Chapter 5. Step 2: Ensure Alignment

The preceding chapter focused on the importance of establishing and maintaining good working relationships—step 1. This chapter discusses the need to listen and learn from those relationships in order to design the InfoSec program the company wants. You can’t build a program misaligned with the values of the many people who will be your partners in securing the company’s information assets. So, as you initiate and build those relationships, start to get a feel for the company’s culture and attitudes toward InfoSec. Establishing this alignment is step 2.

What I Mean by Alignment

Put simply, alignment means being the security person your company wants you to be. Not the security person you think you should be or the security person you were at your last company. Alignment means operating in step with the company’s values and beliefs toward InfoSec and being comfortable doing so.

To get aligned, you’ll have to get a read on the company’s culture as well as its appetite for risk and information loss. This is where those relationships come in handy. If you get this information from your colleagues, you’ll have what you need to adjust your approach to InfoSec. This takes time and requires you to exercise some emotional quotient, or emotional intelligence, and finesse in dealing with others. Failure to align is often at the root of why CISOs get fired.

I’ve also seen many CISOs who know very little about InfoSec, but who are able to align with the company and get along with others—and they’re quite successful. It’s odd how simply aligning to culture and the attitudes toward InfoSec can trump security knowledge and experience.

Choosing Where to Start on Alignment

So how do you go about aligning yourself and your team’s approach to InfoSec? Where do you begin? I suggest that during your early tenure, as you meet with people across the organization, you ask a lot of questions to get a feel for the company’s attitudes toward InfoSec. The answers you receive will provide “roadside signs” pointing you in the direction of alignment.

For example, ask if the company cares about a data breach. If the responses indicate that the “company doesn’t care” much about information loss, then you’ve been given valuable data. I once worked for a company that didn’t care much about data breaches. It took me a while to align with this prevailing sentiment, but once I did, things went much better for the InfoSec team, and the company got the security team it wanted.

Another consideration is to assess the company’s level of investment in InfoSec. If the company isn’t investing much, InfoSec isn’t a highly valued function. Ask if information or process owners are involved with the protection of their information assets. If they’re not, it’s an indicator that even the information owner is indifferent about information protection.

These are just a few of the types of questions whose responses will guide you into aligning with your company’s tolerance for information loss. If you’re able to glean responses to these simple questions and align your attitude and approach, you’ve begun to align yourself with what the company wants from your position.

Seeing Alignment as the Starting Point

The alignment process is the starting point for all your work. You can’t write your team’s charter without first aligning your approach and attitudes. You can’t write a company security policy without alignment. You can’t develop a road map for your security architecture without alignment. And you can’t craft security awareness and training messages without understanding the company’s attitude about InfoSec.

It may shock you, but it has to be said: as an outcome of reading this book, your company’s information assets may become less secure than they are today or less secure than you’d like them to be. Although I believe following these steps will result in making your company more secure, this book is not about improving the security of your company’s assets. Improved security is merely the intended byproduct of this process. This book is about helping you become more effective as an InfoSec professional in the company where you work. And the starting point for that is alignment.

Determining Your Company’s Risk Profile

A risk profile reflects a company’s tolerance for information loss. This tolerance is determined by the tipping point at which the controllers of money start to care that information loss is impacting the bottom line. To find your company’s tipping point, you need to determine your company’s tolerance for data breaches that lead to information loss. This point is different at every company.

The best indicator of your company’s risk profile is to consider your last breach or set of security incidents. The company’s reaction to security incidents is the best source of data for determining where your risk needle is pointed. Did senior management get notified of the incident? Did the incident cause the company to invest more in the InfoSec team? Did anyone really care? Was anyone held accountable, and how so? The answers to each of these questions are indicators regarding your risk needle.

If you haven’t had a data breach recently (lucky you), you can look at any recent security incident and get a pretty good read on your risk profile. Did the latest piece of malware disrupt business systems? If so, how high up the company did the post-incident report travel? Think back to an information disclosure incident: what were the consequences, and what did it cost the company in the marketplace? What level of manager cared? What was the company’s follow-up response? Did more resources for InfoSec follow? Did InfoSec management have to report to senior management on the root cause and steps to remediate the incident? Answers to these types of questions will help you determine your company’s position on the risk profile scale.

