The role of a Chief Information Security Officer (CISO) is not to manage technology, although information and communication technology is at the heart of corporate digital transformation. The crown jewel is information, and the role of a CISO is to manage risk that could prevent organizations and people from deriving value from information.
Whether you are starting a new job or engaging with a new customer in the role of a CISO-as-a-Service, you are facing the same challenges: how to effectively and efficiently identify areas of critical importance, how to establish partnerships with key stakeholders, how to identify crown jewels within the organizational value chain, how to map business risk to technology risk, and finally, how to define and implement a sound information security strategy that fosters security as a business enabler and not an obstacle.
Day “Zero” – Prepare thoroughly
Before you embark on your new role as a CISO, you have to build knowledge about the crown jewels of your future organization. Begin with the organizational mission statement. It highlights the core values and what is to be achieved. Learn about the organization's core activities, its products, services, research and development, intellectual property, mergers and acquisitions. Identify key stakeholders, those who define and implement organizational strategy. Learn about current and former key stakeholders, as that will help you understand how the organization evolved. Research publicly available information: the organization's financial statements, press releases, news, audit statements, data breaches, patents…
Day “One” – Assess ISMS process maturity
An Information Security Management System (ISMS) is a business process. Therefore, it is a set of rules (policies), workflows (procedures), roles (people), tools (decision support systems, data,…), and activities (communication, risk assessments, data analysis, stress tests, audits, education,…) that transform inputs from other business processes into outputs for risk-based decision making, so that the organization can fulfill its mission objectives. ISO/IEC 27001 is an international standard that provides requirements for an ISMS.
The initial set of activities for the new CISO would be to assess the current organizational maturity of the ISMS components. In the plan-do-check-act process methodology this would be part of the planning phase. If you prefer different cycles for your ISMS process, you may call this phase orient for an o-o-d-a loop, or sprint planning for an agile loop. The most important aspect is time and not the label of the phase. You have to manage time efficiently and align the dynamics of the ISMS process with those of other organizational business processes and, of course, with the dynamics of relevant risks.
To assess current ISMS process maturity, a CISO has to review existing policies and discuss their effectiveness and adequacy with key stakeholders (identified during the day “zero” phase). The scope of the process also has to be reviewed. Does it cover all relevant information flows and business processes (relevant to achieving the mission!)? Think and act outside the silo (of your department, geographic location, reporting lines). The ISMS has an organization-wide scope, not a department-wide one.
Identify the most relevant key performance indicators (KPIs) for the ISMS in your organization, establish the current levels and start measuring. Ensure that KPIs include all resources for the ISMS (human resources and financial resources). Start identifying what is working and what isn’t. Assess the current status of work-plan activities, of implementation of audit recommendations, of active security events and related response.
Now you are equipped with early knowledge and management tools to identify areas for potential improvement (both in the short and the long term). As we are addressing the first 100 days of a CISO’s role, we want to identify “low hanging fruits” as well as elements for strategic decisions.
Day “Two” – Meet your key partners
Fellow CISOs, don’t dream that our role is central in the organization, despite all the media hype on data breaches and cybersecurity. The above diagram illustrates that no matter where a CISO is positioned in the organizational hierarchy, to be effective she/he has to act as an “information broker” and as a partner to all these key organizational decision makers. They are all business process owners, data owners, and therefore risk owners. You have to establish formal and informal communication with these roles so that the organization can move forward strategically in achieving its mission.
Effective communication with these roles has to follow process governance and frameworks. Identify any cross-cutting issues, such as “shadow IT” or “bring your own device”, that are difficult to resolve effectively across large organizations. Your diplomatic approach to risk management, as a negotiator, could help reach consensus on cross-cutting issues.
Identify decision making committees/boards where your participation could be mutually beneficial, such as risk committee, audit committee, business continuity working group, personal data protection working group, and similar. Make sure that you are invited to the next meeting of those groups.
Establish dotted reporting lines. For example, information security assessment reports should be shared with internal audit. Another example could be sharing awareness reports with the HR development and training unit.
Identify how other processes could provide feedback to the ISMS process. For example, status reports on audit recommendations implementation could be very useful input for prioritizing security assessments. Contract agreements from the procurement could be useful to prioritize assessing and establishing controls with third parties.
There are many documents and organizational records that could provide insights into critical business processes and related informational crown jewels. One of the most useful is the Business Impact Analysis report(s) from the Business Continuity Planning process. It should contain Recovery Time Objectives for every business process. That information would be your baseline for measuring the adequacy of incident response. It would also help in managing the scope of the ISMS and your work-plan priorities. There are many useful risk management documents, such as risk registers and asset inventories. They are an indispensable starting point for aligning the ISMS with the risk management framework. Procurement records, and in particular Total Cost of Ownership (TCO) questionnaires (sometimes held within the Project Management Office and its process), provide a lot of input from business owners and data owners about their requirements, as well as financial and contractual data for assessing potential impact on projects and related systems and data. Audit reports highlight gaps in governance, performance, and reporting. Certification assessment reports, such as ISO-related ones, identify gaps in process quality and performance. All of them also show where the organization is focusing its efforts and what the areas of critical importance are.
