knows what data it has, where it is, who has access and what happens to it when folks don’t need it anymore. The CISO is also there to ensure all your third-parties, supply chain and trusted parties maintain data integrity, etc. That’s the role of the CISO inside your organization.
Now you need to take a long and hard introspective look at where you think your organization is and work out which of the CISOs best fits your needs. I’m going to argue, from an industry point-of-view that most of you need a tactical CISO for a couple of years and can then transition to a more strategic CISO when the dust settles, but be mindful that you, the company, your board, your leadership and all the folks working with and for you have actually listened to that CISO.
I hope this helps clear up a couple of questions about the need/use/justification for a CISO and then ultimately what the heck you would do with one when you get them. After all, we’re expensive, we take care and feeding, and we typically demand attention, time and money to help you become more effective, efficient, safe and secure.
Good luck with your journey. Adopt responsibly and treat your CISO with care. There are not enough of them to go around.
About the Author:
Chris Roberts is the Chief Security Architect at Acalvio. At Acalvio, Roberts helps drive technology innovation and product leadership. In addition, Roberts directs a portfolio of services within Acalvio designed to improve the physical and digital security posture of both enterprise, industrial and government clients.
