Chapter 12. A Note to CISOs

Many CISOs aren’t successful in their jobs. Few last very long, and those that do usually simply survive rather than thrive. If you read the industry trade news, the average tenure of a CISO is just a little over two years. Year 1 is a grace period. Year 2 is a bilateral epiphany between the company and yourself that you’re not the right person for the job. Year 3, the company is in discussions about how to replace you, while you’re updating your resume and searching for a new position. Sound familiar? I see and hear about it all the time.

Time and again, I’ve seen CISOs pushed out of their jobs because of their approach to security or because they were overly insular and territorial about their work. I’ve been consistently amazed at the number of security professionals who are well intended in their approach but completely misguided or misaligned with their organizations. They’re aliens to the company’s culture, spending their time trying to move the company in a direction it doesn’t want to go, all in the name of security. Despite all their good intentions, they view themselves as martyrs, believing they’re fighting the right fight, while what they’re actually doing is wasting their time and their employer’s resources.

Is there a secret to thriving and not just surviving as a CISO or security leader? I believe so. Regardless of your tenure, you can apply the concepts of my seven-step process and improve your team’s approach to InfoSec while strengthening customer relationships.

In this chapter, I’ll speak directly to you about the fundamentals of your job beyond the seven steps, which are really focused on building and sustaining an InfoSec program. Some of what I propose might shake your foundations a bit, but I hope you’re willing to challenge your models. Helping you and your team become a valued and respected asset to your organization depends entirely on your willingness to examine your current approach and possibly change the way you work to move your company toward a shared model of InfoSec.

Seeing the CISO as a Cultural Change Agent

As the CISO, your primary job is one of cultural change through education and adjusting people’s attitudes about InfoSec. Your job is not to secure the company’s information assets for the company, but to get the company employees to secure their information assets that support their business process.

You’ll never be properly resourced to secure the company’s information assets, and I’m recommending you not attempt to do so anyway. You don’t own any business systems. Only the departments do. Only department management and their supporting IT staff can agree to partner with the InfoSec team to secure their systems. Without their consent, you’re dead in the water.

To get in and partner with them, you have to approach them and have something to offer. So how do you influence each department to partner with you?

Your job is to influence and educate every department to take appropriate steps to secure their information assets. This can take some time, but it won’t happen unless you get out of your office and knock on doors. This is a very different approach from the one that assumes that your job is to secure those assets.

Although you have to own the process of securing assets to get it done, the foundation of your job is to enlist others in the process. This applies to everyone in the company. The IT engineer, the gate guard, the HR rep, the scientist, the sales representative—every person needs to know their responsibilities toward protecting the digital assets of the company. If they don’t know them, we can’t expect they’ll do their part. The big question for you becomes, “How do I enlist others?” How do you pique their interest enough so they’ll want to do their part?

An important concept to keep central to all your efforts is that your fundamental approach to effective InfoSec is based on relationships. This is the bedrock. Regardless of how your company views relationships, you have to be willing to make them foremost. In my experience, success won’t come your way without really positive working relationships, so they have to be your focus.

If you’re a CISO who wields a big stick, the clock is ticking on your tenure. Enjoy the ride ’cause it ain’t gonna last. As the agent of change for your organization, you need to be the motivational speaker, the evangelist, and the catalyst for getting your company pointed in the right direction regarding real information security. You may not personally possess all the skills to be that kind of an up-front charismatic leader, but what you value, and where you invest your time, money, and staff, can make you a leader who can create a security culture in your organization. And if you choose to enter into this process, I can almost guarantee that you’ll be around for a long time and will see the fruits of your efforts.

Most employees believe that somebody else is keeping their information safe, that security is somebody else’s job. They believe the IT department is protecting our systems and our data. It’s not, however. The IT department is providing some general security controls, but they have no idea where your data resides, or who has access to it, or how long you’d like to keep it around, or where it gets stored. This is beyond their job purview. Many staff members are just unaware of the threats to their information, the value of computer resources, and their own role to keep them safe.

As an agent of cultural change, you must shape the company’s values and shift people’s attitudes about InfoSec. You do this by helping people understand that the most important asset a company owns is the information resources used by its staff members. While this statement may seem broad and overarching, this task can be effectively accomplished through the steps discussed throughout the book: building relationships, broadening awareness and education, training staff, and never letting up on communicating the message of security. You’ll notice there’s not one technical pursuit in the foregoing list.

