Purchasing tools and implementing technology are just part of a security program. For a truly successful program, security leaders need to connect with their C-suite colleagues. That requires conveying the message that information security is there to enable, not hinder, business, said David Bryant, CISO of PSCU, the nation’s leading credit union services organization, serving more than 850 Member-Owner credit unions.
“The more the C-suite understands we’re all in this together, the more open they will be to discussion and supporting the information security program,” said Bryant, who took over as CISO in September.
One thing that helped Bryant transition to the CISO role: having a mentor, which he called the key to success. Security executives should look for a mentor who understands what security can offer a business and who can offer advice on how to make security part of a business’s function.
“When you make a mistake [in the information security space], it could lead to a breach. It could lead to something career limiting or damaging to the company. You want to make sure you have a really good, smart person who can help guide not just your career but also your path to success.”
Read on for Bryant’s advice on how security leaders can help boards better understand cybersecurity and how he’s seen the industry change during his 18-year career.
Why did the role of CISO appeal to you? The career path can prove challenging and short-lived. CISOs are often blamed for security incidents or seen as enacting policies that stymie your business.
The CISO job is one of those unique positions. It can be a challenge no matter what company for which you work. I’ve been in the security space for around 18 years. I started off as an analyst and worked my way up from there. I’ve seen and experienced a lot of what the CISO job has to offer, both the good and the bad, and from the practitioner side as well as the operational and management sides. I was lucky and had a great mentor in Gene Fredriksen [PSCU’s newly appointed Chief Information Security Strategist], who showed me the ropes and helped me deal with challenges along the way. He made sure when the CISO opportunity was available, I was ready and able to handle it.
Also, the biggest appeal to me was to own that program so I had the ability to make an impact. The culture at PSCU is driven by our CIO, Dave Stafford, which makes all the difference. PSCU has a strong emphasis on information security and compliance and highly values the CISO position, which is very important.
The perception of policies holding back the business usually stems from the business not understanding the need for cybersecurity, as well as failure of the security group to understand the needs of the business. It’s a two-way street. By working together and actually having a dialogue, a lot of these issues can be prevented up front.
As far as the blame game issue goes, it’s always going to be a challenge to manage. The CISO position is the public face for security, so you’re going to tend to get the lion’s share of the fallout from a public event. Unfortunately, there’s not much you can do except just try to be as prepared for it as you can.
Could you talk about why it’s important to have a mentor?
It’s the key to success. You can find your way along your career path by yourself, making mistakes and learning from them, or you can have a mentor to say, “Look, I’ve already made these mistakes. This is the way you should go.” It provides you with a much better path to success and prevents you from repeating history.
In the information security space, you’ve got to be careful. When you make a mistake, it could lead to a breach. It could lead to something very career limiting or damaging to the company. You want to make sure you have a really good, smart person who can help guide not just your career but also your path to success.
Are there any particular things that security leaders should look for in a mentor?
You want experience. You want somebody who has already been there, and you want somebody who understands the job. By “understands the job,” I mean somebody who understands not just the job requirements — the stuff you see on an HR job requisition — but who actually understands the importance of what information security brings to the table, the importance of how to work with the business and how to make sure the security message becomes ingrained as part of the entire business function, and someone who has the best interest of the company and the employees at heart.
Could you offer advice on how CISOs and CIOs can work together?
You’re going to have those situations where there’s tension between the CIO and the CISO, especially when the job is fairly new to the CIO, meaning it’s potentially the first time a CISO is reporting to them or a new CIO is on the job. It’s important to develop a rapport with that person. You should have regular dialogue with the CIO, strive to understand the challenges he or she is facing, and offer to help. This helps to reduce tension and ensure the CISO and CIO are more aligned, on message and driving toward a common goal.
Make sure you understand the challenges the CIO is trying to solve. Be the security representative who can say, “I see your challenge. Here’s a security solution that may make it easier to solve,” or “Here’s a business process problem on which the CIO is working. We know a way to solve it from the business side, but there’s a security application to it.” Make sure you’re plugged in there, and you’re acting as a resource for the CIO to help answer those questions.
How can security executives help the C-suite better understand cybersecurity?
The single biggest thing you could do is to keep an open dialogue with those folks. Make sure you’re talking to the C-suite regularly. The more they understand we’re all in this together, the more open they will be to discussion and supporting the information security program. If you foster an image of information security being there to help them and couch the message in terms of business rather than raw technology, you’ll be much more successful, which will help them understand your message.