While various industries inherently have different risk profiles, you still should go through the alignment process so you can articulate back to the business the results of your early travels and what you heard the company tell you regarding the value of InfoSec. Obviously, if you work in the financial services industry, your risk needle will no doubt lean higher than for those of us in less regulated industries.

The risks associated with losing customer account information in the financial sector are high. Therefore, we can assume that most financial institutions, and hopefully the ones where we bank, have a low to zero tolerance for information loss. These organizations must protect their information, and they should be investing in InfoSec to keep customer information safe. The InfoSec team should be front and center in the financial services industry. In fact, it’s quite possible that the InfoSec function is run by a business leader, not necessarily an InfoSec technologist.

All InfoSec professionals must understand their company’s risk profile. Knowing your company’s overall risk profile and unique departmental profiles allows you to align and calibrate your approach to InfoSec. Honestly, there are departments in the company that I rarely meet with or speak to. They don’t have any sensitive information, and therefore don’t need much time or help from the InfoSec team.

What if you go down the alignment path and find your company has a risk profile of 3 on a scale of 0–10? If today all of your HR data was released on the internet, it might be predictable that the C-level executives just shrug their shoulders and dismiss the entire incident. Would that surprise you? Knowing your company’s risk profile means that it shouldn’t. Alignment keeps you from being surprised by the response of the company, since they will have already told you of the importance of your function and the value of the information you are protecting.

The Ideal Alignment

I was introduced to InfoSec as a young US Navy officer. The Navy’s InfoSec training and education was best in class. In my first assignment, one of my many responsibilities included managing a Honeywell DPS-6 mainframe. With it came a division of 25 sailors specially trained to support the system. When I started the job, I had no idea what I was doing. My only option was to learn quickly and to trust the team.

During my time on the job, my biggest education was not about the technical workings of the mainframe. Instead, it was about leadership and management, and how people tick—what kind of incentives and respect people need to perform, what motivates them, what people want from their jobs and their bosses. I’m still learning these things, and every day I see how complex people are and how their differences make every management situation unique and challenging.

Looking back, I’ve come to understand that my InfoSec jobs in the Navy were really easy. That’s right. Easy. They were easy because there was absolute alignment within the entire organization about the value of our information and the need to protect it. Up and down the chain of command, everyone understood and agreed. No one questioned the need to protect our systems or data. No one needed convincing. I didn’t have to sell it to anyone or ask for more money. The entire culture lived and breathed security. No one had to be taught its value because everyone understood the cost and risk of data breaches.

The Navy’s culture is homogeneous and well educated with regard to InfoSec. If you were to measure security and risk tolerance on a scale from 1 to 10, the Navy would be a solid 10. This is very different from what you find in the private sector. Few companies take security as seriously as any branch of the DoD. They don’t have to. The assets they’re protecting don’t have the same risk profile or value. And the mission doesn’t have the same level of national importance.

This reality is made clear in the DoD’s data classification system. In this classification system, all information is assigned various levels of sensitivity based on the risk of loss and the impact that loss would have to national security. The data classification schema is well thought out and represents years of work by bright people. For each classification level, certain security measures must be followed to protect the various levels of sensitive data. Different levels even have their own dedicated networks, often air-gapped from other classification levels. Top Secret information, for example, if released or disclosed, is said to have grave implications to national security.

In this type of system and culture, it’s easy to get support for security technologies, as the need for security controls is unquestioned and seen as a matter of national defense. The Navy, like the rest of the DoD, has a risk profile pegged at a 10. The entire DoD considers InfoSec of utmost importance, and aligning yourself to this approach is pretty easy.

But corporate America is a long way from the Navy. And your company will likely hold a vastly different view than the DoD when it comes to InfoSec. No doubt your company doesn’t come anywhere near a 10 on the risk profile scale. And this is where the work of alignment comes into play: finding exactly where your company’s risk needle is pointing. This work is going to require “left brain” muscles and not the technical side we all prefer to live in.

Understanding Your Company’s Unique Risk Profile

I learned many valuable lessons during my transition from the Navy to corporate America. One of those lessons was that InfoSec was usually a back-office function, and the last of the system requirements to be considered. It’s only been in the last 10 years or so, as a result of all the high-profile breaches across corporate America, that InfoSec has been given any consideration. Unfortunately, some of this new attention is little more than lip service.