The CISO who operates as a cultural change agent takes a fully different approach to their work than those who are merely focused on the technical components of our trade. For the CISO focused on cultural change, each and every meeting becomes an opportunity to move staff in the direction of greater degrees of security awareness, and to educate those in the meetings on the threats associated with the information assets under their control.

One day, I was approached by a young woman who attended our two-day InfoSec conference. She said she saw the conference advertised in the company’s weekly newsletter and had attended the whole event. She was excited about what she learned and was eager to get our help. I asked what she needed from my team and was taken aback by what she said.

She was in charge of a team of auditors who worked in the research department to ensure third-party research firms were living up to their contracts and protecting the results of research appropriately. The work her team (of about 10 people) was performing was basic InfoSec work, and they needed help. What she wanted was education for her staff, a CISSP-like course.

I couldn’t believe her request. She stated she was uncomfortable with the data security practices of the other firms she audited, but she and her team didn’t always have enough knowledge to identify poor InfoSec practices. She wanted customized training for the then 10 domains so her staff could do a better job and hold these other companies to their contract agreements.

We developed a training program for her. We gave the training to her staff in multiple sessions over several weeks. This was a huge win for the InfoSec team and a huge win for the company. All of this transpired because we held a security conference in the company’s conference center and brought in industry-leading speakers and security professionals.

The point of my story is this: here was someone in the far reaches of the company who attended one of our security events, and the education she received would lead to the education of all her staff and improve the overall security for the company. These results are hard to refute. Everyone wins. This is the type of cultural influence that is part of your job description. We established a great partnership with her team going forward as they attended every training class we offered.

It’s examples like this that reinforce the seven steps and my belief that the CISO’s primary role is one of cultural change agent. If it was an isolated incident, I wouldn’t hold this belief about our role, but the multiplicative effect security training can have far outweighs the value of any technology implementation. Whether we like it or not, we’re cultural change agents.

Keeping Your Sword Sharp

Throughout my career, I’ve been blessed to work with talented engineers. I’ve loved working with these security hobbyists, whom we pay to perform their hobby at work. These types love to play with new technologies and are always learning. I’ve learned so much from them.

As a manager and leader, I’m always trying to improve my game. To do so, I read various trade magazines or management journals from leading educational institutes, as I need to stay on top of the technology and changes in management science. Both help me to think of creative ways to apply the leadership and management principles to the discipline of InfoSec.

Probably the smartest guy I’ve ever worked with is Ron Dilley, who worked with me as the security team’s technical lead for over 10 years. I’ve learned more from Ron than anyone else in our industry. I’m grateful he took the time to explain all the technical stuff in simple terms I could understand. I was fortunate he worked with me as long as he did; he could’ve worked anywhere, and for more money than I was able to pay him. Try to surround yourself with people like Ron. They have a lot to teach you.

As the CISO, if you’re not a technologist, you need to learn the basics of the profession. Whatever it takes, learn the technology. Read everything in the SANS reading room. Watch their webcasts. There is so much free education available on YouTube; dive in. You don’t have to be a techie god, but you should be familiar with all the basic tools and processes your team is working with: firewalls/VPCs, network switching, the Open Systems Interconnection (OSI) stack, VoIP, wireless networking, encryption and key management, databases, operating systems/SD-WAN, programming languages, IDS/IPS, network scanners, hacking tools, virtual systems, malware, SDLC/Agile development/DevSecOps, code analysis tools, and more. My advice to you is to do whatever it takes to learn the tools of our trade. Your team will respect you for it.

Second, don’t try to play a technologist if you’re not. Stay in your lane. Know your place on your team. Your job as the CISO, as I’ve stated, is really evangelism and moving the culture to be more sensitive to InfoSec. My staff members know way more than I ever will. It’s why I hired them. I always listen to them and their recommendations. Respect their recommendations. Your role is to ensure that their recommendations are well implemented and staffed, and that the proper groups are involved in the decisions your team is making.

Your last skill is to be a great communicator, facilitator, listener, and speaker. You have to carry the message before the team ever will. You have to be front and center. You have to set the example on collaboration, modeling what it means to be a good corporate citizen, evangelizing staff in the name of security, leading training sessions, and more. Staff members have to see you doing it before they’ll follow and do it themselves. If you’re asking them to man a table in the company cafeteria, you better be there with them handing out the brochures and talking to people. I’m a big fan of Level 5 leadership practices. If you don’t know anything about them, bone up on the leadership model developed by Jim Collins in his book Good to Great (HarperBusiness). The team is more likely to follow you if you’re coming from a place of kindness and humility.

