Posted on behalf of Gary Hayslip, CISO, Softbank Investment Advisor
I have been writing and speaking about the role of the Chief Information Security Officer (CISO) for the last several years, and as I have continually acknowledged, the job is not for the faint of heart. The role can at times be brutal and stress-filled, taking a toll on its incumbents and resulting in medical issues, career burnout, and a continuous shortage of senior security executives. This role, I feel, continues to mature; besides the technical requirements of the job, it also requires CISOs to work with corporate stakeholders such as the Legal, Risk, and Compliance teams, interpreting the applicability of numerous federal and state laws, regulations, and compliance regimes. It is with these daunting requirements in mind that I write this article and discuss with you, the reader, a methodology I developed over the years through trial and error, one that I believe can help new security leaders.
As we begin, I want to introduce myself. I have been in the Information Technology and Cybersecurity fields for over 25 years and have been a CISO for the last fifteen years. It is this experience that helped me develop my five-step approach to improve my organization’s Cybersecurity strategy and protect its enterprise networks and critical business assets. This process can be used by security professionals taking their first role who need to assess the current health of their security program or by more seasoned professionals who wish to enhance and upgrade a security program they are currently managing. As mentioned, this methodology has five steps, and they are as follows: Meet & Greet, Inventory, Assessment, Planning, and finally Communicating.
Meet & Greet - “Let’s Take a Walk About”: I usually begin this first step by having several in-depth security team meetings and then continue with walking about the organization to meet critical business stakeholders and executive leadership team members. When meeting with the team for the first time, I recommend using this as an opportunity to verbalize the security strategy that you as the CISO want to implement, and through the resulting dialogue with team members, assess their current skillsets and experience. This assessment and further one-to-one meetings with team members will help you understand whether the team currently possesses the skills and expertise to implement your strategy and future projects. If your team lacks experience, you may have to contract a third-party vendor to provide the professional services you require or train team personnel to improve their technical capabilities. Next, in meeting with crucial stakeholder personnel, I recommend that you be quiet, listen to them talk, and be open to their issues. Keep in mind that as the CISO, they are your customers. You provide them a service, and you need to be mindful that they may have had problems with past CISOs or with how your team has performed. These meetings with stakeholders are your chance to hear of any current issues and also to learn from them what technology, services, data, personnel, etc. are critical for their operations. Use these meetings to establish a relationship and begin to build trust in your team and security program. Finally, in meeting with executive leadership, again I would be quiet and let them talk. In these discussions with executive leadership you need to visualize how you fit into the overall business culture, how you are going to support current operations, and whether you can help manage any key business concerns.
Try to bring across to them that cybersecurity is a business enabler; it provides a secure foundation for them to innovate and develop new services for the organization. As you finish your walkabout, make sure to spend time with your boss. Whether it’s the CIO or another executive, you want to have a good working relationship with them so that you understand the scope of your responsibilities and the limitations on your department or budget. It is tough to lead a security team and manage an enterprise cybersecurity program if there is any ambiguity about the CISO’s role or responsibilities. So now, as we finish the first step, the business knows who you are and your vision for the security program. Now it’s time, in the next step, to educate yourself on the internal components of the business, its technology stack, and your new security portfolio.
Inventory: This step is all about visibility into people, reports, metrics, budgets, work processes, and policies. Here, as the CISO, you will take a more in-depth look at your team and assess their skillsets and experiences; you will look at contractors that fall under your purview and the services they provide (review contracts & SLA metrics). Here you will also look at your current budget and previous security budgets; I have used this exercise for trend analysis. If I see increases in costs but little to no increase in new services, that’s a red flag, and I need to review those anomalies. If you want to understand how the business views your security program, it’s all in this budget analysis, where you will gain some perspective into whether cybersecurity is leveraged to grow the business or seen as a cost center with little value. When you are reviewing your program’s budget, I would recommend you also look at your department’s and your overall business budgets if available. This information provides you, as the senior security leader of the company, a more well-rounded viewpoint into the financial health of your organization, and it will aid you in your plans for the security program and future projects. One of the last things you will do in this step is also one of the most time-consuming. You will need to assess the current network and security architectures, work processes, and standing policies. This part of the process is where you will determine the “Cyber Hygiene” baseline of your organization. Don’t be surprised; you will find policies and procedures that will need to be improved upon and possible architectural changes that may need to be implemented to reduce new risk exposures to the business. You will need to collect and verify that you have updated network documentation such as network maps, subnet and VLAN lists, and asset management documentation.
These documents will provide you visibility into how your network and security suite is configured or identify areas for improvement. I have found from my own experience that many times companies believe one thing about their networks or applications. However, when the data is collected and delved into, the reality can be quite different, such as unknown network architectures, data processed by unauthorized personnel, or critical work processes that have never been adequately documented. By the time you reach the end of this step, it’s highly recommended that you take a break and review your notes on what has been found, and then proceed to review any predecessor’s records, emails, and documents. The reason I suggest that you wait until the end of this step to review a predecessor’s information is that waiting allows you to approach their data with a more informed perspective as you compare their notes with your findings.
