
Begin with the end in mind: A CISO’s guide to leading with strategy

At Check Point Software Technologies, Cindi is a Chief Information Security Officer in the Office of the CISO, committed to helping other CISOs succeed in both strategic and tactical initiatives. Cindi has a firm grasp of the challenges surrounding the security, privacy, and risk management landscape, and is a trusted advisor within Check Point as well as to our customers. Most recently, Cindi was the CISO for IntSights Cyber Threat Intelligence; before that she served as VP and Chief Security Officer at MedeAnalytics, and prior to that as Deputy Chief Information Security Officer at Blue Cross and Blue Shield of Kansas City. Cindi is also the founding president of Women in Security - Kansas City, and has been honored on SC Media magazine’s “Women to Watch in Cyber Security” list and in Cybersecurity Ventures’ book “Women Know Cyber: 100 Fascinating Females Fighting Cyber Crime.”

In this interview, Cindi discusses how CISOs can develop highly effective security strategies while contending with a confluence of divergent demands. From starting meaningful conversations with business leaders to building sustainable security risk management frameworks, this interview offers practical expertise that can help organizations foster agile, adaptive and robust security and risk management policies and practices.

If newly promoted to the CISO role, what questions should beginning CISOs ask?

One of the things that I believe when it comes to being a first-time CISO is that, regardless of prior work experiences, the CISO journey is unique.

Broadly speaking, CISOs need to understand the overarching operational structure of the business. This helps when exploring and evaluating shadow IT or even shadow security.

First and foremost, CISOs need to understand exactly how their organization uses data, the type of data used, and must quickly uncover the areas in which there may be technical or security debt, as that knowledge will help when developing a strategy for managing cyber risk. Secondly, forge relationships with teams across the organization and ask leaders, “What cyber security concerns do you have?” Listen with the intent to understand; this information is crucial input to creating and executing your strategy. Initiating these types of conversations with internal business leaders can help a CISO quickly absorb what needs to be secured and the organization’s risk appetite. Lastly, ask yourself this question: “Do you want to be right or do you want to make a difference?”

Due to the breadth of challenges to address, CISOs need to have a dynamic set of skills. Some CISOs come from prior technical roles, others from business backgrounds, and still others from risk management backgrounds. To excel in the role, a CISO really needs to lead all three of those aspects and more. In areas where they are not as proficient, CISOs should leverage internal talent, and/or seek a trusted colleague or partner. The ability to understand your audience cannot be emphasized enough; CISOs need to adjust their ways of speaking in accordance with the individuals whom they’re addressing. For example, citing technology terms is not the best way to educate the Board about the organization’s cyber risk. The key to making conversations go well is making them relevant to the audience that’s receiving the information.

It can be overwhelming to navigate the transition from a contributor to manager to leader, and it’s important to give yourself time to settle into your new role. The title alone does not make you a leader; as the organization’s head of security, the CISO needs to be able to influence the organization to meet cyber security goals.

How can CISOs understand the business that they are supporting and the “business of their data”?

It’s important to ask questions! CISOs need to learn what’s important to key stakeholders, the areas of innovation that leaders have prioritized, major new initiatives that the business intends to introduce, and where security can fit in to support those efforts.

Every CISO needs to understand the business of their data. And what I mean by that is: in every organization, whether it’s the finance team, human resources, or your social media team, every team uses data differently. In turn, you need to understand how the data is being used. Is it being shared among third parties? Fourth parties? An understanding of how the data is being used opens up new conversations around cyber security risk management.

To better understand the business and the data, it’s very important to establish relationships across the business. Introduce yourself as the CISO to all of the folks who are handling core aspects of the business and corresponding data. Share the cyber security strategy and initiatives, and likewise ask to review theirs. As you make introductions, take care to ensure that data owners understand that the security team exists to enable the business; it is not the department of “No.” Rather, the security team’s goal is to keep the business data safe, and to ensure that the data has the appropriate protections for privacy and security.

Budgeting: Cyber vs IT

“It doesn’t matter how much you spend, you could still get breached.” Stating the cyber security budget as a percentage of the IT budget is an unrealistic ratio for justifying [additional] spend. While metrics do matter, the CISO needs to help the organization understand the cause and the action (investment) that needs to take place. Stated another way, manage expectations with costs and risk exposure.

As an example, look at the IT budget for technologies, and the vendors who supply them, that can also further the cyber security agenda. With a strong IT partnership, the CISO can influence these leaders to factor the cyber security costs into their budget, while fostering accountability across the organization to deliver products and services that are secure from the start.

How can CISOs proactively assess an organization’s risk appetite?

Building on my previous answer: one of the things that CISOs can do, while learning the business of their data, is ask internal business leaders about the areas where security gaps might exist. For example, there may be someone who comes forward and says, “You know, we share this specific type of data across our digital systems and I’m not sure that it’s shared securely.” Initiating these types of conversations with internal business leaders across the organization can help a CISO quickly absorb what needs to be secured and what an organization’s cyber security risk appetite looks like.

CISOs need a way to communicate cyber risk to an organization’s management team:

— Does the current security posture align with common security standards?

— Do the existing security controls complement the business needs?

— Does the existing security infrastructure address all the business risks?

— How to reduce TCO and operational efforts while enhancing the level of security?

— How to implement new security innovations to support the wider business?

Risk Management Frameworks

SABSA (Sherwood Applied Business Security Architecture) is one of the most widely recognized security architecture methodologies. Its framework allows security architects to develop a business requirement into a security design, and then to manage implementation in a controlled manner while maintaining a business-driven focus. Zero Trust has become a mainstay of enterprise architecture. Both of these open frameworks are widely used and respected by the security industry for their approach and relevance. They are, by their nature, both broad and relevant to all disciplines of security, and they support building security into every aspect of the business.

As the CISO gains knowledge of the business and its data, as well as potential technology or security gaps, the strategy begins to take shape.