For two years, I did all of the new-hire presentations every week. Each 10-minute session had anywhere from 15 to 30 people, and it was a good way to set the tone on day one for new hires. I made it a habit to take one of our team members with me to mentor them on public speaking. For public speaking to be effective, it must meet the three “F’s.” It must be funny, factual, and fast. I took our junior folks so they could see how I did it, including the jokes I used, how I answered questions, and the style I employed.

After a few presentations, all of them wanted to go it alone (an indication I’d hired correctly). I’d let them run the new-hire presentations for a couple weeks and then train another. It was a wonderful model, and our team learned how to give presentations through the new-hire sessions.

I still take courses on public speaking and push myself to speak at conferences and industry events. I often don’t have the time, or necessarily want to address a particular audience, or speak on a certain subject, but I force myself to do it anyway. I’ve found over time that my best talks are humorous and to the point. This is my style: funny, fast, and factual. No one wants to listen to me. I keep this in mind. I don’t have much to say, so I’d better say it quickly and leave them laughing if I ever hope they’ll remember any of it. Public speaking will be one of the keys to your success. Refine the skill and don’t ever stop working on it.

One of the CEOs at a company where I worked said the greatest business skill a leader can develop is public speaking. The CEO also said it was the one skill that enabled a person to get promoted faster. If you’re able to stand in front of a group and communicate clearly and influence them, the sky is the limit for you, the CEO said. This message has stuck with me. I’ve done team-building exercises where we record our presentations and then watch them as a group. This is super humbling, and fun. Team members who can help each other and laugh at each other form close bonds. Evangelism is fundamental to your job description. Therefore, the art of public speaking can’t be ignored.

Hiring Techies

Who to hire, who to fire? Putting together a team of real professionals is difficult work. Knowing the type of people to hire requires some consideration as to the journey ahead and the type of security program you want to build. If your department were just about the technology, hiring would be an easy task. You’d hire very technical people, deploy rock-solid systems, and provide insightful analysis for the company—end of story.

But the task in front of you is not that narrowly defined. You and your team must reach out to every group in the company and provide services that vary from team to team. The job description for most IT or engineering teams is straightforward. It usually involves providing the same service to different customer groups. For example, the team responsible for supporting mail/messaging services has one platform to support, and it’s the same platform for everyone in the company. The desktop team provides the same or a limited number of desktop clients to the company. These groups provide the same or a few platforms to everyone. Windows administrators provide the same build over and over, followed by system administration.

Regardless of the IT group you look at, you will find a tightly defined job description. This is simply not the case for the security team. To the legal department, your team is the investigative arm they use to retrieve data from any system in the company. You’re also the source of knowledge for policies the company desperately needs. To the operations center, you are the leaders of every security incident, providing analysis for all incidents. To the network services team, you co-own the many network security tools in the environment. To corporate security, you are the forensic team. To the desktop team, you provide consulting on the latest endpoint security suites and encryption tools. You provide continual pentest services to all departments, and the results are often of interest to the legal and audit departments. The financial control team looks to you for SOX compliance, and the Health Insurance Portability and Accountability Act (HIPAA) squad wants general computer controls (GCCs) to protect health-care information.

To all system owners, you provide many services, from patch management to encryption. The list goes on and on, and as I discussed in Chapter 1, probably no one outside your team appreciates the variety of services and the depth of knowledge required to be successful.

No other IT group has to adjust its approach and be subject-matter experts to such a diverse set of audiences. In light of this, do you really want to hire individuals who are merely technologists? Do you really want a heavy-headed employee who lacks interpersonal skills? I don’t.

When hiring, I follow a few simple principles that protect me from making a bad decision, and I’ve rarely made a mistake in hiring. Following my process, you can get through resumes quickly and conduct phone screens in five minutes.

Rule number one: new hires must have a technical degree (for example, computer science, electrical engineering, math, or physics) from a school you can drive to. If you hire people with solid degrees, they will easily grasp the concepts needed to go anywhere in the IT security space. They’ll have the underlying theory of how computer systems work.

