Serving as CISO for an enterprise isn't an easy undertaking. As a result, the tenure for a CISO is relatively short—ranging somewhere between two and four years. When asked why they left their previous roles, CISOs cite corporate cultures that lacked an emphasis on security (36%), the inability to gain executive management visibility (34%), and inadequate security budgets and resources (31%) at the top of the list. And of course, termination is all too often another reason for a CISO’s departure.
Beyond vetting new CISO opportunities carefully and sifting out those where the above elements are missing, new CISOs must lay a foundation that will enable them to hit the ground running right out of the gate.
The following are eight recommendations that can help lay the groundwork for a long and successful tenure:
Digital transformation includes technology trends such as cloud adoption, the Internet of Things (IoT), and mobile user connectivity that have erased the traditional network perimeter, exposing enterprise environments to unanticipated risks.
The attack surface is broader, more dynamic, and far harder to assess than conventional IT environments with reliably static borders. Multi-cloud deployments introduce complexity in the form of security silos. IoT devices swell the ranks of enterprise endpoints but typically don't support conventional endpoint security. DevOps creates highly mobile and dynamic workloads that can bypass security controls that aren't built into the application stack. Mobile users keep the geographic footprint in continuous flux and challenge the limits of centralized policy enforcement. Shadow IT adds a vast undercover footprint that is off the security team's radar by design.
Given these trends, developing a comprehensive understanding of your attack surface is a critical starting point for every new CISO.
Takeaway: You cannot protect what you don’t know needs to be protected.
Understanding the full range of security standards and mandates that bear on an organization is nearly as important as knowing its vulnerabilities. Compliance obligations may originate in industry standards such as the Payment Card Industry Data Security Standard (PCI-DSS) or government regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), or the European Union's General Data Protection Regulation (GDPR). They can also pertain to security frameworks that provide a proven set of practice and process templates, such as the National Institute of Standards and Technology SP 800 series (NIST SP 800 Series), the Control Objectives for Information and Related Technologies (COBIT), or ISO 27001.
With a long list of compliance requirements and an executive team that expects you to keep tabs on them and provide them with real-time status, new CISOs need to get a quick lay of the land when it comes to what needs to be tracked and reported upon. An organization’s audit and compliance regime will vary depending on the industries in which it participates, its geographic footprint, and the security standards it has adopted. Plus, with boards of directors, CEOs, and other executives lacking cybersecurity technical wherewithal, a new CISO must communicate in a compliance language they understand.
Takeaway: Compliance can be used as a strategic business enabler, or it can become a headwind that thwarts business acceleration.
The threat landscape is rapidly evolving and changing in ways that make it impossible to predict and prepare for. Cyber crime is being commoditized with the growth of Ransomware-as-a-Service and Malware-as-a-Service as successful criminal commercial markets. IoT botnets have already cycled through several malware generations, gaining intelligence, sophisticated exploits, and advanced abilities to detect and disable defenses and to adapt on the fly.
These changes in the threat landscape are evident in the number of exploits detected per firm, which rose 82% in Q4 2017 over the previous quarter. They are also apparent in the increase in previously unknown exploits, which were 11% higher in Q1 2018 than in the prior quarter.
Prevention and detection of these threats requires advanced threat protection: the ability to proactively identify threats before they exploit vulnerabilities. Per a recent Forrester study, over three-quarters of CISOs with a proactive threat intelligence approach have not experienced a breach.
Takeaway: Integrated sandboxing and real-time threat intelligence sharing between each of the security elements is a requisite to defend against advanced threats.
No two organizations have exactly the same relationship with risk. Gaining an understanding of how much risk, and what types of risk, your new organization is willing to accept is critical. This information will guide your prioritization of security initiatives: what to focus on, and what not to. In addition to your board of directors and CEO, your line-of-business leaders hold valuable insights on the company’s risk appetite. Your information-gathering can concurrently serve as an opportunity to educate the various leaders on the importance of cybersecurity.
Takeaway: A company’s risk appetite determines its security investments and how it approaches the threat landscape.
Relationships are critical for any executive, and this includes the role of the CISO. New CISOs need to start building network connections that encompass everyone from the boardroom, to the executive team, to various members of the network and security teams.
When it comes to CISO relationships, their extent and nature depend on the role the CISO assumes. Deloitte spells out four distinct CISO roles:
The nature of these relationships—indeed the nature of the CISO position itself—is evolving rapidly as organizations confront the existential risk of a major IT security failure. Reporting lines are shifting as the position becomes more strategic and assumes a more multi-faceted role. The reality is that the function of a successful CISO shifts from that of a delivery executive to that of a business enabler.