Too often, you get into a situation where information security is thought of as a pure technology-driven issue, but people and process are just as important. I’ve seen instances where CISOs come into the job thinking they’ve got tools to buy and technology to implement, and that’s the extent of their program. The C-suite is more concerned with how the business is running. Security is an attribute of the business, so you’ve got to make sure you’re plugged into the proper framework. Then the C-suite becomes much more supportive of the security message.
How can CISOs better understand a business’ needs?
A CISO needs to talk about what the business needs as it moves forward. You’ve got problems to solve. You’ve got business processes trying to work. The more touch points the information security folks have with the different business communities, the better understanding both parties will have about issues at hand.
As the business moves forward, security comes along and is there supporting all of the different business initiatives, so you’ve got to have those touch points. You’ve got to have dialogue with not just your peers within an information security space but also within the normal business product space. If you all get together and coordinate your messages, it makes things much simpler.
You’ve mentioned dialogue a lot. How important is being able to communicate with your colleagues?
Being able to communicate with your colleagues is one of the key strengths you need to bring to the table as a CISO. As a CISO, you need to be fluent not only in the language of technology but also in the language of your business. As you’re speaking to those people who are on the technology side, you can speak their language and understand their challenges. Then when you’re talking to the business folks, you can understand those challenges and figure out what synergy exists in both of those areas. That’s how you become successful. Being able to speak to both types of people and sometimes translating between the two is an absolutely critical skill.
Are there any key phrases or terms that security executives should use when talking to the C-suite about the business?
I hesitate to use the term “key phrases” because it implies there are certain templates you should use. I believe it’s less rigid. You need to be able to put frameworks together on the fly, if you will. You’ve got to understand every solution is not necessarily going to have a black and white component – it’s going to have shades of gray. And you’re going to have to think on your feet to say, “Well, if this is the challenge the C-suite is seeing, I can pull bits of information from Budget A and also from Budget B from the business. I’ve got these technology controls to solve this problem in the security space and help alleviate some of the pain in the C-suite.” You’ve got to be able to develop a thought process and a mentality whereby you’re less of a troubleshooter and more of a process enabler. When you get to process enablement with security, you’ve crossed into an area likely to capture the C-suite’s attention.
As a security practitioner, are you okay with the gray areas of security figuring out what to do in those moments?
When it comes to allowing the business to use technology, I’ve always felt it’s more of a “yes, but” situation. There needs to be an understanding that you can’t just say “no” across the board. You’ve got to say, “If you want to do this, yes, we can do it; but we need to include these technology controls or these process controls or this compliance control. We need to have some security attribute in the system, and then we can use it.”
Now, maybe it becomes an issue of the security control or process costing too much, and there’s no way to implement security without it. Then maybe you don’t do it, or some other unplanned situation comes into play. It’s always disingenuous to say “no” without good reason. You should always listen to what the business or C-suite is looking to solve and say, “Yes, we can do this, but here are the controls we need to have around it.” Make sure they’re aware you’re there as a process enabler, not as a process hindrance.
How can CISOs balance security and innovation?
Innovation happens at a rapid pace, and it can be a challenge for security to keep up with it. The business is steaming along and wants to introduce new products or services. Try to get security baked in from the process side; making sure information security is plugged into the business helps quite a bit. Help maintain the balance by making security part of the ingredients the business uses to build that new product or service. Be forward thinking by making sure you know what new projects are on the road map.
You mentioned that organizations need a culture of security. How can security leaders help facilitate that type of culture?
As a security leader, it’s your responsibility to understand how to facilitate a culture of security within your organizational restraints. Every business is going to be different, so the vertical you’re in may have different requirements.
You have all these different things to think about, but you’ve also got to understand the best way to interface with your culture to make any changes. The best way you can do that is just by listening. Take the temperature of the organization, see what’s going on around you. Then think of ways as a leader to say, “How would I want to effect change if I were in the other seat? If I were in the CIO position, how would I want a security message brought to me?”
Empathize with other positions. Try to understand their challenges, and then build your message around those challenges. Then you’ll start to see the culture begin to change. It goes back also to an enablement mentality. When you’re not seen as a department of “no” but instead as a business enabler, you automatically get included in a lot more, and there are far, far fewer surprises.
Security and IT professionals are bombarded with news about cybersecurity issues. How can they filter out the noise and determine what issues really matter to them?
Unfortunately, there is no easy fix for this. It comes down to the experience of the person who’s injecting the information and just an innate sense of what intel you need. Over the course of a career, you learn what’s important and what sources to trust, but you keep looking for data that makes sense and developing those sources you can trust. There are some extremely smart people out there, very dedicated folks that are good sources of information. Seek them and lean on them. And talk to your peers. They may have some sources or data you haven’t thought of or some things you haven’t been exposed to that could help narrow down critical information.
