CISO – Page 7 – Cyber Security Leadership

How to be a trusted advisor

Being a security leader is first and foremost acting as a trusted advisor to the business. This includes understanding its objectives and aligning your efforts to support and enable delivery on the wider strategy.

It is also about articulating cyber risks and opportunities and working with the executive team on managing them. This doesn’t mean, however, that your role is to highlight security weaknesses and leave it to the board to figure it all out. Instead, being someone they can turn to for advice is the best way to influence the direction and make the organisation more resilient in combating cyber threats.

For your advice to be effective, you first need to earn the right to offer it. One of the best books I’ve read on the subject is The Trusted Advisor by David H. Maister. It’s not a new book and it’s written from the perspective of a professional services firm but that doesn’t mean the lessons from it can’t be applied in the security context. It covers the mindset, attributes and principles of a trusted advisor.

Unsurprisingly, the major focus of this work is on developing trust. The author summarises his views on this subject in the trust equation:

Trust = (Credibility + Reliability + Intimacy) / Self-Orientation

It’s a simple yet powerful representation of what contributes to and hinders the trust building process.

It’s hard to trust someone’s recommendations when they don’t put our interests first and instead are preoccupied with being right or jump to solutions without fully understanding the problem.

Equally, as important credibility is, the long list of your professional qualifications and previous experience on its own is not sufficient to be trustworthy. Having courage and integrity, following through on your promises and active listening, among other things are key. In the words of Maister, “it is not enough to be right, you must also be helpful”.

How to apply FBI’s behavioural change stairway to security

Unlike the FBI’s Hostage Negotiation Team, cyber security professionals are rarely involved in high-stakes negotiations involving human life. But that doesn’t mean they can’t use some of the techniques developed by them to apply it to improve security culture, overcome resistance and guide organisational change.

Behind the apparent simplicity, this model is a tried and tested way to influence human behaviour over time. The crux of it is that you can’t skip any steps as consecutive efforts build on the previous ones. The common mistake many cyber security professionals make is they jump straight to Influence or Behavioral change with phishing simulations or security awareness campaigns but this can be counterproductive.

As explained in the original paper, it is recommended to invest time in active listening, empathy and establishing rapport first. In the security context, this might mean working with the business stakeholders to understand their objectives and concerns, rather than sowing fear of security breaches and regulatory fines.

All of this doesn’t mean you have to treat every interaction like a hostile negotiation or treat your business executives as violent felons. The aim is to build trust to be able to best support the business not manipulate your way into getting your increased budget signed off.I cover some techniques in The Psychology of Information Security – feel free to check it out if you would like to learn more.

How to assess security risks using the bow tie method

Bow tie risk diagrams are used in safety critical environments, like aviation, chemicals and oil and gas. They visualise potential causes and consequences of hazardous events and allow for preventative and recovery controls to be highlighted.

You don’t have to be a gas engineer or work for a rail operator to benefit from this tool, however. Cyber security professionals can use simplified bow tie diagrams to communicate security risks to non-technical audiences as they succinctly capture business consequences and their precursors on a single slide.

If you work for one of the safety critical industries already, using this technique to represent cyber risks has an added benefit of aligning to the risk assessment patterns your engineers likely already use, increasing the adoption and harmonising the terminology.

There are templates available online and, depending on the purpose of the exercise, they can vary in complexity. However, if you are new to the technique and want to focus on improving your business communication when talking about cyber risk, I suggest starting with a simple PowerPoint slide.

Feel free to refer to my example diagram above where I walk through a sensitive data exposure scenario. For example, it can occur through either a phishing attempt or a credential stuffing attack (supply chain and web application/infrastructure exposure being another vector) leading to a variety of business consequences ranging from a loss of funds to reputational damage. The figure also incorporates potential preventative barriers and recovery controls that are applicable before and after the incident respectively.

Business alignment framework for security

In my previous blogs on the role of the CISO, CISO’s first 100 days and developing security strategy and architecture, I described some of the points a security leader should consider initially while formulating an approach to supporting an organisation. I wanted to build on this and summarise some of the business parameters in a high-level framework that can be used as a guide to learn about the company in order to tailor a security strategy accordingly.

This framework can also be used as a due diligence cheat sheet while deciding on or prioritising potential opportunities – feel free to adapt it to your needs.

