Two weeks ago,m Baseline Magazine published the results of a survey regarding executives' views toward the CISO position. The results were less than encouraging:
- 74% of the C-Level executives surveyed believe that CISOs should not be a part of organizational leadership teams
- 44% view the primary role of the CISO as "being accountable for any organizational data breaches."
These results are not surprising to most practitioners. In many companies, the title ‘CSO’ stands for “chief scapegoat officer” even to this day. CSOs and CISOs live in fear of the inevitable breach, because such an event will lead to accusations and recriminations versus investigation and remediation. Ironically, this attitude by the organization's executives actually reduces the efficacy of the security team. In addition to creating an undertone of survival and us-against-the-world within the CISO organization, the senior security executive now feels compelled to spend a goodly portion of their time covering themselves (i.e., "creating the paper trail") and focusing on tactical issues versus strategically driving the security program.
While many of my brethren will focus on the aforementioned results, this survey reveals a more telling statistic: 68% of the executives surveyed feel CISOs lack broad awareness of organizational objectives and business needs. Despite our best efforts, and despite certifications that preach otherwise, we are clearly failing to adequately link ourselves to the businesses we support. While there are no silver bullet answers out there, here are a couple of tips and pointers that I've found effective in bridging the "business gap" over the years:
- Ask The Key Question. When I assume the role of CSO/CISO in any organization, I make it a point to meet every business line leader and their direct reports within the first two weeks of my arrival. The first question that I pose to each of them is always the same: "How do you make money?" Not "what do you do for a living," but how does that business unit generate revenue for the organization? When they answer me, I keep probing and asking questions until I truly have at least a high-level understanding of the services and products offered and how they contribute to the company's bottom line. Once you understand how the business makes money, it becomes exponentially easier to understand where security controls are appropriate -- and, more importantly, the potentially negative impact a specific control can have on the revenue picture.
Note that I used the terms "money" and "revenue" instead of "profit." Even non-profit and not-for-profit organizations generate revenue to pay the bills. While the mission/purpose of any organization is critical, that mission must generate some level of revenue in order to succeed at its efforts.
- Have A Strategy. Sounds simple, right? Yet to this day a significant portion of CSOs do not have a documented strategy. Those who have documented their strategies tend to link their objectives solely toward risk reduction and mitigation versus achieving the business' objectives -- which leaves an impression with executives that security is something that they "have to do" that is diverting expenditures away from revenue-generating efforts.
I'm an old Common Criteria (CC) tester and evaluator. The one thing that I loved about the CC was its structured approach regarding requirements. Functional requirements led to technical functional requirements which in turn logically led to security functional requirements. I take a similar approach when structuring my strategic imperatives. The business wants to do something; that "something" will require a specific operational and technical capabilities. Creating those capabilities at a risk level consistent with current risk levels requires us to enable/enhance/create these specific security capabilities. This linkage helps intrinsically tie your security endeavors to the business.Understand that there are times that you will need to drive compliance and/or risk reduction activities purely for the sake of compliance/risk reduction; but never forget that being compliant is a business requirement and that you are reducing risk to a level acceptable to the business. Say those things in your strategy.
- Educate Your Teams. You can't be the only one that understands the business; every member of your team needs this level of understanding as well. Not only will it change the optics re: your team as they interface with the business, but it will also enable them to bring more business-appropriate solutions to the table as they problem solve in the security space.
It would be easy for us to make a bit of a chicken-and-egg argument here and claim that we security warriors can't start thinking strategically and better integrate security with the business because we fear recriminations when something goes wrong. If this survey is any indication, though, we are collectively limiting -- if not damaging -- the profession by not aggressively focusing on relating our activities to the our organizations' strategic imperatives. If we are living in an era where massive breaches are becoming commonplace and we cannot guarantee that a breach will not occur, then a lack of a strategically-driven security program that is intrinsically linked to business objectives only justifies the opinions listed above.
My two cents...