How to be a trusted advisor

Being a security leader is first and foremost acting as a trusted advisor to the business. This includes understanding its objectives and aligning your efforts to support and enable delivery on the wider strategy.

It is also about articulating cyber risks and opportunities and working with the executive team on managing them. This doesn’t mean, however, that your role is to highlight security weaknesses and leave it to the board to figure it all out. Instead, being someone they can turn to for advice is the best way to influence the direction and make the organisation more resilient in combating cyber threats.

For your advice to be effective, you first need to earn the right to offer it. One of the best books I’ve read on the subject is The Trusted Advisor by David H. Maister. It’s not a new book and it’s written from the perspective of a professional services firm but that doesn’t mean the lessons from it can’t be applied in the security context. It covers the mindset, attributes and principles of a trusted advisor.

Unsurprisingly, the major focus of this work is on developing trust. The author summarises his views on this subject in the trust equation:

Trust = (Credibility + Reliability + Intimacy) / Self-Orientation

It’s a simple yet powerful representation of what contributes to and hinders the trust building process.

It’s hard to trust someone’s recommendations when they don’t put our interests first and instead are preoccupied with being right or jump to solutions without fully understanding the problem.

Equally, as important credibility is, the long list of your professional qualifications and previous experience on its own is not sufficient to be trustworthy. Having courage and integrity, following through on your promises and active listening, among other things are key. In the words of Maister, “it is not enough to be right, you must also be helpful”.

Business alignment framework for security

In my previous blogs on the role of the CISO, CISO’s first 100 days and developing security strategy and architecture, I described some of the points a security leader should consider initially while formulating an approach to supporting an organisation. I wanted to build on this and summarise some of the business parameters in a high-level framework that can be used as a guide to learn about the company in order to tailor a security strategy accordingly.

This framework can also be used as a due diligence cheat sheet while deciding on or prioritising potential opportunities – feel free to adapt it to your needs.

More

The role of a CISO

I’m often asked what the responsibilities of a CISO or Head of Information Security are. Regardless of the title, the remit of a security leadership role varies from organisation to organisation. At its core, however, they have one thing in common – they enable the businesses to operate securely. Protecting the company brand, managing risk and building customer trust through safeguarding the data they entrusted you with are key.

There are various frameworks out there that can help structure a security programme but it is a job of a security leader to understand the business context and prioritise activities accordingly. I put the below diagram together (inspired by Rafeeq Rehman) to give an idea of some of the key initiatives and responsibilities you could consider. Feel free to adapt and tailor to the needs of your organisation.

You might also find my previous blogs on the first 100 days as a CISO and developing an information security strategy useful.

More

One year in: a look back

In the past year I had the opportunity to help a tech startup shape its culture and make security a brand differentiator. As the Head of Information Security, I was responsible for driving the resilience, governance and compliance agenda, adjusting to the needs of a dynamic and growing business.

More

What can a US Army General teach us about security?

General

General Douglas MacMarthur said “never give an order that can’t be obeyed”. This is sound advice, as doing so can diminish the commander’s authority. If people want to do what you are asking them to do, but can’t, they would doubt your judgement in the future.

Despite the fact that most of us operate in commercial organisations rather than the US Army, there are some lessons to be learned from this.

Security professionals don’t need to rally their troops and rarely operate in command-and-control environments. Their role has largely shifted to the one of an advisor to the business when it comes to managing cyber risk. Yet all too often advice they give is misguided. In an effort to protect the business they sometimes fail to grasp the wider context in which it operates. More importantly, they rarely consider their colleagues who will have to follow their guidance.

Angela Sasse gives a brilliant example of this when she talks about phishing. Security professionals expect people to be able to identify a phishing email in order to keep the company secure. Through numerous awareness sessions they tell them how dangerous it is to click on a link in a phishing email.

Although it makes sense to some extent, it’s not helpful to expect people to be able to recognise a phishing email 100% of the times. In fact, a lot of information security professionals might struggle to make that distinction themselves, especially when it comes to more sophisticated cases of spear phishing. So how can we expect people who are not information security specialists to measure up?

To make matters worse, most of modern enterprises depend on email with links to be productive. It is considered normal and part of business as usual to receive an email and click on the link in it. I heard of a scenario where a company hired an external agency and paid good money for surveying their employees. Despite advance warnings, the level of engagement with this survey was reduced as people were reporting these external emails as “phishing attempts”. The communications team was not pleased and that certainly didn’t help establish the productive relationship with the security team.