NOTE

I’m leery of the Management Information Systems (MIS) degrees, or any of those flavors, because these degrees end up being a curriculum of all introductory courses. They lack depth in any one discipline and contain little theory about what’s happening on the wire, disk, or software.

I also like to hire engineers who have worked for companies with name-brand recognition. I’ve found that those who work at bigger companies know the rules of the road required to navigate big company environments. Change management is a huge consideration in every project that people from small companies don’t get exposed to. Likewise, decisions made at headquarters need to be thought through for various countries, laws, and cultures. Engineers from small companies don’t have this level of experience.

If they have those two boxes checked—a technical degree and big-company work experience—I schedule a 10-minute phone screen for my drive home. I use this phone call to ascertain whether a candidate has solid communication skills. From the initial greeting, I can usually tell whether they’re confident, outgoing, and positive. I ask them a few nontechnical things, and then we delve into some technical areas. From this short call, I can tell if I’d like to meet them in person.

One of my best hires was someone I may work for one day. They’re that kind of a natural leader—engaging with a great wit. They’re comfortable in any setting and have a gift for making people laugh. The real kicker is they’re also very technical; they love the geek stuff! I’ve often said that if I had three folks just like them, I could go anywhere and be hugely successful. They like to snowboard and take a lot of sick days in the winter; funny how they always get sick after a storm dumps four feet of powder in the Sierras. They’re so talented, though, they can have all the sick days they want. They also happen to love their job and the work I ask them to do for the company.

I make sure my team members know the hiring process well. I recommend you develop the hiring criteria as a team. It can be a fun team-building exercise, and the discussion among the team helps reinforce why we hire the talent we do. It becomes a source of pride on the team when they realize we have some of the most capable people in the company. I remind them of this often. If you hire with those two traits in mind, you increase your chances of putting together a team that is capable of living by the values I’ve laid out in this book.

NOTE

Even with this simple set of hiring principles, I typically screen about 40 people before I find a promising candidate. There are lots of posers in our field. Hiring is that important, 40:1. It takes time to find talent, so don’t ever stop looking—even when you don’t have any openings.

Hiring people who can “go anywhere” is critical to your success. There’s not a person on our team who I wouldn’t let go talk to the CEO by themselves. Even our new college hires are confident, personable, and technical enough to be left on their own. They all know the importance of listening first, not speaking down to anyone, and gently influencing to achieve a goal.

I can rest knowing my team will be out all over the company, and will be great ambassadors for our InfoSec team and our program. I’m confident of it. It wasn’t long ago that the most junior member of the InfoSec team taught a class to 50+ staff members on “Wireless Security at Home.” Unbeknownst to us, the CIO was in attendance. When the class ended, they sent me an email about how much they enjoyed the class and how good the teacher was. The CIO had no idea this guy was only a year out of college. They asked to meet the young man one-on-one. This was proof that our hiring process works! How many 23-year-olds get the chance to provide training to the CIO of a Fortune 100? Not many.

Utilizing Lunches

Anyone who has ever worked with me knows that I love the power of team lunches with other groups. Every InfoSec budget I’ve ever submitted has a line item for lunches. Three per week is 150 lunches per year, at $150 each, for a budget of $22,500. This will honestly be your best money spent.

There is no more powerful tool than breaking bread together. Do it as often as you can and use the time to connect with others on a personal level. Find out about their lives outside of work, their interests, where they used to work, places they’ve lived. Listen and ask lots of questions. People love to talk about themselves, so let them.

A good rule of thumb is that every new connection you make with another group in the company should be done over lunch. People throughout the company are a little leery to meet with the security team. Disarm them over food. After introductions around the table, ask everyone to share their favorite movie or Netflix series and you’ll begin to build the bonds of friendship. I remember more from these lunches than any conversation I have with people in the hallways. It’s also a great way to get a long list of must-watch Netflix shows. So do lunch with your colleagues.

Free Lunch Fridays

Here’s a practice that will come back to you in spades, and it’s easy to do. Vendors are knocking at your door to demo their products, so take them up on their offers but require that they host a lunch for whatever number of people you want. The vendors don’t care. They need to get in front of potential clients, so hosting a lunch at your company scores them big points on their side.

Show some wisdom in the companies you invite for lunch. If you’re trying to push the company in the direction of a certain technology, bring in the top players in that space to host lunches with those who would use the systems. This is just lunch, and you know how techies love to eat.

