In Monday's Salted Hash blog, Bill Brenner sends us to look at a "man on the street" video taken at last week's RSA Conference. In this video, InfoSec practitioners are asked what they would do if they were made CISO tomorrow. There were many amusing answers ("fall off the wagon;" "party hearty"), but there were also some well thought out responses amongst the contributors. The thing that stuck me most about this video, though is that answer that missing: understanding your business and its business model.
As a profession, we have preached for some time about the importance of understanding the business when constructing a security program. One of my esteemed colleagues has even been quoted as saying that CISOs should "stop fiddling with the firewalls and go talk to the business" -- a sentiment with which I could not agree more. Yet despite our efforts on this front, a random sampling of respondents (which included two CISOs) taken at one of the largest security conferences in the nation failed to recognize obtaining business knowledge as one of the first things that a CISO needs to do when taking the Chair.
There's no secret to obtaining business knowledge, folks. Often it is merely a matter of making the effort. Here are a few approaches that I have found to be helpful over the years...
Ask Questions. Day One for me as a CISO usually starts with me getting on the calendars of every executive leader in the company. During these meetings my goal is neither to persuade anyone of the importance of the CISO job nor even to gauge who my allies and enemies might be; I am simply looking for the answers to three questions:
1. How does your portion of the company make money? In nonprofit organizations, the question can be rephrased as how do you provide service/how do you help the company meet its objectives? Understanding what the business leaders see as driving revenue/value helps you understand what is important to protect...and where disruption might be perceived negatively.
2. What keeps you up at night from a security perspective? What are the leaders really worried about? On every occasion, I find myself surprised by at least one item that is on the minds of the business. Keeping this item on your radar -- and solving for it -- can create momentum and buy in for other parts of your program.
3. What is the one thing I can do to help you from a security perspective? Yes, you'll get the "eliminate the firewall" and "just go away" answers from some; but you'll also get some fairly direct and meaningful answers from leaders who do want to figure out how you fit within their organization. Again, this is an opportunity to receive meaningful guidance on how to achieve operational "win-wins" as you implement your program.
Listen. Be open shuttered and passive. Don't assume you have all the answers. Remember that the business, no matter how vulnerable, has managed to survive (if not thrive) before you came on board. You don't have to agree with everything everyone says, but only by listening can you begin to understand their perspectives and points of view.
I start every new encounter by informing people that I know exactly two things: that my wife & son love me unconditionally, and that I could be wrong about everything else. Keeping this perspective throughout a conversation helps ensure that I stay focused on my colleague and on understanding their issues.
Buy Coffee and Lunch. Everyone has to eat sooner or later...and most people will give you more of their time over a cup of coffee or a meal. Taking the time to break bread (or caffeine) together can instantly begin go defuse a tense situation. Meal meetings occur on neutral ground (i.e., not in anyone's office) and can be a great opportunity to get to know one another beyond the work roles that we assume. This even rudimentary relationship building can go a long way in helping you integrate into the business environment as well as create opportunities for dialogue and cooperation.
My personal of rule of thumb is that I set aside $1000 for coffees and lunches out of my own pocket when I take a new CISO job. My objective is to spend the entire amount within the first 45 days meeting with executives, peers, team members, and other key business personnel. I contend that this is the best investment a new CISO can make in his or her success.
Make no mistake; these pointers will not mean a painless journey for a new CISO; there will always be those for whom your role is nothing but a necessary evil. That being said, remembering to focus on the business can make a hard road somewhat less bumpy...and mayhap even enjoyable.
No comments:
Post a Comment