During my first corporate job, I was amazed at how often InfoSec was not only overlooked but flat-out rejected. Unless it related to compliance, it usually got overlooked in the name of speed or costs. Security was viewed as an unnecessary cost, an impediment to progress, and nonessential to the company.

Working in an environment with little to no support, you realize you’re a team of one. This is not a good place for any CISO to be. If you find yourself in that position, you want to get aligned quickly. Aligning yourself with your company’s attitude toward InfoSec will give you peace of mind (if you can accept it), and position you to build the security program your company wants from you.

Back to my first corporate InfoSec job. Wanting to get off to a good start, I thought an x-ray of the organization was the place to start, and this meant a pentest. The results would provide a picture of the effectiveness of our perimeter security controls. Running this test would provide a snapshot of the company’s cybersecurity defenses and potential weaknesses within its controls. It’s an x-ray of the patient, if you will, and a seemingly logical place to start for any security professional. I assumed the company leadership would value this information, and would take the appropriate action to address the results of the x-ray.

The pentest took about six weeks to complete. With the results in hand, I marched off to meet with the IT infrastructure leader. I was so excited to show them the results. Surely, they’d appreciate knowing the vulnerabilities within their systems, and what our perimeter looked like from the internet. I had no doubt they would respond favorably and gratefully to the information.

I could not have been more wrong—and naive. The manager wanted nothing to do with the findings in my report. Instead of a collaborative meeting, I was beaten up. The manager demanded to know why I had run the assessment in the first place. What was I hoping to accomplish? Why had I run the assessment without him and his team? What was my purpose? Was I out to make him look bad?

They found no value from the information and were even more concerned about who would see it. To them, it was just bad news, and I was the source of it. They flat-out told me I was not a team player and the wrong guy for the job. They said the CIO made a mistake putting me in the position and that I needed to keep the good of the company in mind.

Did I say beaten up? I felt bludgeoned. I’d chosen what I thought was a great way to ingratiate myself with my new colleagues. I wouldn’t have been surprised if they needed help interpreting the findings, or if they asked for help with what their next steps should be. Instead of connecting with a partner in securing the company’s assets, I was deemed an official enemy of the state. This was an example of classic misalignment.

I quickly learned I was a foreigner in a strange new land. My values toward InfoSec were so different from those of others at the company, I wondered if I’d be able to survive the job. I had a sick feeling in my stomach. Over the coming months, I would continue to learn many valuable lessons from this and other clashes throughout the company. These clashes were some of my early lessons about the critical component of alignment: Not everyone will be security minded. Everyone brings their own thoughts and biases about security to the table. Few will agree with me. Fewer will want to secure their systems or data without being prompted or told to do so by leadership.

As I licked my wounds and reflected on my new lot in life, I came to realize that most of the managers in the company shared this infrastructure leader’s point of view. This person wasn’t an outlier. They represented the prevailing culture. The managers in this company were cut from a different cloth than I was. Their experiences and education were different from mine. And they lived and operated in foreign waters, vastly different from the waters I’d previously sailed. This was my new reality.

These lessons helped me adjust my approach going forward. They taught me the value of alignment to the company’s ethos and values. They taught me that if I were misaligned, like a cancer in a body, antibodies would be formed against me, and the organization would develop a resistance toward me. As a result, I learned that I can care about InfoSec only a little bit more than the company does, or these antibodies will “remove” me. Once antibodies are formed, chances are high you won’t be around long.

For the first time, I realized that to be effective in securing the company’s information assets, I’d have to come up with a different approach. I had to align with the company’s culture and shared values toward InfoSec. I had to align to their views on InfoSec and abandon mine, or at least leave them in the parking lot every morning.

Although this is glaringly obvious now, it was new for me then. Security wasn’t in the fabric of the company. Its value and role were different at every level of the organization. Protecting the company’s information assets wasn’t a shared value, and it definitely wasn’t something that would help move the company forward.

I’m happy to say that once I and my team internalized the concept of alignment, and what it truly meant, we were able over the coming years to adjust our approach and take the company from a point where nobody cared to one where security was a high-priority consideration. Alignment made this possible.