The bottom line is that if your defences depend on people not clicking on links, you can do better than that. The aim is not to punish people when they make a mistake, but to build trust. The security team should therefore be there to support people and recognise their challenges rather than police them.

After all, when someone does eventually click on a malicious link, it’s much better if they pick up the phone to the security team and admit their mistake rather than hope it doesn’t get noticed. Not only does this speed-up incident response, it fosters the role of the security professional as a business enabler, rather than a commander who keeps giving orders that can’t be obeyed.

Developing Global Cyber Services

UNADJUSTEDNONRAW_thumb_3078

Over the past year I’ve worked as a core part of the KPMG’s Global Cyber Strategic Growth Initiative as the lead for service development activities, with a focus on working with member firms to deploy capabilities in order to ensure consistent delivery and quality across key growth areas.

I was responsible for the roll-out of cyber security services that included developing sales and delivery accelerators, accreditation requirements, learning pathways, vendor ecosystem and quality and risk management principles across EMEA, APAC and Americas.

To achieve this, I created a service development framework and worked with numerous stakeholders across the firm’s network: global deployment, service development leads, acquisition leads, risk management and key member firm cyber representatives and regional leads.

I also developed a method for the in-country adoption of deployed capabilities and supported both global and in-country risk team members in the evaluation of risk when taking services for client use.

I ensured the sustainability of deployed capabilities through the implementation and use of delivery frameworks and tools, and assigned ownership for the upkeep of deployed capabilities. I worked with member firms to promote the adoption of prioritised services; developed adoption timelines and targets for deployed service.

One of the existing aspects of the role was alliance, acquisition and investment integration support where I collaborated with the relevant stakeholders to deploy and embed offerings obtained through alliances to member firms while monitoring progress against agreed budgets, milestones, deliverables and benefits for capabilities being deployed.

By the end of the programme, I deployed Cyber Maturity Assessment, Identity and Access Management, Industrial Internet of Things Cyber Security, Privacy and Cyber Incident Response services to 19 countries around the world.

This resulted in achieving significant revenue and market share growth for cyber security services of my firm globally. KPMG International was also named a leader in information security consulting services in 2016 and 2017 according to Forrester Research.

cq5dam.web.512.99999

Is consulting changing?

As David Maister famously puts in his timeless book The Trusted Advisor, “it’s not enough to be right, you must also be helpful”. You first need to earn your client’s trust, and with it, right to offer advice and be critical of the way things are right now.

What do clients want? You need to demonstrate that you understand them and you are transparent with them. It’s unhelpful to try and bamboozle your clients with jargon and numbers, instead tell what these numbers mean for them.

Consulting has traditionally thrived on information asymmetry: consultants used to know more than clients but this is going away. Not only do we need to shift to provide insight rather than just information, we need to disrupt our own industry to remain relevant. I’m talking, of course, about automation.

Yes, there will always be cases were clients hire consultants when they have already made up their mind and just want to rubber stamp their agenda. But these situations are becoming rare.

From my experience, clients are increasingly reluctant to pay for glossy PowerPoint decks. Managed services and post-implementation support might be some viable options to remain relevant and, therefore, profitable.

The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour

ITGP

In today’s corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company’s assets and mitigate risks to the furthest extent possible.

Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk.

This can be addressed by factoring in an individual’s perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets.

I just finished writing a book with IT Governance Publishing on this topic. This book draws on the experience of industry experts and related academic research to:

  • Gain insight into information security issues related to human behaviour, from both end users’ and security professionals’ perspectives.
  • Provide a set of recommendations to support the security professional’s decision-making process, and to improve the culture and find the balance between security and productivity.
  • Give advice on aligning a security programme with wider organisational objectives.
  • Manage and communicate these changes within an organisation.

Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.

The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour , helping security professionals understand how a security culture that puts risk into context promotes compliance.

It’s now available for pre-order on the UK, EU or US websites.

Change Management

Information security professionals not only have to deal with change, more often than not they represent change. It might be changing the way a company manages access to its systems, works with third-parties or anything else.

To be effective with the change management process, security professionals should work with the business, demonstrating the value of security.

John Kotter in his book Our Iceberg is Melting tells a story about a penguin colony, which demonstrates basic principles of successful change management:

  1. Establish a sense of urgency
  2. Create a guiding coalition
  3. Develop a change vision
  4. Communicate the vision for buy-in
  5. Empower broad-based action
  6. Generate short-term wins
  7. Never let up
  8. Anchor new approaches into the culture