Cybereason CISO Interview Series: Learning to speak the language of risk

To earn their spot among other C-suite executives, CISOs need to frame information security issues around risk, a topic that all business managers understand. This will help CISOs shed their reputation as overly technical people who only handle complicated security issues, said James Bruce, CISO of BruceConsultants. Bruce spoke to Cybereason about why CISOs need strong communication skills and the importance of having security executives report directly to the CEO.

You’ve worked with a variety of companies, from SMBs to multi-national corporations. Are there any common traits around establishing a successful security program?

It’s a combination of things. Security is a priority in the company. Everyone’s committed to it from an enterprise level. The best programs have a good framework in place to start and are flexible. Companies know their critical assets really well and know what they’re protecting. The CISO is experienced. They know how to manage people who can run scans, who can run assessments, the security team is well trained. They know how to respond to threats. They have the right tools and procedures in place. Successful programs include security awareness programs for all employees, especially the executives.

What soft skills do CISOs need to be successful?

One thing you’ll need not only during a security breach but in general is communication skills. During a breach you’re going to talk to everyone. You’re going to talk to your legal counsel, third parties, forensics companies, employees. You have to ask the right questions. You have to be a really good listener.

And use PowerPoint sparingly. Use three or four bullet points in a slide, and don’t go past that. If you’re going to explain security to a non-technical group, keep it at three or four sentences and that’s it. Don’t be complex.

You need leadership skills to inspire trust. You have to have the trust of your board. You have to have the trust of your employees, and trust from your team. You lead the company through not only developing a strong program but also through a security incident, how to manage it and how to get out of it.

Get to know everyone as well as you can, your employees, other executives, managers. Build your relationships. Everyone has their own kingdom, their own department. Learn what everyone does.

How can CISOs obtain their spot in the C-suite if they haven’t earned it yet?

In order to be an equal, you have to convey the importance of risk to other managers. Risk has to be viewed as a company-wide issue and not just an IT security issue. A lot of the other C-suite executives and management still see CISOs as technical people managing complex security subjects and projects that are too technical for anyone to understand besides CISOs who are usually relegated down, maybe under the CIO. Security is relegated to other low-level technical staff. Sometimes the board views the CISO as low-level technical staff, which is ironic. This happens a lot.

Successful CISOs know what everybody’s priorities are, and they find a way to integrate security into those priorities. In order to be an equal, you definitely have to move from being a technical person to being more strategic. You have to be really good at recommending and implementing change. You have to take some risks, and you’ve got to shake some things up a little bit to mature a company’s security posture.

For that, you need to be on equal footing with other executives. You can’t be buried under any other group. Companies that don’t have a mature program usually have the CISO reporting to a CIO or the chief risk officer, and security is not a company-wide initiative. It has to come from the top down that security is important. It’s a priority, and the CISO being independent is very important because a CISO can audit all business units from an independent viewpoint. That’s a tricky one, though. Things are changing, though, and CISOs are becoming more partners instead of reporting to the CIO.

James Bruce

Why are CISOs being seen as equals to their peers?

I think companies are seeing that when the CISO reports directly to the CEO, there’s less downtime when cyber security risk is more visible company-wide. For example, a client had an incident, brought in a major accounting firm and one of the discussions that we all had was that when the CISO has equal footing to other CXOs, the expense of the breach is not as high.

[The client] doesn’t have experience with that, but they’re having this major auditing firm tell them, ‘Make this change, and you will save money in the long run.’ It was a financial decision, and it helped to have this big four accounting firm come in and audit them. It was a tough lesson for them to learn, but they’re not going to make that error again of burying security under the CIO. Maybe this example will help other boards learn that security cannot be buried underneath another group. It has to be a top priority. We’re not just protecting IT. We’re protecting the entire business.

Do you find that successful CISOs understand their company’s business?

Every business has their priorities. They have their goals, and you have to know each goal individually. You have to know what’s going on in the business. Otherwise, I don’t know how you could do this work. Again, almost all CISOs I know who know the business really well are viewed as equals. They know it rock solid.

CISOs who know their company well don’t report to the CIO. They have equal footing with other executives. In that respect, it’s an issue of culture. There has to be a security culture that everyone shares responsibility for protecting the company’s data.

Can you offer any advice on how CISOs can stay calm under pressure after an incident has occurred, or is that just not possible?

First thing for a CISO is don’t panic. Hopefully, you’ve prepared for this day. Look at your playbook. Setting up an incident response plan should have been the first thing you did. The companies that I consult with are tired of spending all this money on security and getting breached. They’re frustrated and you are going to see their frustration. It is up to you to teach your board and other executives that breaches are going to happen.

I think most CISOs age during incidents. That’s also where they get all their gray hair. You don’t sleep. You think about this stuff all day. You bring it home to your family. But you just have to deal with it and try to relax. It can take several months to resolve an incident. You are in it for the long haul.

There are ways to reduce their stress in general, especially if they concentrate on detection and response, obviously don’t drop prevention, as your priorities in the NIST Identify, Protect, Detect, Respond, Recover framework. Every day assume you are breached and assume that something’s there.

Sounds like having an incident response plan is critical.

I’m working with a company that had a security incident and the board is relaxed considering the magnitude of what happened because the board and their executives prepared for it. The person leading the incident response program prepared them for this day. They have a solid incident response plan in place that is current and updated. All the business units signed off on it and everyone has a stake in it. Because of this, the company’s going to come out of the incident pretty well. It’s really impressive that this company had this in place and was prepared.

Perhaps the most important thing is that the company knew all their logs and data were easily accessible. It makes things a lot easier when dealing with legal counsel and third-party forensics companies. The company’s data mapping was perfect.

The Cybereason series Stories from the Front Lines of Security Leadership will present insights from CISOs, security leaders and IT executives on topics including what’s required to succeed as a security executive, how to convey the importance of security to an organization and how security leaders can advance their careers. Do you know a security executive who has great insights and would like to talk with us for this series? Email us at ciso.series@cybereason.com.

About the Author

Fred O'Connor

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.