From how security departments can be brought into large projects early on to what are some the biggest career mistakes as CISO can make to what events should security leaders attend, Cybereason CSO Sam Curry fielded several questions on security leadership following a recent webinar he lead on the eight moments that can either make or break a CISO’s career. In this blog, we published some of the questions that Sam answered following the webinar.
What are some the biggest mistake you’ve seen a CISO make, and how can you avoid them?
The biggest mistake I’ve seen is that the CISO becomes very inward looking, and they do one of two things. They either try to demonstrate their hypercompetence at everything, almost to the point of it being a flaw. Relax. You’re a security person. You’re assumed to be the expert in the room. Don’t spend any time proving that. You don’t have to.
The second thing that I see involves working on the social dimension of the job. I know a CISO who’s borderline autistic and he worked really hard at the social dimension. As a result, he was excellent at it. Then I see other people who are actually quite gifted socially who stay in their office or in the SOC and stay with their own security guys, and they become irrelevant.
With large-scale projects, I always find out about them too late for security to make an impact. How can I change that?
I could imagine several causes for this. One, it’s hard to sit in meetings when you have emails to read, there are open tickets and there are a ton of demands on your time, in your personal life as well as your work life.
But if you don’t do the homework and attend the launch for the new marketing program, the ops meeting, the meeting on the state of the business, then you’re going to get blindsided. Generate a legitimate interest in the company. If you can’t do that, find a lieutenant who can. A very effective CISO I know has an excellent number two. She goes to every meeting, listens and tees up what the CISO needs to know about. This is a CISO who knew his weakness and figured out a way of staying abreast of what’s happening in the company. If not, he was going to find out until it was too late.
I remember at Microstrategy I was asked to review the move to Amazon’s cloud. I looked at the project and said, “Here are the risks, and here’s what we should do to get on there.” And the person who leading the project said, “Sam Curry said we can’t move to Amazon”, which was not what I said. I realized that if I didn’t treat this right, I wasn’t going to be asked to the second meeting. We needed to think about what the risks were and how to mitigate them, and this was a big cultural challenge. I had to work not to be seen as Doctor No because everything I said was assumed to be a no, and they would read the justification. So I tried to say “Yes, and” instead of “No, but.”
How do you balance risk, employee experience/client experience and business goals?
This is a tough one, because let’s say there are three kinds of teams. There are problem-solving teams, which are most management teams. The biggest problem they have is trust. There are creative teams, and the biggest problem they have is autonomy, the ability to do what they think is right And then there are operational teams. The biggest problem that leads to is lack of clarity.
I’m reminded last year of when people were talking about Equifax. They said, “Why didn’t they just patch those vulnerabilities?” But this isn’t GI Joe where knowing is half the battle. At the end of the day, there’s a clear reason why vulnerabilities in most companies are not patched, and nobody talks about it. It’s because they haven’t aligned on what the goals are. The CIO is thinking, the more patches that I allow, the less uptime I’m going to have, the more tickets are going to be opened, the longer they’re open, that worse that is for business.
The best thing you can do is be the voice of risk but make some concessions. Make sure that you all have the eyes on the same goal. It has to be based on common goals, or else people are going to be passive-aggressive about it. Somebody will strong-arm a solution, and you’re going to wind up in one of those bad situations.
How do we juggle auditor requirements with the pushback from IT on having to document standards?
I think this requires some unpeeling. There are a few problems here. One is having documented standards is an issue? Then, there’s the drift, so if I’m inferring in the question, there’s somebody who’s responsible for an intercompany negotiation of priorities for development. Somebody else is doing your dev work, and so somebody on perhaps your side is the product manager and on the other side is the R&D. In that case, you’re going to have to make sure that you’re really tight with the product management team and their priorities and that you’re really realizing that it’s rarely binary, but there are some things you’re going to have to do and some things you can’t do. You’re going to have to expose them to the pain you’re getting from the auditors so they feel it. Squeaky wheels get grease, and that you are negotiating, and if you can, attend the standups. Provide some value to them. They probably have some kind of standup if they’re agile. If not, they have a regular meeting, even in waterfall, with the external developers.
Make sure that the product owner in the other organization -- the person who runs the engineering team -- is aware of your concerns. Now, they’re secondary, but they’re aware, because what happens is, when you’re building something, some things take longer, some things take less time, but they will be thinking about how to solve the problem. Don’t go around the product manager. Make sure that the product manager feels your pain and really align your operational goals. Get clarity on them together. If you’re feeling pain, and you don’t have any ability to affect the change, you can’t reach across that divide, then try and understand why. Is it the product manager doesn’t care? Is it the contract with the external developer is a problem? Show up, participate, provide value and make them feel your pain.
What’s the average lifespan of a CISO in an organization?
Thirteen months. I’ve seen numbers as low as 11 and as high as 20. It’s 13 months plus or minus a couple, and it won’t get better until we actually solve this alignment problem. A couple of words of advice around this subject. Number one, we tend to tell a narrative about our past, why we succeeded or failed, and it’s not really validated when we change companies, so just be careful that you don’t believe your own BS, that you truly validate why you succeed or fail and know what you’re going to do in the new job. Two, nobody actually stays there 13 months. My experience is, most of us are somewhere for four or five years, and then we get a couple of really short gigs of six to 12 months, and then we go back and get the next one for four or five, but the average is 13.
What parallel tech trends, like SaaS and IoT, are exponentially raising security risks and causing CISOs to take a far more proactive posture?
The first one is cloud adoption. The way that we get integrity in our systems and individual workloads and in systems thinking is splitting into two different ones. Where before, everything was sort of converging in network and an endpoint, we’re now seeing both of these endpoint and network split, and so you’re getting discontinuities in process and stack. The one we’re all holding our breath for is IoT, and that’s all about volume. That’s a the-masses-are-coming type of situation. But perhaps the scariest for me is that we, in general, are developing more with shorter life cycles, and we still haven’t baked security in well.
I don’t think we’ve done enough to develop the state-of-the-art security and to make things generally harder to break from day one. Look at the Meltdown and Spectre vulnerabilities, but even more importantly. Believe it or not, there are some pretty good standards in technology down in the hardware, and so when IoT comes, nobody’s going to be leveraging, for instance, the trust zone and some of the technology stuff, even though it’s there. That’s because not enough people have done that essential bridging or making it useable by run-of-the-mill, average citizen-type developers.
The last one I’d point out is the general erosion of privacy and the ease of which we can obtain information about people. The cost of information about anyone is dropping. Relationships are exploitable, like who’s a friend of whom and who’s related to whom. I’d say those are the macrotrends that concern me, but I’d love to see us as an industry collectively beef up hardware-based security and start to develop some new standards for what it should look like regardless of infrastructure.
What conferences should new CISOs attend?
I would say don’t go to any event unless you know that the context is going to be something you’re interested in and you’re going to expand your network. You can learn a lot online without having to physically go somewhere, but if you’re going to pick up and go somewhere, do it for a purpose. Find great backup career choices, new employees, new partners, new information-sharing networks. When I go to conferences I refuse to go on show floors for more than about five minutes. On one occasion, I sent my poor wife off to find the best booth, because she’s not a security person, and she comes back and tells me where I should go, and I obviously go. Make sure you have a purpose for going and exercise your social muscles at these event. That’s the real value for me.
Want more security leadership insight from sam?
For more of Sam’s insight on how CISOs can successfully navigate the eight moments that can either hurt or help their career, read these two blog. One looks at the career challenges a CISO may face during a breach or a change in management and the other discusses how a merger or acquisition or the results of an audit can impact security leaders.
