Hack like a CISO

Developing the security officers' processes, strategies and techniques for managing their time, resources and teams.

multi tasking running executive race speed internet mobile laptop
Thinkstock

I have written several times over the last couple of years about how the role of today’s CISOs have changed and are now more tuned to support business activities and the management of enterprise risk. Serving an organization as their most senior security executive requires one to be creative and flexible on how to approach issues. Part of this creativity that many CISOs develop over time is specific processes or “hacks” that they have found useful to grow their security programs and use resources efficiently.

A hack has multiple definitions; it can be defined as a piece of computer code providing a quick or inelegant technique to solve a particular problem. It also can be what I believe is a more appropriate definition for CISOs – a process, strategy or technique for managing one’s time, resources, teams or program more efficiently.

As a CISO for different organizations over the last ten years, I have developed hacks on how I approach my role, develop my security program, manage my security teams and protect my organization. I developed each of the following hacks through trial and error; I never got it right the first time. As an executive, you have to be comfortable with failure, so you can learn from it and succeed the next time. I hope you find these hacks useful and they provide some benefit to you and your organization.

Hack no. 1: Interview team members and document services

One of the first things I recommend as a new CISO is to spend time with your new team, and document exactly what processes they are doing that benefit the company. I view my cybersecurity program as a service-oriented department, so I first document all of the services that we provide – this should be more than just answering trouble calls. With this list of services, I then begin to map out the security technologies and the required technical skills and soft skills to support this portfolio of services. Once this is done, I now have a good map of my current “security stack,” and I have a list of technical and soft skills that are required for my security program.

With this type of information, I can now ask my HR department to update the job descriptions of my current staff, and if we are recruiting, I can make sure we recruit for the current skills my team requires. I can also use this information to review my security stack and highlight technologies that may be end of life and require replacement or need upgrading. Finally, the last thing I can use this hack for is to create a training matrix to list all of my team members and assess them to the identified technical and soft skills we require. This also allows me to develop an individual career training program designed for each of my staff members. I have found doing this last training hack results in more well-rounded team members, who are energized to work as part of your team due to this investment in them as a person.

Hack no. 2: Request a list of all contracts your department is responsible for and those that renew soon

I have found requesting a copy of all contracts your department is currently assigned will provide you, as the CISO, long hours of reading but good insight into your new programs responsibilities to its partners and third-party vendors. As you read, be sure to document the SLAs that measure how your vendors are delivering service and also document your responsibilities to them. Use this information to create a timeline of which services and technologies will need to be renewed within the next six to 12 months and schedule them for review. This is where having the security stack information from the first hack becomes useful, because it will help you when assessing what technologies or services to keep, which ones to upgrade and finally which ones will need to be replaced.

I have also used this hack to negotiate better terms on renewing a contract. When you have insight into the technologies and services your team requires, you can develop a list of alternatives. With this list, you are better prepared to renegotiate any upcoming renewals, and be prepared to cut a vendor loose if they refuse to work with you. What is important is protecting your business and if you have established a working relationship with the vendor, they should understand your priorities and work with you to an effective compromise.

Hack no. 3: Inventory provides the visibility you need as a CISO to survive

This hack should be a CISO mandate; it is intertwined into many of the processes an effective CISO and security program will need to be successful. I first start this hack by collecting copies of current network maps, security diagrams, data flows, security contracts, budgets, and previous assessments. I also will review current security projects that are underway and will review their documentation. All of this information I will collect and put into a CISO runbook, which is a current state view of my organization and where my program and role fits into its business operations.

The data collected in this hack will feed into almost everything you do as a CISO. Just understand it will take time to collect the information, you will need to keep it updated and as it is sensitive information, you will need to protect it continually. One last thought before we move on: This information helps the CISO understand how the organization is using its networks for business and provides context into how security is currently supporting these operations. With this current state view, as CISO, you can now adjust security to your view on managing risk and continue to mature your security program with a better frame of reference on how you want to support the company.

Hack no. 4: Conduct my own internal risk assessment

I typically do this after I have completed my inventory hack. Even if a third-party assessment were done recently, I would still do my own internal risk assessment. I do this so I can meet the various stakeholders in the organization and better understand how the networks, applications and business data are used by them to support the business. When starting an assessment, I will use the CIS 20 as the initial assessment framework to review my organization’s maturity with regards to its security controls and managing risk. If at the end of the assessment my company scores a 70 percent or better, I will drop using the CIS 20 and transfer the results to either the NIST Cybersecurity Framework or ISO 27001 framework. The reason is if my company scores over a 70 percent completion, they are at a high enough maturity level to use a more in-depth compliance framework to manage risk.

Once I have transferred the CIS 20 data to either NIST or ISO, I will continue to document any shortcoming and compare the results to the recent third-party audit. With both results, I verify if anything was missed, review the current budget to see if it was addressing any of the identified issues and tailor a strategic plan to mitigate any gaps. As a new CISO, remember this process takes time; you will reach across numerous departments and business units for information, so be patient and get to know your stakeholders because they will become the customers and champions of your security program if treated with respect.

Hack no. 5: Your security teams are your best asset; it’s all about customer service

Cybersecurity does not provide revenue to an organization, but it does provide a valuable service – continuous risk management. I have found as the CISO you will need to organize your teams around a help desk or subject matter expert (SME) framework to provide quality customer service. When I approach this challenge, I use data from the first hack I collected on the security technologies that are used by my teams to support my organization. I review these technologies and identify an SME and alternate SME for each technology. Each team member will be assigned as an SME to an equivalent number of technologies. Once this is established, I then create a watch rotation where a team member will be assigned as the queue manager for the week. They will handle trouble tickets that come in and if there are ones for a specific security technology or service, those tickets can be quickly routed to a specific SME team member for resolution.

I have used this methodology so that every team member will spend a week at a time working with customers. Without these customers, there wouldn’t be a security program, so it is crucial for my teams to understand how to support our employees, assist with projects and respond to their requests promptly. This help desk/SME rotation can also be used to help facilitate the types of training your staff will need, and it helps with assigning the SMEs to create runbooks for their assigned technologies. These runbooks become critical assets when your program matures, and you look to implement orchestration or automation.

Conclusion

This is only a small subset of hacks I have developed as a CISO building security programs. As a servant leader, I feel it is imperative to share these types of hacks for the improvement of our community and to help train new CISOs as they build their first security programs. Cybersecurity is not meant to be implemented and managed in secret; I believe our community matures when CISOs collaborate and assist each other.

This article is published as part of the IDG Contributor Network. Want to Join?

SUBSCRIBE! Get the best of CSO delivered to your email inbox.