Creating Alignment Through Councils

When I refer to governance, as I introduced in Chapter 2, I’m referring to the management of decision making within InfoSec. This management is not necessarily the complete control of decision making, but using governance councils to influence and guide decision making so as to be aligned with the company.

This can be a scary concept because it implies the relinquishing of decision-making responsibilities from you and your team, to a broader constituency. This is not the case. The council will merely serve as an advisory board to weigh in on the decisions put before you and your team. The use of councils is a great way to get and stay aligned with the company.

Throughout the year, I work with three councils that meet at various frequencies to address issues confronting the company and InfoSec. Some councils meet monthly, and others meet every other month or quarterly.

Security business council

The first council put in place should be the SBC, with representatives from each business unit. This council allows the business representatives to voice their concerns, wishes, thoughts on culture, and the “goodness of fit” for the InfoSec issue brought to the council. This council will also serve as your board of directors, off whom you will bounce many components of your program. Through the SBC, you’ll run your entire InfoSec strategy, new purchases, your security architecture, InfoSec policy, plans for awareness and education, and your phishing program, to name a few.

A typical council agenda for the SBC might contain an item relating to phishing campaigns for the company. Ask the council to provide feedback on the following: How frequently do we phish the company? Do we target individual business units? How do we handle the chronic clickers? Is training provided to those who fail the phish? Do their managers get notified? For repeat “unrepentant felons,” do we take any actions? Do we want a pop-up training window for those who fail the phish? You get the idea. Allowing the council members to shape your programs brings your clients into your world, allows your strategy and tools to be shaped by the business, and allows you to achieve alignment in the company.

As a security type, I have my own opinions about what the phishing program should look like, but this isn’t important. Instead, let the council members weigh in on the phishing program. This is alignment in action. It is also great education for the council members, who will very shortly start to own the phishing program and other items brought before them for feedback and shaping.

For the flip side of the previous example, can you imagine what kind of response you would get if your phishing program wasn’t shaped by a council? You might run phishing tests that were offensive, or maybe too difficult at first, or they might contain an inappropriate pop-up training window, or you may phish the company too frequently, or focus on the wrong kinds of phishing emails, or target certain groups too frequently. These are exactly the types of decisions you want the council representatives to weigh in on and make. It’s best to get the council to guide you through all these considerations and more before you begin to phish the company. These are major decisions for the company, and they should always have the appearance of a “committee stamp” on them.

Extended security council

The second council I recommend you establish is one consisting of the most technical people in the company. I like to call this the Extended security council (XSC). The members of this council are chosen because they are recognized as the technical leads in their areas. To this council, I bring the most difficult security topics, which I call the “tasty topics,” and include issues like these: Does zero trust extend to the data transfer between two entities after both ends have authenticated? Should all end users be allowed to be administrators of their workstations? If not, should anyone? If some, who?

Through the XSC, you will run all the technical components of your program. I recommend before each council meeting you meet with the most influential and technical council members—who are hopefully also the most vocal at the meetings—to run your agenda by them.

For example, this council will decide yes or no to local administrator privileges for end users, whether all systems must be hardened before placed into operations, whether security risk reviews or vulnerability scans are done before systems are deployed, whether to use two-factor authentication, and more. Discuss the outcomes you’d like to achieve at the next council meeting with these highly technical council members, and ask for their help in the discussions. You’ll find you quickly have an advocate for the topic so that when the topic is raised at the council meeting, these individuals will chime in and lead the discussion for you.

Executive security council

Another council that should be the bedrock of your program is the Executive security council (ESC). This council consists of the most-senior people from each department (willing to participate) in the company. I don’t always get the executive or senior vice president from every department, but usually each department will assign one of the VPs to attend and speak on its behalf. I’ve found that over time, and as the security function grows in the company, the most-senior members do eventually attend.

The ESC is presented the finished products or decisions that arise from one of the other working councils. For example, this council would get a presentation on the company’s phishing program, including the phishing metrics: the company average failure rate per phish; the time, usually in seconds, of the first responders; how the company’s scores compare to industry averages; the number of our incidents that originated from a phish; and the implications of phishing to, say, data breaches and ransomware.