Assessment: In the previous step, as the CISO for your organization, you received visibility into the company’s technology and security portfolios as you conducted an inventory, but now it’s time to get dirty. As the senior security professional for your organization, it is critical that you get a better understanding of how the network and cybersecurity stacks are constructed, how data flows throughout this architecture, and how employees use corporate data. It’s in this step that the CISO must assess the health of the cybersecurity suite, looking at installed technologies such as firewalls, AV solutions, IDS/IPS sensors, etc., and security procedures such as patch management and incident response, to name a few. The newly upgraded network diagrams and documentation will be used in this step to help build a roadmap for follow-on assessment projects. In this stage, the CISO and security team will assess the effectiveness of the present cybersecurity program and annotate areas for improvement. From experience, I tend to use the NIST and ISO frameworks as templates for the security controls that will be assessed and verify their applicability to my existing network and security architecture. It is in this step that CISOs will want to break out previous third-party assessments, vulnerability assessments, and penetration tests. The CISO and security team will want to review each report’s findings and recommendations for remediation and verify whether the recommendations were ever implemented. This stage is the most technical of the five; it is not uncommon for the CISO to request third-party vendor assistance to conduct these assessments and provide an executive report listing areas for improvement. By the end of the assessment step, you, as the CISO, should now have a list of security gaps; these will become future projects that should be prioritized based on their risk exposure or business impact to the company.
The process of prioritizing this list and turning it into a strategic plan is discussed next.
Planning: This step can run in parallel with “Assessment”; I have found it to be a continuous process. “Planning” is where the CISO and security team begin to build their program’s strategic plan, or what others may call its roadmap. This plan can be brand new, or it can be an enhancement to a current plan, drafted to lay out the CISO’s vision for upgrading the organization’s cybersecurity strategy based on the latest assessment findings. This stage is where the CISO, security team, and business stakeholders come together and collaborate, analyzing the issues identified during the previous assessment phase. They, as a committee, will look at the security program as a whole and any currently identified challenges such as a lack of executive support, incomplete inventories (e.g. organizational blind spots related to hardware, software, and systems), audit gaps, or incorrect security processes. By the end of this process, they will have created quite the list of prioritized issues that will need to be addressed. The CISO will review the prioritization, ensuring the problems are correctly ranked based on their impact on business operations, the increased risk exposure to the business, or requirements imposed by regulations/compliance regimes. Once this review is completed, you as the CISO will want to identify low-hanging fruit, i.e., which security gaps or issues from the prioritized list can be addressed quickly. Why this matters here is that as a new CISO, you want some wins under your belt to build trust in your security program as you move forward in developing your long-term strategy. This strategy will be based on taking the prioritized list of issues and weighing them against the current resources your security program has to remediate them. As you can imagine, you will not have enough funds or people to do everything, so it will be incumbent on you as the CISO to break the list up over a specific timeline (1-3 years) and use it as a roadmap for improvement.
I have, in the past, taken this roadmap and used it to create my security budget based on remediation projects. I have found that linking the strategic plan (roadmap) and security budget to how they will provide new services for stakeholders, reduce operational, legal, and regulatory risks, or meet regulatory certification requirements gives the business an understanding of my security program’s value. It is this value that I believe you as the CISO can drive home in the final step, “Communicating”: that the cybersecurity program and team are core components of the business culture and, when properly supported, enable the company to grow and meet its strategic goals.
Communicating: So now we come to the final step: we have collected all of our notes and findings and have developed our new budget and strategic vision for upgrading the organization’s cybersecurity program. This strategy, with its prioritized list of security issues, will now need to be socialized because, as the CISO, you will need support for implementing the changes that many of your initiatives will require the business to make. Change is not accepted easily by most employees, so this support is crucial. As the CISO, I would start by first communicating the assessment findings – “Where we are presently” from an overall cyber perspective – and then add your vision, “Where we want to go.” Explain how the identified gaps and issues are the difference between these two pictures; it is these gaps that we need to socialize to the business so that our employees understand the business value in correcting them. Expect in this final phase that you will do a lot of talking and attend a lot of events to let people know who you are. With that said, make sure to also listen to your customers – many times they will have good ideas to help your security team, and you will find that as your team’s mission and its value become visible, you will be accepted as part of the business culture.
In the end, all of these steps take time, and they are a continuous process. As the CISO, you will be sifting through and collecting large amounts of information in assessing the company’s cybersecurity program; it’s OK to ask for help. I have found it is good to remember you can’t do it all immediately; use your team, reach out to peers for advice, and develop those relationships with stakeholders; they are your customers. I have found being a CISO to be an awesome job; I thoroughly enjoy the challenges it brings, and I hope this roadmap I have shared with you will help as you take on new challenges - good luck!