‘Leading Up & Down The Chain of Command’ As A CISO

I was listening to the audiobook “Extreme Ownership” by Jocko Willink and Leif Babin, in which the authors share their experience as Navy SEAL commanders and how to carry that experience over into the world of business.

I did not know what to expect from the book. Yes, I know that many cyber professionals (including yours truly) love to think of themselves as “warriors of cyber”, fighting the ‘bad guys’, along with many other battle metaphors.

Still, I had no idea how strongly one specific part of the book would resonate with my experience in cyber management. One chapter in particular (Leading up and down the chain of command) stood out and matched my experience as a cyber manager almost exactly.

I was struck by the level of similarity and, more importantly, by the clarity and the pragmatic approach this book can give cyber professionals for dealing with our daily ‘missions’.

CISOs and other cyber managers are in a challenging position: they need to ‘lead’ both up and down the chain. They need to manage their teams, and they also need to ‘manage’ their management and decision-makers.

So I want to share a real-life experience from my work as a cyber security consultant that shows what ‘managing up and down the chain of command’ means to me.

Background:

I was brought in by the Chairman of the Board to an organization that had a strong, capable IT department but no proper security team at the time. I acted as interim CISO and project owner in a post-data-breach situation, tasked with building a complete security methodology and a team that would work alongside the CTO and the IT team.

After several board-level meetings, it was decided that the entire overhaul project would be framed around GDPR compliance. Because the company was post-breach, it would adopt GDPR best practices including data encryption, DLP, a SOC team, a new DPO role, and much more. (GDPR itself prescribes no specific tooling: Article 32 asks for technical and organisational measures appropriate to the risk and names encryption only as an example, so this list reflects the plan, not a checklist from the regulation.) I was acting under the ‘command’ of the Chairman; the board approved the entire plan and we officially started the project.

Challenges – Phase 1:

Following several planning sessions with the CTO and the IT team leader, we realised that the company had a HUGE amount of legacy software and hardware (something I see in many companies: old computers running outdated operating systems, or an ERP system with compatibility issues).

Newer computers running current operating systems were a prerequisite for the security tools we planned to deploy, so the IT department faced the huge challenge of upgrading the entire company and getting the infrastructure ready for those tools.

The CTO and the IT team leader understood the scope of it and said they could do it.

Challenges – Managing down the chain of command:

The replacement of legacy IT software and hardware started, the entire IT team was working nonstop, and of course problems began to occur:

  • The upgrade project was taking more time than initially anticipated, mostly because several “top-ranking” departments kept adding obstacles. E.g. ‘no upgrades in this department because they are working on the quarter’s budget and no one may interfere’, or ‘delay the upgrade of this software because there is no time (or will) to train the new mid-level managers on the newer version’, and so on.
  • Staff avoided the IT team because they did not want their computers and software changed (because who likes change?).
In a meeting I had with the team, I remember hearing sentences like:
  • The new project is taking so many resources that we barely have resources to keep the day-to-day running, and this is making our users angry about our service.
  • Before this project we had it stable, we had it calm, people liked us.
  • Before this project we had no issues with Heads of Departments, and now we need to “fight” in order to get this project moving.

The IT team started to “hate the project”.

I remember stopping and asking the IT team very directly, ‘what is the purpose of this project?’

They hesitated a bit and then replied ‘to get the company GDPR compliant, that annoying regulation/compliance thing.’

And I remember thinking: this is MY ERROR, I did not communicate the big picture well enough. They were so focused on the micro tasks that they could not see the big picture, and I had not communicated it as I should have.

I sat down with the team and explained very clearly that we all knew the company had suffered a data breach. They had been lucky and the exposure was minimal, but it could have been much worse, bad enough to have ‘killed the company’. The Chairman of the Board brought me in to make sure it would not happen again; that was my clear mandate.

The purpose of the project was to protect the company: to protect all the different departments, to protect the people, and to protect the families whose livelihoods depend on the company. It was a real “fight for home”. The true purpose of the project was to protect the company so that it would continue to be a home for many years to come.

I also explained that without the IT department being “all in”, we could not get to the next phase of installing the security software, and without that we would not achieve a secure company.

As leaders, it is our job and our responsibility to make sure that every person we are in charge of knows exactly what they are doing and, most importantly, WHY. It isn’t just to “tick a regulation box”; it is to secure the company that is a home and a livelihood for most of its employees.

It’s all about communication, explaining why we do the things we do.

I also understood that my next task was to ‘manage upwards’, because the same issue was occurring with the C-suite and the heads of departments.

Challenges – Managing up the chain of command:

In the next board meeting, I came down “hard” on several of the department heads for “not allowing” IT to do its work.

Their feedback was very similar to that of the IT team and focused on their own projects, budgets, tight schedules and goals. Most of them did not understand how their behaviour was actually affecting the project. (They honestly did not see the connection: “how can my department slow down this entire project? It doesn’t make sense.”)

They knew the big picture and the purpose of the project, but they did not fully understand the steps required to “get us there”. Again, I understood that it was my responsibility to communicate clearly WHAT we were doing and WHY.

So I sat down with the CFO, the IT team leader and the IT department and walked through every step in the checklist for installing ONE new computer: getting it set up with all the required software and so on, all while keeping the user working on a temporary terminal.

I will never forget what the CFO said: “Wow, you do this WITH EVERY SINGLE USER?” And the team leader replied, “Of course, we need to make sure everything works 100% before we hand it over.”

I used this opportunity to remind the CFO that all of this “hassle” is there to keep the company secure: the same goal, exactly the same goal, I had explained to the IT team, and the same goal the Chairman of the Board told us to execute.

Following that, I requested (demanded) several things:

  1. No department will slow down the project, no matter what.
  2. If there is a critical need for a “unique” scenario, the CFO will provide additional budget for extra IT resources so that upgrades can be done at night or on weekends.

The bottom line: no one is too “special” to bypass our timeline. If more time is required, we “buy it”!

The CFO agreed, and during the project additional budget was supplied and an external company was brought in to help with the new software installation, mostly on weekends, ensuring zero impact on employees.

The ROI was clear to the CFO; all he needed was an understanding of “what is happening and why”.

In my role as interim CISO / project owner, I constantly had to ensure clear communication and clear expectations between the team I was managing and my own “management”.

All must be aligned to the same goal and it was my responsibility to keep them aligned.

My experience has shown me that if you communicate clearly, keep it goal-oriented, remove ego and stay pragmatic, you will get both sides on your side.

The project was a big success, and the company itself is now a showcase for methodologies such as “full encryption for unstructured data” and a global SOC team that mitigates most incidents before they have any serious impact.

Plus, IT and the new cyber team are working together better than ever. Both are able to secure budget from the board by communicating clearly their needs, the main goal, the steps to get there and, most importantly, “exactly what the Board expects from IT and Cyber”.

Bringing it all together

Ultimately, when a CISO takes responsibility for a project, task, risk or anything else, there needs to be a very clear definition of WHAT THEY ARE RESPONSIBLE FOR and WHAT THE END GOAL IS.

And this needs to happen at board / decision-maker level before approval, because ultimately a CISO needs to be able to manage up, down (and sideways) to take ownership of challenges and correct issues as they arise. That cannot be done without a very clear and explicit understanding.

In this instance I was able (and had been given the authority) to ‘sit down’ members of senior management and ‘demand’ things from the C-suite because there was clear quantification before I took the project on. I knew exactly what the end goal was, and it was my responsibility to communicate effectively to make it happen. Without that clear ownership, delays would have crept in, and the project might have been abandoned when it met resistance.

You’ll always get resistance (people hate change even for their own good), but with the right ownership, you can be empowered to forge ahead and lead up and down the chain of command!

Eli Migdal – Co-Founder – Boardish

The 5-Step Framework For CISOs Starting in a New Company (If you want to stay longer than 6-12 months)

To start with, here is some background about me and why I consider myself to be in a position to suggest these steps. As a word of warning, I will do it the “CISO” way: no “background sales noise”, just straightforward and to the point:

  1. I’ve been working in IT for over 15 years, 8 of them in Cyber.
  2. I’ve created successful companies and products for both IT and Cyber
  3. I’ve acted as a vCISO, cyber consultant and auditor for over 50 organizations globally, from micro to enterprise (from 5 employees to global banks).
  4. I’m the co-founder and creator of Boardish, a CISO “risk to financial figures” tool that helps bridge the gap between the CISO and the Board.
  5. I listen a lot to David Spark and other amazing professionals in the industry who know their stuff. I don’t think the CISO world starts and ends with me! 🙂

Why does all this matter?

As a vCISO and consultant I usually need to achieve results very quickly, in some cases within a month, so I built a methodology to “speed things up”. It is sink or swim in our profession, so these are my 5 recommended steps:

Step 1: Get / Request / Demand! Clear expectations regarding “why you are there”

Most of the CISOs I meet tell me that one of the hardest things they encounter is the “lack of clarity” about their role and about what the business expects from them.

As a result, authority is unclear and it becomes difficult to make any actionable changes. In my experience, that is one of the reasons CISO roles have such a high turnover rate.

I suggest that the first step is having a meeting with the C-SUITE and asking them VERY clearly “What are you expecting from me + what are my goals from the perspective of the business”

I have encountered the following scenarios for “why we need a CISO”; I am sure you have encountered MANY others:

  1. Make the company more secure after a breach (usually the most common one for CISOs)
  2. Protect the company against regulation and compliance fines
  3. We “need” a CISO “in place” DUE to regulation and compliance. This is often the hardest for a CISO because it doesn’t mean “anything” in terms of goals; you then have to set your own criteria and clarify them.
  4. To make a product or piece of software more secure (sometimes it is the product and not the company; usually software companies).

In each scenario, you need to make sure that your success criteria are crystal clear, for example :

  1. Reducing the risk of a Data breach by 50%
  2. Increase our overall security posture by 30%
  3. Reduce our recovery time from a cyber incident by 30%

YES, they are hard to quantify, and each of them needs an agreed baseline and a way of measuring it, but this is part of our job and I will discuss it in the next steps.

In many cases you will need to set your own performance criteria, because your C-suite / Board won’t have any for your role. I like to use a little gamification: “for every year we keep the company safe without a major incident I get 10 ‘victory points’, and for each major incident minus 30 ‘breach points’”.

This approach shows decision-makers the “long game” and makes them appreciate every year without a breach. And YES, you need to reach that 3-year mark to be relatively “safe”.

Ultimately, if you don’t quantify, you leave yourself vulnerable as a scapegoat: “the CISO got fired after a single phishing incident” rather than “our CISO has kept our organization incident-free for over 8 years, so they are too valuable to get rid of”.

Step 2: Get to know all the other risk owners and gain visibility into what they do and how it impacts the business, AKA “know thy business”

Usually Step 1 or Step 2 is the risk assessment, BUT how can we assess something we do not yet understand?

We need to understand which function, or which several functions, really drive the business and act as its main catalyst: is it R&D, Sales or Marketing?

You need to see the entire company FLOW, and you may be surprised: the flow will look a bit different depending on whom you ask.

It is our job to “attach” all the different pieces and perspectives into one picture and then link it with the “expectations” from Step 1.

This step also lets you avoid a common mistake: not seeing or figuring out which department “really” carries the most decision power.

(CISOs, we have all been there: a great plan, great solutions, but it doesn’t meet EXACTLY what department X wants, so the CEO dismisses it. Don’t go there.)

If you are woken at 2 AM and asked “which department do you need to ‘sell’ first to get all the rest in line?”, you need to be able to answer without thinking. That is true visibility into the flow of the company.

Step 3: Build a Risk Assessment plan + Attach an OWNER TO EACH RISK

I won’t go deep into the micro details of “how to do a risk assessment”, but here are several important tips:

  1. Get as many people as you can from different departments, power users or ambassadors, and involve them in the process! In most cases they can see risk in places you still can’t (because you are new to the organization).
  2. Use tools. There are some great CISO tools for risk assessment that support the relevant frameworks such as NIST and FAIR. USE TECHNOLOGY to streamline the process. I am still a bit confused when I see CISOs using “Excel”; we are “the tech gods”, the ambassadors of “making tech more efficient for the process”. Lead by example and save yourself time and errors.
  3. When assigning risk scores, make sure that most (not usually all) of the people involved will agree, or at least won’t argue against your assessment. If you rate something as low risk and most of the participants consider it high risk, you need to do deeper due diligence. I usually apply a risk assessment to the risk assessment: if a risk rating is uncertain, that uncertainty is a risk in itself, so I “increase it a level”.
  4. Risk ownership. Each risk NEEDS to have an owner. In some cases it is obvious, as with a DPO or CCO; in other cases you, the CISO, will be the risk owner. But be aware that, in my experience, other departments will try to “reduce” or “manipulate” the risk, e.g. “protecting the website from SQL injection is not really the Marketing / Sales department’s issue”, even though 100% of sales are done via the site. You need to be very assertive in nominating risk owners; if the people nominated don’t agree with your nomination, then the risk can be transferred.

(I’ll discuss this in the next steps. Hint: either you have skin in the game, or you don’t have a say regarding the budget!)

Step 4: Build a mitigation plan and quantify it in actual financial numbers!

What is the point of a risk assessment if you don’t have a plan to mitigate those risks? And to mitigate them you need MONEY and resources (people, tools or both).

  1. Quantify the threats! Translate / convert / quantify each threat from a “risk score” into a financial impact. In the example above: SQL injection is high probability and high impact? Great, but what does that really say to the other department heads and the C-suite? Not a lot. Say instead, for example, that an SQL injection has a threat impact of $50.5 million on the organization, and suddenly they will listen (and be ready to show how you arrived at that figure, because the first question will be “where does that number come from?”).
  2. Quantify the solution. How much will it cost? One-time purchases, maintenance, the human resources required, everything: a proper “total cost”.
  3. Show in MONEY what the remaining exposure is if your proposed plan is implemented.
  4. Show decision-makers your risk assessment and your mitigation plan combined. Don’t waste their time on risk scores; come with decision-making information and plans.

I created a tool to do EXACTLY this: www.boardish.io (last promotion in the article, I promise).

Step 5: Negotiate risk owner vs the budget for your mitigation plan

Remember Step 1? You are usually put in the organization to make it more secure, and making it more secure costs money.

Some departments / C-suites / Boards will push back and say “it’s too much”, “we are not responsible for this”, “it needs to come from IT and not from our department”, and so on.

Yes, you need to be cost-efficient, but you also need to be very strict with your professional assessment. For example:

  1. You need $250K to fix the biggest issue, which for this company is “data breach”.
  2. Your Board / decision-makers say “No” (too expensive, or any other reason).
  3. You say “OK”, BUT: when you say “No”, you become the owner of that risk, not me, the CISO. So when a data breach occurs it is crystal clear that I planned how to mitigate it (you brought me in to do exactly this) and you said no. You can’t force them to say yes to your proposal, but you can be very clear on risk ownership and that a “no” means they own the risk now. Get that decision recorded in writing, in the risk register, with the date, the figure that was declined and the name of the person who declined it; a verbal “no” is forgotten the day the incident happens.
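As an added illustration of how Step 3 (ratings, consensus, the “increase it a level” rule, ownership), Step 4 (money) and the ownership transfer in Step 5 fit together in one register, here is a small Python example. It is not code from this page and not Boardish’s method; it assumes the standard annualised-loss-expectancy model (single loss expectancy × annual rate of occurrence = ALE, exposure = ALE × planning horizon) as one defensible way to turn scores into figures, which is simpler than the loss-distribution approach of FAIR-style tools mentioned above. Every risk, participant, rating and dollar amount below is constructed for the example.

```python
"""Tiny risk register: qualitative ratings in, board-ready money out.

Constructed example. Loss model assumed: SLE * ARO = ALE; exposure over a
planning horizon = ALE * years. All names and figures are invented.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LEVELS = ["low", "medium", "high", "critical"]


@dataclass
class Risk:
    name: str
    ciso_rating: str                     # the CISO's own qualitative rating
    participant_ratings: Dict[str, str]  # ratings gathered from other departments
    owner: Optional[str]                 # None until someone accepts ownership
    sle: float                           # single loss expectancy (currency units)
    aro_before: float                    # expected incidents per year, no control
    aro_after: float                     # expected incidents per year, with control
    control_one_time: float              # licences, implementation, hardware
    control_annual: float                # maintenance plus staff, per year
    decisions: List[dict] = field(default_factory=list)


def consensus_rating(risk: Risk) -> str:
    """Low median of the participants' ratings (ordinal data, so no averaging)."""
    ranks = sorted(LEVELS.index(r) for r in risk.participant_ratings.values())
    return LEVELS[ranks[(len(ranks) - 1) // 2]]


def needs_due_diligence(risk: Risk) -> bool:
    """Tip 3: most participants rate the risk above the CISO -> dig deeper."""
    ciso = LEVELS.index(risk.ciso_rating)
    higher = sum(1 for r in risk.participant_ratings.values() if LEVELS.index(r) > ciso)
    return higher > len(risk.participant_ratings) / 2


def effective_rating(risk: Risk) -> str:
    """Risk assessment on the risk assessment: an unsettled rating is itself a
    risk, so it is bumped one level until due diligence settles it."""
    rank = LEVELS.index(risk.ciso_rating)
    if needs_due_diligence(risk):
        rank = min(rank + 1, len(LEVELS) - 1)
    return LEVELS[rank]


def quantify(risk: Risk, horizon_years: int = 3) -> Dict[str, float]:
    """Step 4: threat impact, total control cost and remaining exposure in money."""
    ale_before = risk.sle * risk.aro_before
    ale_after = risk.sle * risk.aro_after
    control_cost = risk.control_one_time + risk.control_annual * horizon_years
    exposure_before = ale_before * horizon_years
    exposure_after = ale_after * horizon_years
    reduction = exposure_before - exposure_after
    # Return on security investment: net benefit per unit of control spend.
    rosi = (reduction - control_cost) / control_cost if control_cost else float("inf")
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "control_cost": control_cost,
        "exposure_before": exposure_before,
        "exposure_after": exposure_after,
        "rosi": round(rosi, 2),
    }


def record_decision(risk: Risk, approved: bool, decided_by: str,
                    horizon_years: int = 3) -> dict:
    """Step 5: a declined budget transfers the risk, and the full exposure,
    to whoever declined it. The written entry is what makes the transfer stick."""
    figures = quantify(risk, horizon_years)
    if not approved:
        risk.owner = decided_by
    entry = {
        "risk": risk.name,
        "approved": approved,
        "decided_by": decided_by,
        "owner": risk.owner,
        "accepted_exposure": figures["exposure_after"] if approved else figures["exposure_before"],
    }
    risk.decisions.append(entry)
    return entry


def board_order(risks: List[Risk]) -> List[str]:
    """Present risks by money at stake, not by score."""
    return [r.name for r in sorted(risks, key=lambda r: quantify(r)["exposure_before"], reverse=True)]


# Constructed sample register: two risks with invented figures.
SQLI = Risk(
    name="SQL injection on the sales website", ciso_rating="medium",
    participant_ratings={"cfo": "high", "sales": "medium", "it": "high", "marketing": "high"},
    owner=None, sle=2_000_000, aro_before=0.5, aro_after=0.05,
    control_one_time=150_000, control_annual=50_000,
)
LAPTOPS = Risk(
    name="Unencrypted laptop theft", ciso_rating="medium",
    participant_ratings={"it": "medium", "hr": "low", "sales": "medium"},
    owner="IT", sle=50_000, aro_before=2.0, aro_after=1.0,
    control_one_time=30_000, control_annual=5_000,
)

if __name__ == "__main__":
    for r in (SQLI, LAPTOPS):
        print(r.name, "| consensus:", consensus_rating(r), "| effective:", effective_rating(r))
        print("   ", quantify(r))
    print(record_decision(SQLI, approved=False, decided_by="CFO"))
    print(board_order([LAPTOPS, SQLI]))
```

With these invented numbers the SQL injection risk, which the CISO rated “medium”, is pushed to “high” because three of four participants rated it higher; over three years it carries $3M of exposure against a $300K control, so the board sees a 8× return rather than a colour on a heat map, and a “no” from the CFO lands the full $3M on the CFO’s name in the register.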

I can already hear you saying “BUT, Eli, you are not being realistic, they don’t listen to us…” and many more excuses.

Yes, being a CISO is a VERY HARD JOB: you need to be professional and to have highly developed people skills to be able to cope with big changes. In my view a CISO is much more a managerial role than a “techy” one.

But remember: if you “cave”, accept the “No” and keep the risk, it is only a matter of time before that risk materialises (data breach) and you will be at fault. It is your risk, and you did not fight hard enough to get your budget approved.

CISOs are in new waters, deep waters, waters with different tides and the occasional tsunami, so it is time to sink or swim.

Eli Migdal

Boardish Partners with 360inControl®

Boardish, a cyber risk quantification tool, and 360inControl®, a new generation of internal control system, have announced the start of a partnership that will help provide a full risk management and control solution for CISOs around the globe.

Bringing Together Risk Discovery and Risk Quantification

360inControl® helps companies create a detailed inventory of all the information they hold, classify it accordingly and assess the current risk levels. Boardish, on the other hand, transforms this information into financial figures that help CISOs communicate risk and solutions effectively to the board and decision-makers.

Andreas von Grebmer, co-founder of 360inControl®, Information Security & Risk Advisor and CISO, explains that the partnership is a step in the right direction:

“It’s logical for 360inControl® and Boardish to work together, since our services complement each other rather than compete against one another. While 360inControl® offers risk assessment through master data management and defining values for likelihood and impact of various risks, Boardish complements this beautifully by putting actual figures on all threats and risk levels.”

Eli Migdal, co-founder of Boardish, welcomed the partnership:

“Boardish has been particularly selective about who we work with, and so this just shows the calibre of 360inControl® and their product. They have a truly wholesome solution that detects and keeps track of all types of data the company works with, which makes risk assessment and quantification much easier.”

Bringing CISOs a Full Risk Management Solution

Note that Boardish and 360inControl® currently have no technical integration with each other, but together they can still provide a full service to any CISO who needs a clearer picture of the cyber security landscape.

The partnership between Boardish and 360inControl® covers the whole journey: from risk awareness and risk discovery to clear communication with the board and fast-tracking its approval.

Full-service Partnership Is the Next Step

The business partnership is just the start, with Andreas and Eli confirming that they will likely become service partners as well. As service partners they would share resources, giving them a better overview of cyber security and letting them improve their tools even further. They would also release joint case studies for existing customers, helping CISOs see just how much faster they could implement solutions by using these tools.

Ultimately, the aim is a complete vulnerability assessment and remediation process for CISOs.