The problem with security, in this respect, is there’s so much going on at such a fast pace. It could be easy to miss things. It comes down to knowing which things are most concerning.
How important is information sharing among credit unions to keep them abreast of new threats and cybersecurity best practices?
Information sharing is a top tool. There are entire organizations dedicated to the credit union information security space. I like the saying that no one of us is as smart as all of us – it applies to the information security community at large. Credit unions are based on the premise of community, so the sharing mentality is at their very core. When you look at sharing in the information security community within the credit union industry, it’s already happening. We’re already talking to each other. This dialogue in the credit union industry is probably one of the most free-flowing of all the industries in which I’ve worked. Credit unions have an innate desire to share security intel to make sure the data is flowing.
Why are credit unions more open to sharing information compared to other industries?
Again, credit unions are based on community, guided by a philosophy of “people helping people.” The belief that we’re all in this together is baked into the core of the credit union space. There are also many situations in which a smaller credit union without a dedicated full-time information security person has a network engineer doubling as an information security person. In this case, the credit union needs to leverage the economy of scale to gather additional security information from their peers. Or let’s say a credit union is facing a particular security topic for the first time. The credit union can reach out to organizations like the NCU-ISAO [National Credit Union Information Sharing & Analysis Organization] or FS-ISAC [Financial Services Information Sharing and Analysis Center].
How can security executives help boards better understand cybersecurity?
Security executives need regular touch points with board members, so they know who you are. Make sure they know who the security resource is, and then, with a regular cadence, start to talk about metrics and data points and other things of interest to the board, specifically when it comes to the return on security investment. Make sure you are available when they want to talk to somebody about security incidents and ideas, and facilitate a clear path for discussion.
Make sure you keep your message in plain English and free from technical jargon. You don’t want to walk into a board meeting and start throwing out a bunch of terminology no one understands. It’s the CISO’s job to deliver a message in an easy-to-understand way that gets to the point. Boards are busy. Once you’ve established a comfortable rapport, the dialogue will naturally flow from there.
You’ve been in the industry for 18 years. What are some of the biggest changes you’ve seen in terms not only of threats, but also how cybersecurity is viewed in an organization?
When I first got into this field, information security consisted of things like antivirus and firewalls. If you had those few technology controls in place, you were pretty much good to go. Hackers were focused more on the notoriety of what they were doing and less so on the economic gain. Once they realized money could be made, things started to shift away from glory seekers toward people who hack for profit.
When that shift happened, the complexity of our jobs grew exponentially. We needed to make sure we were able to meet threats and protect our data. Old tools used to be pattern-based and structured around a specific set of criteria; we are now starting to see more and more intelligence built directly into tools. We are seeing the rise of machine learning. More machine intelligence is being applied to security data, making a big difference in what we do to combat threats. Maturation has come a long way, from your antivirus and firewalls to full-blown AI sitting on your server environment, analyzing all of your threat data and providing findings faster than any human ever could.
What other advice do you have for security leaders?
The one other point I want to make, especially from the CISO’s perspective, is the importance of being able to translate information security into business language. Don’t be dazzled by technology all the time, especially if you are interested in building a long-term security career. Understand security can also be a business process you need to understand, work within and help support.
Why do some CISOs use technology for its cool factor instead of for securing or enabling the business?
It depends on a specific CISO’s background and experience. I’ve seen situations involving someone who was appointed CISO out of convenience. In other words, the company was in need of a CISO, picked somebody out of the management lineup and made him or her CISO. Unfortunately, a lack of experience in situations like this often leads to an exclusive focus on technology controls and omission of people and process.
On the other hand, people who have spent time in the information security and compliance space understand the needs and have the experience it takes to make a program successful. They understand innately the three-pronged approach of people, process and technology, making the CISO transition much easier.
The job of CISO is never going to be an easy one, no matter what we do. CISOs are always going to be on the hot seat. They’re always going to face the challenge of being aware of what’s going on all the time, 24/7, 365 days a year. There is pressure to be right 100 percent of the time. The bad guys only have to be right once. That’s a challenge we will always face. We have to acknowledge it, while simultaneously making sure we have the best controls and protections possible in place.
How do you deal with that? It seems like an impossible challenge.
A lot of folks don’t recognize the huge amount of pressure that comes along with a CISO role. For some people, it has to be baked into your personality to want the challenge and be able to thrive and find success under that type of pressure. The pressure can get to you. It can be all-consuming. It’s 24/7, 365 days a year, with no days off.
That’s why some CISO careers are so short-lived. You’re always chained to a phone. You’re always watching the news. It’s a very high-pressure, high-stakes job. But for the right people, it can also be very rewarding.
Read more from the Cybereason CISO Interview Series