[Posted on behalf of Gary Hayslip CISO Softbank Investment advisor]
Recently, I addressed a group of security professionals, and our discussion was on how CISOs develop their strategy. I found many in the audience had no idea how security executives develop strategy, nor were they comfortable that strategic plans could be changed or quickly discarded.
As I sit in an airplane flying to London, I am thinking about my answers that evening. In speaking to the audience, I tried to explain that strategy in itself is not fixed and that CISOs use different approaches when needed. My answers that evening didn't answer everyone's questions, so I want to address this topic for our community.
Strategy, by definition, is a "plan, method, or series of maneuvers or stratagems for obtaining a specific goal or result." In general, it is a process on how to approach a given roadblock or issue, and through experience, one hopes to receive a specific outcome. I have written numerous articles on the acceleration of threats and risks that organizations face today and the ever-changing roles CISOs now operate in as their businesses' security and risk management executives. The disparity of threats, risks and changing roles is now raising challenges for CISOs, and I find those who are effective today are ones who embrace the idea that strategy is iterative and malleable, not fixed.
I view strategy, as it pertains to cybersecurity, through multiple lenses. It’s a matter of approach based on factors such as the maturity of the current security program, the business culture within the organization and the current threats/risks facing the business. Because these factors are different for each organization, I have developed multiple approaches that I have used over the years to create a strategy for my security program. Several strategic approaches I have used are as follows:
1. Assessment First
This is an approach where you have been tasked within your first 30 days to provide a “top five” plan. When operating under this approach, I start with the Center for Internet Security's CIS 20 to do a quick security control assessment. A rule of thumb I have used over the years, if my organization scores at least a 65% or better, then we are mature enough for an in-depth framework like ISO 27001 or NIST CSF. If we don’t score that high, then we have some foundational issues we need to focus on first. This approach is good in helping put together a quick strategic plan; however, I recommend as the CISO you include other business unit stakeholders in reviewing your assessment finding. Including peers helps you find champions for your security program. This strategic approach is focused on using industry standards to build a starting point.
2. Data Gatherer
I have operated in this approach several times when the company and its security controls and architecture are a sprawling collection of issues. This happens as an organization grows over time and the technology/security portfolio is not well-documented. As a CISO coming into this environment, it is better to let operations run for a while as you collect information on factors such as business operations, security stack technologies, current enterprise infrastructure, compliance/regulation requirements, etc.
Putting a strategy in play here is very hard at the beginning because of the fear of making changes in one area may impact another. So the strategic approach is about building a clear picture. It requires gathering information, developing the operational picture around the security program and then with the understanding of your role as CISO, you develop your strategic plan to help the business by using another approach.
This approach tends to be one where there typically is a mature security program in place, but due to the company’s business culture, most employees don’t understand the value of cybersecurity.
I have managed this challenge multiple times as a CISO and can state this is one of the harder challenges when the business is ambivalent to the need for cybersecurity. For a CISO to be effective in this environment, they will need to be an evangelist — they will need to partner with their peers in other business units assisting with projects to build trust. They will need to do lunch and learn to help employees and senior management understand why cybersecurity has value. They will need to explain the impact of new external regulations or changing business environments and current security initiatives in the works to meet these challenges.
This strategic approach involves making the security program visible and, through collaboration, helping the business accept security as part of its growing internal culture.
4. Architecture View
This approach is about the security stack. It's very technical, and I have seen it used by CISOs who must be hands-on with their security teams. Normally in this approach, the IT enterprise stack is known, and the security stack is immature, requiring a plan to grow and manage the security portfolio.
What is interesting in this approach is even though it is technical, it also requires collaboration. CISOs will need to work with other departments for buy-in and assistance in installing new security technologies. This approach is also more complicated because it will require the CISO to collaborate with peers to implement specific technologies.
The key point to remember here is to implement a strategic plan the CISO will need to communicate. They will also need to work with peers who may not feel cybersecurity is important. Be patient and stay focused.
The strategic approaches CISOs use depend on the life cycle of the company and the security program. I believe CISOs may start with one approach, and as the company and security program mature, they change to another. What is important is, as the CISO, you document your current approach and how it will benefit the company and then brief your teams and company leadership. Remember, a strategy is just your approach to execute your vision; it needs to be flexible, and you need to share it so everyone can help you succeed.