I always get on the phone with the vendor before the day of the lunch (Friday) and game the presentation a bit. We discuss the points they should hit and who will be in attendance. I also dictate the menu. Otherwise, everyone would bring pizza or sub sandwiches. No, I request PF Chang’s, Chipotle, Thai food, and other specialty foods beyond fast foods. The vendors love it, and meanwhile you’re influencing the dialogue with regards to a direction you believe another team should consider.

An example of a successful round of vendor lunches was with the data sciences team where I worked. I met with the team frequently, and each time we met, I got different answers regarding the management of the company’s sensitive data. As a security guy, these conversations are unnerving. I suggested we crawl some of the data stores, looking for sensitive data types, but couldn’t get any traction. It was frustrating.

The next move was to host a series of vendor lunches from the leading vendors in the data governance and data discovery space. I lined up three lunches over the course of a couple of months (never do them back-to-back). After the second vendor lunch, the data sciences team was signing up for a one-month proof of concept to test out the vendor’s tool. Voila! After the third vendor lunch, we were doing a bake-off among products and heading down the procurement path. This was InfoSec judo at its finest.

My rule of thumb for vendor lunches is this: I try to do 3 per month, or 36 for the year. Most happen on Fridays. I’ve used them to educate my team, influence other teams, and help steer discussions we’ve been having with other groups about directions we’d like to see them go. They’re easy to pull off, so go for it.

Pick the vendors that make sense, meaning those whose tools you’re interested in, or those whose tools would be good to learn about, and use the time for education in a specific area. These are free events that cost you only the transaction time to schedule the meeting with the vendor. As I said earlier, I always had pre-meetings with the vendors to set expectations, which ensured our time wasn’t wasted. I would also always invite people from across the company, and some lunches have upward of 20 people. The more, the better!

Lunches with Other Companies

Hopefully, you work in a geographical area that has a concentration of other large companies. (Most of my career, I was in Washington DC, Los Angeles, or Silicon Valley.) If so, they too have InfoSec teams you can connect with and learn from. When I worked in Silicon Valley, I was in heaven. The world’s leading tech companies were one or two exits away. I aimed to take my team to meet with eight other companies a year.

To set up these lunches, reach out to the CISO and propose a team meeting in which you bring some members of your team to their office with lunch in hand. Sit down with this other team for 90 minutes and benchmark all you’re doing against what they are doing. You’ll be amazed at how rewarding this time is.

While I worked in Silicon Valley, we met with many of the big-name companies. This was a huge win for my team as we got an inside look at other InfoSec teams from the likes of Facebook, Google, eBay, Netflix, Twitch, Splunk, Evernote, Box, Dropbox, Salesforce, Zynga, and many more. We were able to make great friendships with these teams. The benefit to you and your team is that you get to ask them lots of questions. Everyone we met with really helped us. We also learned a lot from top-notch engineers.

Through these meetings, I also met some wonderful mentors. I often would go back and have lunch with just the CISO to learn more from them. My all-time favorite meetings were with Rich Tener from Evernote. Rich taught me how to use our bug bounty program for all our pentest needs. The guy is brilliant, so having lunch with him a couple of times a year was a no-brainer for me. I also think of Demetrios Lazarikos, “Laz,” the founder of Blue Lava, and previously the CISO at Sears. He’s been a mentor for years. To think I’m on a first-name basis with these individuals is humbling.

I also think of Joel Dela Garza, formerly at Box, now with Andreessen Horowitz, another mentor whom I followed up with after our team meetings. The list goes on of other CISOs who taught me a lot: Jason Chan from Netflix, Chris Deibler from Twitch and now Shopify, and Aanchal Gupta from Facebook and now Microsoft. All three spoke at our cybersecurity conferences, and I never would have met them if not for our team lunches. Make company team lunches a habit, and I promise that you and your team will be blessed for doing so.

Holding Cybersecurity Conferences

Remember that I said in Chapter 7 that education was your road to success? If you believe this, I suggest you host a cybersecurity conference at your company. They’re free and fairly easy to plan and execute. Your company’s staff will really enjoy them as well.