Bug bounty programmes are becoming the norm in larger software organisations but it doesn’t mean you have to be Google or Facebook to run one for continuous security testing and engaging with the security community..

Setting it up can be easier than you might think as there are multiple platforms like HackerOne, BugCrowd or similar out there that can help with centralised management. They also offer an option to introduce it gradually through private participation first before opening it to the whole world.

At a minimum, you can have a dedicated email address (e.g. security@yourexamplecompanyname) that security researchers can use to report security issues. Having a page transparently explaining the participation terms, scope and payout rate also helps. Additionally, it’s good to have appropriate tooling to track issues and verify fixes.

Even if you don’t have any of the above, security researchers can still find vulnerabilities in your product and report them to you responsibly, so you effectively get free testing but can exercise limited control over it. Therefore, it’s a good idea to have a process in place to keep them happy enough to avoid them disclosing issues publicly.

There is probably nothing more frustrating for a security researcher than receiving no response (apart perhaps from being threatened legal action), so communication is key. At the very least, thank them and request more information to help verify their finding while you kick off the investigation internally. Bonus points for keeping them in the loop when it comes to plans for remediation, if appropriate.

There are some prerequisites for setting up the bug bounty programme though. Beyond the obvious budget requirement for paying researchers for the vulnerabilities they discover, there is a broader need for engineering resources being available to analyse reported issues and work on improving the security of your products and services. What’s the point of setting up a bug bounty programme if no one is looking at the findings?

Many companies, therefore, might feel they are not ready for a bug bounty programme. They may have too many known issues already and fear they will be overwhelmed with duplicate submissions. These might indeed be problematic to manage, so such organisations are better off focusing their efforts on remediating known vulnerabilities and implementing measures to prevent them (e.g. setting up a Content Security Policy).

They could also consider introducing security tests in the pipeline as this will help catch potential vulnerabilities much earlier in the process, so the bug bounty programme can be used as a fall back mechanism, not the primary way for identifying security issues.

The role of a CISO

I’m often asked what the responsibilities of a CISO or Head of Information Security are. Regardless of the title, the remit of a security leadership role varies from organisation to organisation. At its core, however, they have one thing in common – they enable the businesses to operate securely. Protecting the company brand, managing risk and building customer trust through safeguarding the data they entrusted you with are key.

There are various frameworks out there that can help structure a security programme but it is a job of a security leader to understand the business context and prioritise activities accordingly. I put the below diagram together (inspired by Rafeeq Rehman) to give an idea of some of the key initiatives and responsibilities you could consider. Feel free to adapt and tailor to the needs of your organisation.

You might also find my previous blogs on the first 100 days as a CISO and developing an information security strategy useful.

How to select cyber insurance

I wrote previously about how cyber insurance can be a useful addition to your risk management program.

Unlike more established insurance products, cyber doesn’t have the same amount of historical data, so approaches to underwriting this risk can vary. Models to quantify it usually rely on a number of high-level factors (the industry your organisation is in, geography, applicable regulation, annual revenue, number of customers and employees, etc.) and questions aimed at evaluating your security capabilities.

You are usually asked to complete a self-assessment questionnaire to help the underwriter quantify the risk and come up with an appropriate policy. Make sure the responses you provide are accurate as discrepancies in the answers can invalidate the policy. It’s also a good idea to involve your Legal team to review the wording.

While you can’t do much about the wider organisational factors, you could potentially reduce the premium, if you are able to demonstrate the level of security hygiene in your company that correlates with risk reduction.

To achieve this, consider implementing measures aimed at mitigating some of the more costly cyber risks. What can you do to prevent and recover from a ransomware attack, for example? Developing and testing business continuity and disaster recovery plans, enabling multi factor authentication, patching your systems and training your staff all make good sense from the security perspective. They can also save your business money when it comes to buying cyber insurance.

If possible, offer to take the underwriter through your security measures in more detail and play around with excess and deductibles. Additionally, higher cover limits will also mean higher premiums and these are not always necessary. Know what drives your business to get cyber cover in the first place. Perhaps, your organisation can’t afford to hire a full time incident response manager to coordinate the activities in the event of a breach or manage internal and external communication. These are often included in cyber insurance products, so taking advantage of them doesn’t necessarily mean you need to pay for a high limit. While it is tempting to seek insurance against theft of funds and compensation for business interruption, these can drive the premium up significantly.