Takeaway: Today’s CISO must be not only fully conversant in cyber technologies and threats but also speak the language of the business.
All of the above factors will inform how you structure your existing team and what skills you will look for in any new hires. Unfortunately, attracting and retaining talent is expected to be an increasing challenge going forward.
A recent report estimates there will be 3.5 million unfilled cybersecurity jobs by 2021, up from one million last year. This rapid increase has the potential to cause serious business disruption for companies.
A new CISO must quickly begin developing a talent pool of potential recruits who bring the right skills and thrive in the corporate culture. Each step in the recruiting process requires attention and care, from writing an effective job description to strategic job posting, shortlisting and interviewing candidates, then selecting and onboarding the winners.
A new series of CISO Hiring Guides describes a disciplined, six-phase approach to recruiting highly in-demand security professionals.
Many organizations have determined that the best way to maximize the value of their cybersecurity investment is to engage with managed security services providers (MSSPs) to supplement an in-house team—or even to manage an entire program. The ability to enlist proven expertise to fill skills gaps, document compliance, or move to the next level of program maturity—without fighting the rest of the market for specialized talent—is a very attractive option for many organizations.
Takeaway: Having the right human talent to implement your strategy is crucial, and there are a number of ways to make that happen.
Since today’s corporate IT environments typically include both on-premises resources and diverse services delivered through multiple clouds—or a hybrid combination—the default state of security technology is a large number of siloed security tools. These products do not communicate well with each other and certainly do not provide a single, enterprise-wide view of a company’s security posture that would enable a strategic and coordinated threat response.
Given that the threat landscape, your IT environment, and the direction of your business are dynamic, your security architecture must be adaptive. A security fabric approach deploys a common set of layered security tools across the entire on-premises and cloud environment. It provides a single pane of glass from which the company’s security posture at a given moment can be assessed and addressed.
Additionally, your security architecture must provide seamless integration between the different security elements. This enables organizations to automate various manual processes and workflows, freeing security resources to focus on critical business requirements. It also permits real-time threat intelligence sharing between each of the security elements, which is critical in the face of an advanced threat landscape where seconds literally count. Of course, automation also greatly simplifies compliance governance and documentation, audit preparation, and trend analysis and reporting.
Takeaway: Technology silos in security are just as prevalent today as they were a decade ago, and breaking the barriers between them is critical for driving efficiencies and building a better security posture.
Effective communication of results is important for anyone’s career development, and doubly important for the CISO. Data breaches tend to result in intense media coverage, but instances where your company prevented a threat do not make the headlines. It is important that these successes are known internally, and when threats go unaddressed due to insufficient resources, executive management needs to be clearly informed of this as well, along with the implications for your security posture (and the business).
An important starting point for tracking, measuring, and reporting results is to align business-security initiatives based on Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). These need to be developed jointly by the security team and internal business stakeholders. The latter may even include some involvement from your board of directors.
Compliance governance and management play an important role in determining your KPIs and KRIs.
The EU’s GDPR changes the landscape for any organization conducting business in the EU. PCI DSS places governance responsibilities on any organization involved with electronic transactions. The same can be said about HIPAA and HITECH. The list is quite comprehensive.
Likewise, adoption of security standards such as the NIST SP 800 risk management framework and ISO 27001, among others, ensures that security organizations have a codified list of best practices that govern security processes, workflows, and even security architectural design. Here, new CISOs need to ensure they have the right tracking, measurement, and reporting mechanisms in place to provide transparent visibility and control across the entire attack surface. Integrating these mechanisms also unlocks automation, which provides real-time visibility into security status and processes for an improved security posture while freeing up time-constrained security and network staff to focus on business-critical issues.
Takeaway: Objective measurement and communication of your company’s security posture vis-à-vis risk tolerance and business objectives—which includes industry, governmental, and security compliance—is critical to your success.
Aspiring to the CISO role in any organization is an invitation to challenge. Everything you will touch is evolving rapidly—from your job description to your company’s infrastructure to the nature and volume of threats.
Getting off to a fast start is important for almost any high-profile role, but perhaps even more so for the CISO.
If your early work as a new CISO is tactical rather than strategic, you are positioning yourself for failure. The role of a CISO is a wonderful opportunity to do stimulating, fulfilling, and absolutely essential work, and with a disciplined approach, you can position yourself for success. Enjoy the ride!