Over the past 25 years, I’ve consulted for hundreds of executives on cybersecurity issues including direct support to dozens of CISOs working to effectively manage cyber risk in a wide variety of organizations.  With this post, I’ve attempted to capture some of the best practices from the most effective CISOs I know. In future articles, we’ll look at each of the 10 habits in greater detail, including direct input from the CISO community.  As always, we welcome your feedback. Are their habits we’ve missed? Something here you disagree with? Please let me know at [email protected].

In the meantime, here are the 11 Habits of Effective CISOs:

Understand what is critical to your organization

Most organizations try to take a holistic approach to cybersecurity and treat all systems and users as requiring equal protection.  To adapt an old saying from the intelligence community on strategic warning, “when you protect everything, you protect nothing.” Given that cyber risk needs to be managed like other business risks, it is important that you actually identify which systems are the most critical to your organization.  In my years as a red teamer, I would ask which systems, if compromised, would cause catastrophic or consequential harm to the organization. Those are the systems you must protect first, and are the systems that should be afforded the highest levels of protection in your security hierarchy.  

Identifying critical systems is a deliberate and thoughtful process that may require multiple iterations.  It was not uncommon for customers to put 50% of systems in the critical bucket to start and wind up with only 5% of the systems at the end of the exercise.  

If you know what is most critical, you are now capable of reducing aggregate or concentrated pools of risk and disproportionately improve your security posture (e.g. $1 of defense spent on a high risk system is more effective than $1 spend on a low risk one). 

Seek Security Alpha

In cybersecurity, it has long been assumed that the attacker has the advantage and that defenders must deploy a disproportionate amount of resources (time, money, etc.) to even try and maintain some parity.  

In the financial industry, there is a term called “seeking alpha” for those investment managers looking to exceed standard performance on a risk-adjusted basis.  Recent work by the New York Cyber Task Force implies that CISOs can seek security alpha as well – that is spend a dollar on defense that causes an attacker to spend a disproportionate amount on offense.

In seeking security alpha you should be deploying strategies and solutions that increase the cost to the attacker and provide you with maximum security return-on-investment for the threats and risks your organization faces.

Measure what matters

Jack Welch, the world famous CEO of General Electric and management guru was a huge proponent of measuring what matters in organizations and highlighted that “you get the behavior that you measure and reward.”  This is an essential question for your security program effectiveness and the Return on Investment you are getting from your deployed technologies. Is your security program best measured through a decrease in the number of vulnerabilities detected in a Nessus scan or a reduction in the time to detection for a critical attack?

Red team

As Mike Tyson famously quipped, “Everyone has a plan until you punch them in the mouth.”  Red teaming needs to be an essential element of your security strategy as it is where you can validate that your security implementation matches your security aspirations.  Your red teaming initiatives should:

1. Include external and independent third parties
2. Build upon realistic threat models, attacker tactics, techniques, and procedures (TTP), and mimic attacker decision trees (e.g. what are they trying to accomplish in the compromise).
3. Not impose restrictions that you can’t impose on real attackers (except for do-no-harm requirements)
4. Be conducted as no-notice exercises for your security monitoring and response teams to determine when they detect an attack and how they respond.

Be a Security Translator

I once worked with a Board of Directors that claimed they were “technological hostages” to the CISO as he introduced so much technology and security-insider terminology that they couldn’t understand what he was trying to convey, the real risks to the organization, and their strategy for managing those risks.  He was fired six months later.

Great CISOs understand the importance of translating cyber risk issues into business context for the executive management team and Board of Directors.  The develop meaningful metrics and educate the board not just on the risks they reduce, but the risks that have been accepted in the interest of business operations.  They regularly include the board in their incident response exercises and develop recurring mechanisms to educate the board on current and emerging cybersecurity issues.