Another example of a finished decision might be an understanding of how the company would handle a breach through customer notifications. I would present an overview of our IR process, the role of the legal team, the HR team, our communications team, and external counsel if we had to tap them for customer notifications. I let the ESC know that we’ve run multiple tabletop exercises with technical teams and with the managers all the way through breach notification so that we could get comfortable with everyone’s role in the process. I also use this council to preview any board presentations. The council meets four to six times per year, and I suggest meeting individually with each council member as the need dictates, but at a minimum quarterly.

If done well, the ESC will also provide you with a sufficient tone from the top to signal to others that InfoSec is important and to be taken seriously. I recommend that after every council meeting, you publish the decisions to the broader IT and engineering departments. This will close the loop on your decision-making process and set the tone for the next SBC meeting.

All of these councils allow you and your team to get in step with the company. I always take the InfoSec department’s strategic road map through several of these councils. This ensures that we get broad feedback on our plans, and allows the stakeholders to weigh in on our initiatives. When it’s time to present the InfoSec plan for the year, I will bring some of the council members with me to present the InfoSec road map to my management. The importance of councils can’t be overemphasized.

GETTING ALIGNED THE HARD WAY: A DATA BREACH AT A FINANCIAL SERVICES COMPANY

I had a colleague who worked for a major financial services firm where a laptop was lost with customer data stored on it. We don’t know the particulars of the loss, but it was reported that the laptop was not encrypted. This was a bad day for the company. It lost billions in market share. It lost more in customer confidence.

If the laptop had been encrypted, this would have been a nonissue, with no need to report it to their customers. But somewhere within the history of management’s decision-making process, the decision was made to not encrypt laptops. Yikes.

I’m sure this financial firm discussed laptop encryption, its merits versus its costs. I also know that every security type in the industry wants end points encrypted. But somehow, someone ignored the recommendation of the InfoSec team and decided that encryption wasn’t worth it. Maybe it was too expensive. Perhaps the cost/benefit analysis didn’t tip the scale. Whatever the reasons, I was told this firm moved its security needle from a 3 to a 9 in a day, which is a tough way to learn a lesson like this.

On the day of the incident, while the news was reporting the story, senior leaders were posted at exits to the buildings to verify that laptops were encrypted before they left the premises. Upper-level management was personally involved in the security of their systems and data from that day forward. InfoSec was elevated within the organization and routinely put on the strategic agenda. The CISO was moved out from under the CIO.

This type of incident-led alignment is not the preferred path. It often proves career limiting for the CISO. It also comes with a lot of finger-pointing about past failures leading up to the incident, and assignment of blame. No CISO survives this type of incident and lives to brag about it. Forced alignment is never a good thing. So I urge you to get on the alignment process as early as possible in your tenure.

Recognizing Signs of Misalignment

Since the events of 9/11 in 2001, we’ve seen an increased focus on security in general. This has helped to promote InfoSec in many industries, but others still have a way to go. Only in the last five to seven years, as weekly news reports have announced yet another data breach, have companies responded with greater investments in InfoSec. All the media attention given to personal privacy and to the compromise of credit cards and other financial information has been our best ally in terms of upping the value for securing information assets. And, of course, the general public’s concern for protecting their personal information has increased now that it affects their pocketbooks and privacy.

The changes have been good for our industry and for the companies in which we work. Most companies have been victimized by information loss, whether by insiders or corporate espionage. As companies place more value on InfoSec, their risk needle on the security spectrum moves to the right, toward greater security. And your value goes up as a security leader.

Nothing represents misalignment more than when a CISO is the persona non grata around the company, shoving personal views on InfoSec down the unwilling throats of an organization. I hear about this far too often; for example, an InfoSec team that can’t wait for the audit department to blast someone because they didn’t want to listen to InfoSec. Using the audit department as a tool to beat up other departments is a sure sign of InfoSec misalignment. If the InfoSec team reports to IT, it stands with the IT staff members during an audit. They’re one team. The results reflect on the performance of the department as a whole.

Other signs of misalignment can be found by looking at your InfoSec group. Ask yourself these questions: Has this group been moved several times? Have there been multiple changes to the leadership over the past few years? Does the group suffer from long-standing differences with other areas of the business? How often do your customers call with a complaint or a request for your services? When an InfoSec group is approaching the job aligned with the company and its culture, managers and other professionals are calling to request security assistance.