It’s worth balancing the cost of the insurance with the opportunity cost of investing this sum in improving cyber security posture. You might not be able to hire additional security staff but you may be able to formulate a crisis communication plan, including various notification templates and better prepare with an incident simulation exercise, if you haven’t already. These are not mutually exclusive, however, and best used in conjunction.

Remember, risk ownership cannot be transferred: cyber insurance is not a substitute for security controls, so even the best cover should be treated as an emergency recovery measure.

Webinar: A CISO panel on weaving security into the business strategy

I had a lot of fun participating in a panel discussion with fellow CISOs exploring the link between cyber security and business strategy. It’s a subject that is very close to my heart and I don’t think it gets enough attention.

In the course of the debate we covered a number of topics, ranging from leveraging KPIs and metrics to aligning with the Board’s risk appetite. We didn’t always agree on everything but I believe that made the conversation more interesting.

As an added bonus, my book The Psychology of Information Security was highlighted as an example of things to consider while tackling this challenge and to improve communication.

You can watch the recording on BrightTalk.

How to secure a business in decline

Many business have felt the economic impact of the Covid pandemic. Depending on the industry, some managed to adapt and pivot to new models and ways of working, but not all were successful.

As a result, some companies were unable to continue to operate profitably and entered administration. The cause of financial troubles, however, doesn’t have to be pandemic-related to pose new security challenges.

In this blog I would like to share some of the priority areas for a security leader in a business in, sometimes rapid, decline.

As the business is failing, the leadership might not treat cyber security as their top priority. However, the organisation still has obligations to its customers who entrusted the company with their data and comply with relevant laws and regulations. It goes without saying that previously identified cyber security threats and risks are unlikely to disappear either.

If there is a chance of survival, a poorly managed security incident can be the last straw.

How should security teams adapt? What should they focus on?

Broadly speaking, there are two main areas a CISO can support the business: securing a potential rescue deal and managing the decline.

There are investors specialising in distressed businesses and part of the administration process might involve looking for a capital injection or an acquisition of a failing company.

Potential investors would understandably need to know what they might be buying which normally involves conducting due diligence on the target. Although circumstances are different, the process itself is very similar to an M&A scenario or a startup acquisition.

As a security leader, it’s your job to provide transparency on the matters related to data protection, past breaches and existing security controls and processes. If done right, it presents the business in a favourable light as a well-governed enterprise, increasing investors’ confidence and therefore chances of a successful rescue deal.

In many ways, this is comparable to overseeing a divestment. A lot of such conversations are confidential, so raising awareness of what can and can’t be shared externally (including on social media), and maintaining appropriate need-to-know access controls is paramount.

Some things, however, are outside of our control and sometimes all we can do is to make the best out of a bad situation.

There are a few key areas to pay attention to when it comes to embedding security for a business in downturn.

People. There will naturally be a lot of leavers, so having a robust joiner-mover-leaver process is key. All access permissions should be timely revoked when no longer required. In addition, data loss prevention controls and broader insider risks should be considered as the morale in the company worsens. On a positive note, people and a culture of security can significantly contribute to the company’s security posture, especially in the conditions of scarce resources (see next point).

Resources. Investment in security is going to understandably diminish. Some of the top talent will leave, so you will have to learn to do more with less. If your desired control to mitigate a particular risk is no longer affordable, what is the next best thing? Can this be done cheaper, or better still, for free? Business leadership should be made aware of the potential consequences of risk acceptances, and there will likely be a higher than usual number of these.

Data. There also might not be enough money to pay for non business critical systems and services. These should be decommissioned in the way that ensures that sensitive (including personal) data is destroyed securely in line with company’s retention policies. Having data maps and asset inventories is invaluable to maintain visibility.

Sustaining operational resilience in the face of cost pressure is challenging but not impossible. For many, it’s a unique learning experience regardless of the outcome.

Chief Information Security Officer Workshop Training

Chief Information Security Officer Workshop is a collection of on-demand videos and slide decks from Microsoft aimed to help CISOs defend a hybrid enterprise (that now includes cloud platforms) from increasingly sophisticated attacks.

Tag Archives: CISO