I did my first conference back at Amgen in 2004; a Microsoft sales guy told me that Microsoft liked it so much, it started hosting its own conference every year, called BlueHat. I would get the best speakers possible: SANS instructors, local CISOs, FBI agents, and CISOs from a few of our key vendors. I would offer multiple tracks and breakout sessions. These conferences didn’t cost us any money, as I would ask one or two key vendors to pick up the tab, and preclude them from bringing any more than two guys. While at Amgen, we had about 15,000 staff members working at our Los Angeles campus, and about 1,000 of them attended at least one session from our conference.

These conferences can be a huge win for the company and your team. And the only investment you need to make is the time required to plan the event.

Meeting with Other CISOs

Here’s another no-brainer: get together with the CISOs in your local area. If you can get three or four of them, invite them for drinks at a local restaurant or hotel bar and just talk shop. I would prepare a list of topics to discuss and then meet them at a five-star hotel for drinks and hors d’oeuvres.

My all-time favorites are Jonathan Chow from NBC Universal and now Live Nation; Bentley Au from Toyota North America and now AEG; Craig Froelich, formerly at Countrywide, now at Bank of America; and Anne Kuhns from Disney. I look up to all these individuals, as they’ve taught me so much, and the price to me was a little LA traffic and a $150 bar tab. I met with them frequently throughout my 15-year stay in LA while working at Amgen, Warner Bros., and KPMG.

Meet with other local CISOs and pick their brains. Everyone likes to share what they’re doing. You can instantly benchmark your program against theirs, and you get an inside look at how to do things in a different, and often better, way. Also, if you hold these meetings regularly and spend a few hours together, you don’t need to go to any conferences, as this compressed amount of time investment will keep your skills sharp.

Conclusion

I don’t consider myself to be very smart, so I needed to come up with creative ways to differentiate myself. These tricks made a huge difference in my career and in the InfoSec programs where I’ve worked. I hope you find them useful. I have many more tricks up my sleeve, but to get them, you’ll have to contact me directly. Good luck on your professional journey.

Final Thoughts

I hope I wasn’t too much of a blowhard throughout the course of this book. I do get passionate about InfoSec and feel strongly about the seven steps I’ve laid out. However, not all of the steps are of equal importance. So if you have time to do only a few of them, focus on the following steps, for which anything less than excellent execution spells trouble for you and your program.

First, step 1, cultivating relationships, will determine the quality of the program you build, as you will be allowed to build only the program your relationships permit you to build. Let this point sink in. Relationships will, by and large, determine your tenure and your success at work. Those who don’t think highly of you are most likely actively undermining you. Your job is hard enough when everyone supports you, so having detractors will make the job grueling. If you have poor relationships with anyone, I recommend pulling out all the stops to mend those as soon as possible.

The next focus area should be step 2, ensuring alignment. If you’re not properly aligned with the company’s culture for risk, or the company’s ability to support your function, then you’re probably building a program the company doesn’t want or need. Being this misaligned will lead to heartache and pain for you and your team. Do your best to realign quickly, following the few simple suggestions I provided in Chapter 5.

Third is the importance and value of having a communications program, step 4. This area cannot be overemphasized. Strong communication allows you to reach areas of the company where you wouldn’t normally go, and to reach staff in ways you wouldn’t otherwise be able to. In the original writing of this book, the communications chapter was twice the size of the next longest chapter. That’s how much I value communications and know of the multiplicative effect it can have on your efforts and program.

Finally, one of the best things you can do to help your program succeed is to spend time thinking about this last domain, or the art of our trade. No doubt you spend most of your time in the eight domains already, so incorporating some of these softer pursuits can only add to the job you’re currently performing. I think you’ll find that the items I’ve highlighted will enhance your efforts within the eight domains and will be a win-win for you and those you’re partnered with.

Where to Go from Here

The beauty of my seven-step process is its simplicity. It touches all the essentials of your position and keeps the truly important elements, like relationships, at the forefront. Whether you’re just starting a new position or evaluating an existing InfoSec program, you can use these seven steps to ensure you’re focused on the right areas.

The questions going forward are: Where do you go from here? How do you apply the seven steps to your existing or new program? The seven steps are a road map for getting you up and running, a guide to keep you focused on what truly matters as you implement and grow your program over time. Using the seven steps, you can get a quick evaluation of the health of your program.

If you have a well-established InfoSec program, these seven steps can be used as a quick assessment of your fundamental processes. For those with mature organizations, here are some basic questions to ask yourself and your team:

Step 1, cultivate relationships:

· Do I have good working relationships across the organization?

· Are there relationships that need to be improved?