Complaints, on the other hand, are clearly a bad sign. While talking with other InfoSec professionals, I’ve heard stories of InfoSec personnel getting flogged while trying to do the right thing. If you’re getting flogged, you’re not doing the right thing! You’re misaligned. So align quickly. It’s possible the company doesn’t want much security at all, and that’s why you have only a few staff members! The messages are there, often right before your eyes. But you have to be looking to see them.

Many of us still subscribe to traditional thinking, buying wholesale into InfoSec standard operating procedures and practicing an approach that barely worked even before everyone started caring about InfoSec. The problem for many of us is that we haven’t taken the time to understand what our companies really need from us. I’ve met few people who can articulate this. It’s sad this is the case, and that most InfoSec leaders don’t know how to get this information and calibrate their approach to align with the company’s wishes.

If you’re like most InfoSec professionals, myself included, you’re naturally between a 9 and a 10 with your personal security needle. Security is in our DNA. We live and breathe it. We would never deploy a system that wasn’t locked down hard. We believe all projects should address all the risks, or at least all the high risks. Our perimeter should be impenetrable. Mobile devices should have all the bells and whistles protecting the physical asset, the electronic transmissions, and the data on them.

We’re so committed to security that we often battle other groups (who have to manage and support these systems) to get them to see things our way and protect the company assets. We’re martyrs, believing that someday “they’ll see.” Someday our dire predictions will come true, our careful planning will pay off, and then everyone will recognize us as heroes and acknowledge the worth of our fights. Unfortunately, this never happens.

The CISO position has a fair amount of turnover, and that’s understandable. I listen to stories all the time from InfoSec folks who are not comfortable in their jobs. Many lack the professional and interpersonal skills required to navigate the subtleties of sensitive management situations, or the relationships and communication required for managing an InfoSec department. Alignment is often the missing ingredient keeping our colleagues from being successful. Alignment is key to your success and to the company’s intention for InfoSec.

If you build an InfoSec program that reflects the security values of your company, you will provide the level of protection the company wants from your team. Others won’t fight you. You won’t be at odds with other departments or system owners. There will be agreement and, for the most part, harmony. If you take this path, I believe that one day you will be acknowledged for the part you play in securing your company’s information assets.

Please understand my message: you will never be acknowledged for your work if you have not aligned yourself with your company’s risk profile. Instead, you’ll be alienated. Your job will give you an ulcer. You will find yourself in daily battles with your colleagues outside the InfoSec team. Eventually, you’ll suffer a martyr’s death and be walked to the door.

Sound familiar? I’ve seen it happen far too often and to well-intended InfoSec professionals. They know their job and have all the credentials. They understand the technologies and have solid experience from good companies, but many of them are enemies to the culture and the company they work for simply because they are misaligned.

Conclusion

I tell my team members all the time to be softer on security than our colleagues. That’s right. If your colleague is a 5, be just a little to the left of that. This will allow that person to own the security of their system and data. The employees will implement security after they know you’re not going to demand certain standards or cram it down their throats. It may feel counterintuitive, but it’s a good guide for your work. And I encourage all of my team members to live by it as well.

I view my team as backseat drivers. Our job is to whisper in the driver’s ear about the risks of the situation or decisions. It’s their choice whether to implement any security. It’s a business decision. We’re risk advisers, and nothing more, unless we’re invited to be so.

Corporate America lives on revenue and profits. Unless security contributes to profits, it’s just another burden on costs and part of the overhead bucket. At most companies, InfoSec is an add-on, considered at the end of everything else. And truthfully, most managers would rather not deal with security at all. Projects or processes would be much easier without having to consider InfoSec. If you’re fairly new to your company, the process of alignment will go hand in hand with building your base of relationships. As you meet with others, ask for their help and coaching. Indicate that you’d like to align with the company and build the security function the company wants.

If you ever hope to secure the company’s assets, align with your business partners quickly. This doesn’t mean you give up your desire for a more secure company. I’m advocating that you help your company be as secure as it desires to be. Only when you align with your customers can you partner with them to protect their information assets. It’s your only hope. And let this truth sink in: if you don’t align with the company, it will replace you with someone who will.