While performing all these activities, it might help to apply the traditional approach of gathering facts by answering the questions from the following illustration:
Day “Three” – Identify strategic risks
“Strategic risks” are those risks that are most consequential to the organization’s ability to execute its strategies and achieve its business objectives. These are the risk exposures that can ultimately affect shareholder value or the viability of the organization.
Ref: Strategic Risk Management: A Primer for Directors, Mark Frigo, Matteo Tonello, Richard Anderson, The Conference Board
It is time to identify those strategic risks for your organization, and to map relevant information security risks to them. There are, however, certain assumptions that are prerequisites for effective strategic risk identification. Firstly, Enterprise Risk Management should be aligned with organizational strategy and performance management. This means that strategic outcomes, which are key performance indicators in the work-plan of each organizational unit, are mapped to the risk appetite. The assumption is also that Key Risk Indicators (KRIs) are monitored alongside Key Performance Indicators (KPIs). Another important assumption is that Business Continuity Planning results in an annual review and adjustment of enterprise risk resilience. That leads to annual updates of crisis management planning and an increase in organizational capacity to cope with emerging risks. It would be of great help if risk stress tests were performed annually on emerging risks. Last but not least, even non-critical repeating risks should be monitored to measure their cumulative impact on strategic objectives.
If any of these is not in place, or not effective, then you should raise it with appropriate stakeholders.
“D” Day – Time to Act
When all the previous activities have been accomplished, you may set your updated ISMS strategy in motion. Make some tactical decisions. Position individual team members within your security team just like a football coach does before the match. Launch your communication program to reach out to every unit and corner of the organization. Start spending your budget (and track it thoroughly!). Launch updated process governance. Listen to feedback from your partners (remember the figure from day two!).
How to build a successful security team?
This topic could be a whole new article, but here are a few useful hints. Improve the visibility of the team. Information security people are usually shy, sitting quietly behind many screens (sometimes one screen to many virtual machines and remote sessions). No, they are not all in hoodies… Just like the fighter jet pilots in the above photo, they could be stealthy when needed but also very visible when asked to be. As a CISO you could organize an “air show” to let your team wave to their colleagues. Everyone could be proud to be part of such a team, and to know that the organization has such a team! Ensure transparency as the core value for information security. That helps to build and maintain trust. And security is all about trust and confidence. Be a good coach, work on self-esteem with your team. Help fill skill gaps. Be supportive of training, knowledge sharing and building partnerships. Start with yourself. I personally like to apply Eric Schmidt’s 70/20/10 time management model. It helps innovation and capacity building. And you can be proactive in information security only if you constantly innovate, together with your team.
Effective communication examples with key partners
There will be many more articles on this very broad topic. But here are some hints for your first 100 days.
Information security risks usually span multiple strategic risk categories. Highlight that aspect in your risk analysis reports and communicate them to all relevant stakeholders.
Map information security risks to business risk and formulate them in the business context rather than as traditional information security risk registers. Present them in the form of visual heat maps with risk velocity indicated. This is what triggers business owners’ attention. Focus on effectively communicating risk intelligence rather than just key risk indicators. Risk intelligence should give early warning signals on growing strategic risks (or falling, there might be areas for business opportunities!). Monitor and share Key Risk Indexes rather than indicators; they should highlight trends in critical risk factors.
Key takeaways – The first 100 days of the CISO
The key takeaway is your agility to dynamically address the above actions, get organized, and communicate, communicate, communicate. Let the below figure be your timeline for planning and organizing all the discussed phases during the first 100 days. And remember, after summarizing the results of your first 100 days you should improve the ISMS and move on to the future.
Post Scriptum
In the title I wrote: “the next generation CISO”. The next generation CISO leverages innovative technologies and management practices. Innovative technologies such as machine learning could help you be more agile and focus on solutions rather than on problems. The next generation CISO is in cybersymbiosis with next generation technologies and uses them to identify the most important business activities and trends in behaviors, to put information security risks into business context, and to simulate, model, and prototype solutions. The next generation CISO uses modern technologies responsibly, in a transparent and auditable manner. Again, security is all about trust and confidence. I will write much more on these topics.
This article is based on my talk at CISO 360 Congress organized by Pulse Conferences in Barcelona in July 2017. At this year’s CISO 360 Congress I will talk on innovative technologies and CISO challenges to manage innovation.