To start with, here's some background about me and why I consider myself to be in a position to suggest these steps. And as a word of warning, I will do it the "CISO" way: no "background sales noise", just straightforward and to the point:
Why does all this matter?
As a vCISO and a consultant I usually need to achieve results very quickly, in some cases within a month. So I built a methodology to "speed things up" – in our profession you either sink or swim. These are my 5 recommended steps:
Most of the CISOs I have met tell me that one of the hardest things they encounter is a "lack of clarity" about their role and about what the business expects from them.
As a result, their authority is unclear and it is difficult to make any actionable changes. That is one of the reasons (in my experience) why CISO roles have such a high turnover rate.
I suggest that the first step is a meeting with the C-SUITE in which you ask them VERY clearly: "What do you expect from me, and what are my goals from the perspective of the business?"
I have encountered the following answers to "why we need a CISO"; I am sure you have encountered MANY others:
In each scenario, you need to make sure that your success criteria are crystal clear, for example:
YES – they are hard to quantify, but this is part of our job and I will discuss it in the next steps.
In many cases, you will need to set your own performance criteria, because your C-SUITE / Board won't have any for your role. I always like to use a simple gamification: for every year we keep the company safe without a major incident I get 10 "Victory Points", and for each major incident I lose 30 "Breach Points".
This approach shows decision-makers the "long game" and makes them appreciate every year without a breach. And YES – you need to reach the three-year mark to be relatively "safe" (three clean years earn the 30 points that a single major incident costs).
Ultimately, if you don't quantify, you leave yourself vulnerable as a scapegoat: "The CISO got fired after a single phishing incident", rather than "Our CISO has kept our organization incident-free for over 8 years, so they are too valuable to get rid of."
Usually, Step 1 or Step 2 is Risk Assessment. BUT – how can we assess something we do not understand yet?
We need to understand which function, or functions, really drive the business and which are the main catalyst: is it R&D, Sales, or Marketing?
You need to see the entire company FLOW, and you may be surprised, but the flow will look a bit different depending on whom you ask.
It's our job to "attach" all the different pieces and perspectives into one picture and then link it to the "expectations" section of Step 1.
This step will also help you avoid a common mistake: not seeing, or not figuring out, which department "really" carries the most decision power.
(CISOs – we have all been there: a great plan, great solutions, but ... it doesn't meet EXACTLY what department X wants, and so the CEO dismisses it ... don't go there ...)
If you are woken at 2 AM and asked "which department do you need to 'sell' first to get all the rest in line?", you need to be able to answer without thinking. That is true visibility into the flow of the company.
I won't go deep into the details of "how to build a risk assessment plan", but here are several important tips:
(I'll discuss this in the next steps. Hint: either you have skin in the game or you don't have a say regarding the budget!)
What is the point of a risk assessment plan if you don't have a plan to mitigate those risks? In order to mitigate those risks you need MONEY and resources! (People / Tools / Both)
I created a tool to do EXACTLY this – www.boardish.io (last promotion in the article, I promise).
Remember Step 1? You are usually brought into the organization to make it more secure, and making it more secure costs money.
Some departments / C-Suites / Boards will push back and say "it's too much", "we are not responsible for this", "it needs to come from IT and not from our department", and so on.
Yes, you need to be cost-efficient, but you also need to be very strict with your professional assessment, for example:
I already hear you saying "BUT – Eli, you are not being realistic – they don't listen to us ..." and many more excuses.
Yes – being a CISO is a VERY HARD JOB. You need to be professional and to have highly evolved people skills to be able to cope with big changes. A CISO is a much more managerial role than a "techy" one, in my view.
But remember: if you "cave" and accept a "No" while you still own the risk, it is only a matter of time until that risk materializes (a data breach) and you will be at fault. It was your risk, and you did not fight hard enough to get your budget approved.
CISOs are in new waters: deep waters, waters with different tides and the occasional tsunami, so it's time to sink or swim.
Quantify into financial impact figures…