CISO Basics, Part 1

So you want to be a CISO? Perhaps you want to be a better CISO? In many cases, you could pick up a book, attend a conference or even talk to some peers and colleagues. Of course, there will be some good advice in these approaches too, but you don’t want to be just any CISO; you want to be THE CISO.

Across two blog posts, I will look at some of the more unexpected but necessary activities you can do from the moment you start in a new role or start with a new approach to being a CISO. Some may be counterintuitive; some may be a little odd, and you may even disagree with a few. But, whatever you feel about them, they should start you thinking about different ways to approach your role and how you see the contributions you make.

In summary, in this particular post, you will learn to:

  1. Stop thinking that infosec is your business.
  2. Stop making technology purchases.
  3. Ask your vendors to explain what you have in your services inventory.

Stop Thinking InfoSec is Your Business

As a CISO, your primary purpose is not to secure the business; as odd as that may sound, it simply isn’t. Instead, the objective of a company is to sell more stuff, increase profit and maximise shareholder value (there are exceptions such as charities, government and the like, but they still have goals that include maximising value nonetheless).

If that is the case, your purpose is to help it achieve that goal through your activities. However, if you put your (security) activities ahead of those of the business, you are, ergo, hindering its ability to achieve its goals. So flip the situation around and ensure that when you come into the picture, you are fully cognizant of what your organisation does, its goals, ambitions and vision. Then, look at how your security team can make that a reality. Simply slapping security measures onto the business without regard for its purpose and intent will, at best, cause friction and disgruntlement and, at worst, diminish its business operations.

Read the company report, talk to the CFO, talk to people on the shop floor, the road warriors, delivery leadership, and, wherever possible, executive leadership. Understand where the business came from, its roots, its beginnings, the founding values and vision, and even how it has evolved (if at all) over the years. By doing this, you will understand how you and your security team can help. Then, and only then, can you start to build your services and security posture.

Stop Your Technology Purchases

Unless the ink is drying on the cheques, you should pause purchasing until you have a better idea of the business. This makes completing the first step all the more critical, as some of the purchases may be vital. However, purchasing something that does not align with your new understanding of the business makes no sense, and significant amounts of money can be wasted and misdirected.

You may find much pushback from various stakeholders in the business, mainly because their pet projects and mini-kingdoms rely on those purchases. As a result, you are stymieing their efforts and potentially making them look bad. Your long-term security strategy, though, depends on solid business cases supporting sensible purchasing decisions that will actively help the company and its long-term goals. Anything else is a distraction and can drain the company’s resources.

Ask your vendors to explain what you have in your services inventory

Why would you ask your vendors what they have sold you? Surely you know that already. Probably not, actually, and it is down to human nature as to why.

Purchases and contracts entered into may have supported failed initiatives or may never have been properly implemented at all. This so-called “shelfware” is an issue in many companies, as supported by 451 Research in 2014, with an evident rise in the problem when it comes to larger organisations. Asking your vendors for a catalogue of services will reap more accurate results, as they have a vested interest in maintaining correct records: they charge you for their services whether or not you use them. Any vendor worth dealing with will happily sit down with you and discuss what they have sold you and what value it brings. If they don’t, alarm bells should be ringing!

Armed with this information, you can start to build a picture of technology services in the company and ascertain what is shelfware, what is used effectively, and what isn’t. Only at this point, and no earlier, should the old purchasing resume, minus the services that provide little to no value to the company.

These basics will be challenging, either because you will be pushing against the weight of expectations from other people in the company or because they take time and effort. That doesn’t mean they shouldn’t be done, and doing them will help set you up for the following three sets of basics that we will cover in the next blog. If you can’t wait until then, here is a little teaser:

  1. Don’t say no to everything
  2. Stop testing your perimeter
  3. Building your plan

Are you sufficiently intrigued?


One thought on “CISO Basics, Part 1”

  1. Geoff Bird

    Hi Thom,
    Thanks, great message, it is easy to miss out on nurturing the health of the wood while keeping busy counting the trees.