· If so, how?

Step 2, ensure alignment:

· Is the InfoSec program aligned with the risk tolerance of the company?

· Is the program supporting the various risk profiles of the individual business units?

· Am I, as a leader, aligned with the risk tolerance of the company and leadership?

· Does my request for resources align with what the company is willing to pay for InfoSec?

Step 3, use the four cornerstones:

· Do we have the proper foundational building blocks for an InfoSec program? What about documentation (policy, charter, SIRP)?

· Do we have the proper security architecture in place, and is there a road map going forward?

· Do I have adequate governance processes in place to stay aligned with the business and to keep the business side of the house involved in InfoSec decision making?

Step 4, create a plan for communications, education, and awareness:

· Do we have a communications plan for the year?

· Do we have a communications, education, and awareness program?

· Are all departments targeted with specific messages clearly spelled out?

· Does the communications plan include phishing?

· Do we offer technical training courses to the product and engineering teams?

· Do we have general communications targeting staff members?

· Are all the InfoSec team members involved in the communications plan?

Step 5, give your job away:

· Is the InfoSec team actively partnering with others throughout the company to secure the company’s information assets?

· Have you given InfoSec responsibilities to other teams?

· Is the InfoSec team regularly meeting with other teams to discuss industry frameworks?

· Are there any RACI charts for shared InfoSec responsibilities?

· When you review industry frameworks, do you acknowledge that InfoSec functions and responsibilities are “owned” by other engineering teams?

Step 6, build your team:

· Are all the team members good communicators?

· Do they have outstanding technical competencies?

· Are they assigned to various business units and technical teams?

Step 7, measure what matters:

· Are you capturing the metrics that matter to address the board and company leadership about the ROI made in InfoSec?

· Are you tracking the staff’s ability to respond to phishing emails?

· Can staff throughout the company recognize policy violations when they happen and know how to report them?

Asking just a few questions will give you a pretty good feel for the health of your program. Be honest with yourself, or better yet, take your team through these questions. If you score poorly in the relationships area, you should either update your resume or put together a plan for how to turn those relationships around.

If you follow my process, all the technical topics will surface during your “lunch tour” when you present the NIST, OWASP, CIS Top 20, or other industry framework to the IT and engineering teams. Then the road maps for each area will naturally fall into place and the path forward for both your team and the IT/engineering team will be codified.

Conclusion

An InfoSec department that values and pursues relationships gains trust from other departments by the value and respect the InfoSec team members extend to their colleagues. Contention won’t foster the atmosphere needed to work together and will be counterproductive to getting work done. Don’t allow any of your team members to be contentious. Defer to and advise the clients on security leading practices. Allow your business partners to make security decisions. The victory is that your client groups are implementing their own security controls. Hopefully, tomorrow they’ll take it even further. Strive for incremental progress while supporting the business.

My advice to you is don’t be the feared colleague whom people succumb to because they are afraid of what you might do. Be the person others trust and value, a trusted advisor willing to shine the light on others to make them look good as they move security forward.

If you’ve learned nothing else in this book, I hope you’ve at least come to understand that successful InfoSec requires just as much art as science. Perhaps you’ve noticed that nowhere in this entire book have I given advice about the technology needed to make your information assets more secure. That’s because you cannot secure the company’s information assets by simply buying better and more technology. All of the steps I’ve laid out in this book will do more for increasing the security of your information assets than any technology ever could.

This process has been effective for me because it applies a management art to an area requiring engineering science. It provides a well-defined process to help navigate the ill-defined job of leading an InfoSec function. The most difficult piece of this process is getting your team to quit seeking solutions in technology and to pivot to securing company assets through relationships, education, and awareness training.

I’ve learned these seven steps on the job. I still use them to this day—because they work. If you’re willing, you can do it too. It may require that you honestly examine your approach, let go of some old and possibly bad habits, listen to the feedback your team gets from the organization, and require that your team be open to change.

Finally, treat everyone with kindness. Kindness and humility working together go a long way. Overlook the invisible middle fingers. Go where you’re wanted. Work with those willing to work with you. View your work in terms of laps around a track. Remember, the InfoSec job is an uphill marathon. Bring in professional training courses to enhance the skill sets of others. Practice evangelism often.

If you practice just some of these, you’ll be acknowledged and valued for the positive contributions you make to the company. Others will notice. Good luck!