Focus your training and awareness initiatives on behavior change

An cyber-aware workforce is a huge asset for modern organizations, yet too often our security awareness and training programs focus on presenting information to employees in stale formats that aren’t retained or actionable.  The best security awareness and training programs focus on user behavior change through the use of incentives and gamification. I was first exposed to this type of program by tracking the work Masha Sedova was doing at Salesforce and was so impressed with the results, we invited her to keynote FedCyber and invested in Elevate Security when it was launched.

You can’t spell SECURITY without IT

Modern organizations often face the contradiction of trying to embrace innovation while at the same time supporting legacy systems and infrastructure upon which the business operates.  In both cases, the CISO needs to be a security partner for the IT department. Years ago, I was meeting with a client CEO of a large publicly traded company and we had the following conversation:

CEO:  “Matt, aren’t you proud of me?  I just approved $3m for our new network based intrusion detection system.  We are spending money on security now.”

Matt:  “Sir, I love the fact that you are focusing some of your budget on security, but buying that system will be like installing a new smoke detector in a school where every kid has a book of matches.”

I made that comment, because I had observed the $4m budget item for upgrading their local desktops from Windows XP (local admin) being denied for two years in a row.  The reality was, they would get more security value by making investments in their IT environment than they would from fancy security tools and that was the point I conveyed to the CEO.

Engage in Dynamic Remediation

Many organizations have structured their security programs around a static remediation model.  They conduct a vulnerability assessment and create a list of things to remediate and then revisit the assessment and the list a few times a year.  The vulnerability environment and their technology infrastructure, however, is not static – it is dynamic. As a result, you need to develop a dynamic remediation process that accounts for new threat and vulnerability developments as well as being anchored towards those systems that are most critical to your organization.  Not only should you engage in persistent scanning, but also adjust your remediation priorities based upon new risk intelligence.

Be Intelligence Driven

Intelligence, and in particular threat intelligence, should be a cornerstone of your security program as it provides a dynamic assessment of the threat and vulnerability environment.  Threat and vulnerabilities are two key components to managing risk in any organization and new information, intelligence, and data points should be dynamically integrated into your risk management program.

Security is an Infinite Game

Here is the bad news; security is not a problem you solve. It is a long-term business risk that must be managed.  It is important that your security program doesn’t focus just on short-term goals, but that you also play the long game.  As the CISO, you need to have a compass, not a map.

This also highlights the importance of building a security culture that identifies and implements lessons learned from security failures and successes.

Embrace the “ations”

Effective CISOs also know how to embrace the following:

Transformation – understanding the sweeping changes, not just in the security industry but within enterprise technology in general.  Understanding transformation allows for you to plan for security in those emerging environments and technology realities.

Automation – As we increase the speed and scale of data flows in our organizations, we also need to augment our human employees with automation and data science to keep pace.

Simulation – Your security program should include simulations that allow for you to collect and incorporate lessons learned.  For example, the SOC should be subjected to attack simulations, the board subjected to breach simulations, etc.

Education – While we can educate our workforce with new concepts like behavior change and gamification, it is also important that the CISO play the role of educating the board, developing strategies for educating customers, and also educating the market through outreach and public speaking.

Conclusion

Managing cyber risk is a complex endeavor and it is impossible to oversimplify it into basic rules, but this piece hopefully provides some useful guideposts, ideas, and high level strategies you can apply within your organization.  For further reading, check out the series of articles below.

https://oodaloop.com/archive/2019/06/10/key-to-a-defensible-cyberspace-a-look-at-the-work-of-jason-healey-and-the-ny-cyber-task-force/

https://oodaloop.com/archive/2019/07/02/cyber-sensemaking-essential-observations-for-the-next-five-years/

https://oodaloop.com/ooda-original/2015/10/22/10-red-teaming-lessons-learned-over-20-years/

https://oodaloop.com/archive/2019/07/09/cyber-sensemaking-part-two-management-lessons-learned-and-essential-actions/

https://oodaloop.com/archive/2019/01/09/the-five-modes-of-hackthink/