CISO Basics, Part 2

In the last post, I looked at some of the less apparent activities upon becoming a new CISO, namely:

  1. Stop thinking that infosec is your business.
  2. Stop making technology purchases.
  3. Ask your vendors to explain what you have in your services inventory.

In this post, we will take this a step further and closer to actual business as usual and maintaining your security team as a functional part of the organisation.

Don’t say “NO!” to everything.

This is an obvious thing to do, but it is much harder to do in practice. The reality is that this requires a complete change in mindset from the traditional view of the everyday CISO. As a species, the CISO is a defensive creature who is often required to back up every decision and be the scapegoat of every mistake (see One CISO, Three Envelopes https://thomlangford.com/2014/12/01/three-envelopes-one-ciso/) and generally rubber-stamp choices that are out of their bailiwick and control.

The mindset shift requires a leap of faith precisely because of this perceived threat of blame and accountability, when in fact it does just the reverse.

It starts naturally enough with the language used by the CISO and the team, for instance, renaming the Change Approval meeting the Risk Review meeting and not communicating a yes/no or go/no-go response to changes but rather the level of risk associated with the request, along with alternative approaches as appropriate. There is a need to communicate this shift in the culture, of course, but people will see that they, not the security team, are accountable for decisions that affect the business. Shifting the mindset away from being a gatekeeper to a security team that provides sensible and straightforward advice based upon clearly understood risk criteria is a fundamental step towards avoiding being known as the Business Prevention Unit. Politely correct others’ language when they mention an action that requires sign-off or approval from “Security” and help them understand their role in the business decision.

This approach will not make 50% of your problems go away with a snap of the fingers. Still, carefully planning and educating your stakeholders alters the impact you can have on the business dramatically for the better. It also allows you to draw a clearer line between the activities of the security team and the company’s performance, all for the price of merely no longer saying “no”.

Stop Testing Your Perimeter

What? Are you serious?! 

Absolutely.

As you enter a new environment, you will be taking many critical pieces of information on trust and from people with vested interests in their careers, livelihoods and reputations. Your arrival upsets the status quo and has the potential to disrupt the equilibrium; all reasons to not always be forthcoming with every piece of information you request. It isn’t about people being dishonest or deliberately misleading you, but merely being complex, multi-faceted human beings with multiple drivers and influences.

Your perimeter is one of the fundamental pieces of your information security puzzle. Despite cries of “the perimeter is dead”, it remains a prominent place for attacks to happen and where you should feel fully confident that you know every node in that environment to the best of your ability.

Whatever your testing cycle is, suspend it for some time and conduct as complete an investigation as possible into precisely what your perimeter comprises. It can be done automatically with discovery tools, manually through interviews with those responsible, visually in data centres (where you have old-school “tin” still in use), and through any combination of the above. You will likely find devices that you, and probably existing team members, weren’t aware of, especially with the proliferation of Internet of Things devices throughout the enterprise now. Did facilities install a new access control system or room booking system? Did they consult IT, or more to the point, you?
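The reconciliation step described above, automated discovery checked against what the team believes is on the perimeter, can be put into working code. The script below is an added example, not code from the original post or from (TL)2 Security. It assumes two constructed inputs: an inventory export (CSV with ip, hostname, owner, role) and a discovery-tool export (CSV with ip and open ports); the addresses, ranges and port lists are all made up, drawn from documentation ranges, and the CSV layout does not mirror any particular tool. It goes slightly beyond the paragraph by also filtering out discovered hosts that fall outside the declared perimeter ranges and by flagging services commonly associated with embedded devices, which is the kind of hint that surfaces the access control and room booking systems the text mentions.

```python
"""Reconcile a perimeter inventory against a discovery sweep (added example).

Three outcomes per address: "known" (in inventory and observed), "unknown"
(observed but not in inventory), "missing" (in inventory but not observed).
All inputs below are constructed sample data using documentation ranges.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed: what the inventory (e.g. a CMDB export) says is on the perimeter.
KNOWN_INVENTORY_CSV = """ip,hostname,owner,role
203.0.113.10,www-edge-1,platform,web
203.0.113.11,www-edge-2,platform,web
203.0.113.20,vpn-gw,network,vpn
203.0.113.30,mail-relay,messaging,smtp
"""

# Constructed: what a discovery sweep actually observed. The last row is
# deliberately outside the declared perimeter range to show scope filtering.
DISCOVERED_CSV = """ip,open_ports
203.0.113.10,80/tcp;443/tcp
203.0.113.11,80/tcp;443/tcp
203.0.113.20,443/tcp;1194/udp
203.0.113.45,80/tcp;23/tcp
203.0.113.46,80/tcp
203.0.113.200,502/tcp
198.51.100.5,22/tcp
"""

# Constructed: the ranges the organisation considers its perimeter.
PERIMETER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Services that are common on embedded / IoT / OT equipment; a hint, not proof.
EMBEDDED_HINTS = {"23/tcp": "telnet", "502/tcp": "modbus",
                  "1883/tcp": "mqtt", "554/tcp": "rtsp"}


@dataclass(frozen=True)
class Finding:
    ip: str
    status: str   # "known", "unknown" or "missing"
    detail: str


def parse_csv(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def in_scope(ip):
    """True if the address lies inside one of the declared perimeter ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PERIMETER_RANGES)


def embedded_hints(open_ports):
    """Return names of embedded-device services among the open ports."""
    return [EMBEDDED_HINTS[p] for p in open_ports.split(";") if p in EMBEDDED_HINTS]


def reconcile(inventory_csv, discovered_csv):
    """Compare inventory and discovery exports; return findings sorted by IP."""
    known = {r["ip"]: r for r in parse_csv(inventory_csv)}
    seen = {r["ip"]: r for r in parse_csv(discovered_csv)}
    findings = []
    for ip, row in seen.items():
        if not in_scope(ip):
            continue  # observed, but not part of the perimeter being reviewed
        if ip in known:
            rec = known[ip]
            findings.append(Finding(ip, "known", f"{rec['hostname']} ({rec['owner']})"))
        else:
            detail = f"no inventory record; ports {row['open_ports']}"
            hints = embedded_hints(row["open_ports"])
            if hints:
                detail += f"; embedded-device hints: {', '.join(hints)}"
            findings.append(Finding(ip, "unknown", detail))
    for ip, rec in known.items():
        if ip not in seen:
            findings.append(Finding(ip, "missing",
                                    f"{rec['hostname']} in inventory but not observed"))
    return sorted(findings, key=lambda f: ipaddress.ip_address(f.ip))


def summary(findings):
    """Count findings per status; the 'unknown' figure is the one to chase."""
    counts = {"known": 0, "unknown": 0, "missing": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    results = reconcile(KNOWN_INVENTORY_CSV, DISCOVERED_CSV)
    for f in results:
        print(f"{f.status:8} {f.ip:16} {f.detail}")
    print(summary(results))
```

With the sample data, three addresses are known, three are unknown (two of them carrying telnet or Modbus hints worth an interview with facilities) and one inventory entry was never observed, which is itself worth a question: has it been decommissioned, or did discovery simply not reach it?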

It sounds like the stuff of legend or the script to the Ocean’s 11 movies, but do you remember when a Las Vegas casino was broken into… through their fish tank? Knowing what devices are where on your network and perimeter is vital and must be considered table stakes in any decent security programme. Anything less is simply security theatre: it gives the impression of security while creating nothing but a false sense of it. One cycle of no testing is a price worth paying to discover what you don’t know, because then you can do something about it.

Building your plan

Now you have a grip on your environment in a relatively straightforward, simple, effective and quick way. Through this process, you will ascertain your stakeholders, advocates and even a few potential adversaries. Then, armed with this information, you can provide an accurate picture of the business to the business in a way that makes sense and displays a grasp of the fundamentals.

Building your plan will always start with your initial assessment and what needs to be done to become operational or steady-state. The trick, however, is to ensure that this baseline achievement is not perceived as the end state of security but rather merely the first stepping stone to ever more impressive services, capabilities and, ultimately, profit and growth for the company.

The plan itself, however? That is yours and yours alone. Although other posts in this blog will help as you plot your course into the future, nothing will replace your understanding of the local culture, the organisation and, ultimately, what you need to achieve to meet the expectations of the business leadership. Know what the rules of your organisation are, when to adhere to them, when to bend them, and most importantly, when to break them (but only when experience tells you it is the right thing to do):

“The young man knows the rules, but the old man knows the exceptions.” 

Oliver Wendell Holmes

Be the Old Man, be the CISO.


Too Much of a Good Thing

The one thing the current lockdown has taught me is that you really can eat too much chocolate… who knew?

Left to my own devices and without the distraction of a routine, regular work and people observing my unhealthy eating habits, my faulty brain tells me that more chocolate can only be a good thing and that I should continue to eat it until physical discomfort forces me to stop (in spite of my brain’s protestations). It is an obsessive and compulsive behaviour that I recognise in myself and do my best to contain, but it is a constant struggle arguing with myself that chocolate is not the most important thing in my life.

The same could be said of many security professionals and their desire to roll out security practices to their organisations, implementing new procedures, standards, policies and ways of working that are designed to make the organisation very secure. They do this despite the protestations of the organisation itself telling them it has had enough: the new ways of working are too restrictive, difficult to follow and ultimately leave it with a security stomach ache.

This week’s Lost CISO episode talks about when too much security, like chocolate, is a bad thing.

This compulsion to think that security is the most important part of a business’ life is one that leads to users having security headaches all day and the business itself feeling slovenly, bloated and sluggish. (OK, that’s enough of the analogies.)

It is ultimately self-defeating, as users will do their best to work around draconian working practices, and the perception of the security organisation will be one of business prevention rather than vital service. I, and many others, have spoken about not being the department of “no”, but it goes well beyond just saying “yes”.

Agreeing to everything without thought of the consequences is potentially even more dangerous than saying no, especially in the short term. The vital distinction that needs to be made is that of a two-way conversation between security and the end users and business. Finding out what the requester is trying to achieve is far more valuable than just focusing on what is being asked. Requests can be addressed in many different ways, not just by punching a hole in the firewall or switching off 2FA on the VPN, for instance.

In fact, this very conversation helps create even stronger relationships as it highlights two things:

  1. How seriously you take their request.
  2. How much you care about the organisation you both work for.

A great example of this in the above video is that of companies relaxing their security stance during the remote working ramp-up of the lockdown. If the response had simply been “no”, or even a straight “yes” with no thought of the consequences, there would have been issues sooner or later. Working with the business, relaxing the standards for the initial growth and then methodically scaling and tightening the security once the initial growth is over is absolutely the right way to go.

So next time you feel yourself reaching for the chocolate, wanting to say “no”, think beyond the immediate consequences and about how you can use security for the long-term betterment of your organisation rather than your simple security stats.

And one bar of chocolate/security is always enough for everyone, right?

Do you need to re-align your security team to your business and don’t know where to start? (TL)2 Security has a proven track record helping security leaders and teams create strategies and business plans that make real, competitive differences to organisations. Contact (TL)2 to find out more.


Strategic Defense

Most people who know me will understand when I say I am not technical in my field. Indeed, I have often spoken about how a CISO should not be technical; that doesn’t mean a CISO should not understand technology, but rather that it is not the focus of the daily job. So what should a CISO focus on? I often talk about “PowerPoint and politics” and have even heard that expanded to “…and people”, which makes sense really. Interestingly though, I used to say it as a joke, and then it came true. Huh.

This week’s video from The Lost CISO series talks about how to build a strategy. Or rather, it talks about how to build the platform upon which to build your strategy. One of the biggest mistakes I see organisations and CISOs make is thinking that a security strategy comes from the roadmap of projects they will be rolling out over the next 1-3-5 years. Sure, they may feed into a strategy, but they play only a small part in it.

Building a strategy requires knowing where you want to go and what you are supporting. Essentially, it is a vision of the future, so no surprises for guessing that you start with a Vision statement. If, like me 10 years ago, you thought a Vision Statement was a way for expensive pony-tailed consultants to charge thousands a day to simply tell you to “strive to support our customers in a meaningful manner”, you may baulk at this starting point. Fully understandable, but also cynical, and let’s not allow past bad experiences to taint our new approach.

The reason I say this is not because I have a ponytail, expensive or otherwise, but rather because a vision is effectively a rallying point on which your security team can focus. If they do not know what they are working towards, you and your team will be in a perpetual state of fire fighting and reactive work. It doesn’t matter how many projects you have in place, or roadmaps printed nicely on A0 on the design team’s plotter; if you don’t know what you are working towards, how do you know if you are succeeding?

Make sure you know what the company vision is as well, otherwise you might create one that is pulling in the opposite direction, which helps no-one. Thom’s Top Tip: If you can create a security vision without the word “security” in it, you will definitely be on the right track (although this is by no means mandatory). Your vision, therefore, may look a little like this:

Delivering competitive advantage through trust and transparency.

It’s pretty high-level, doesn’t mention security, and gives people on the team some key pointers on how to consciously modify their behaviour towards a common goal.

But a Vision by itself isn’t enough; you also need some business outcomes to be achieved in order to achieve this Vision. Think of 3-5 or so outcomes that you want to achieve in order to fulfil your Vision, then add a metric (how you know it is being achieved) and a value (what benefit does it bring?). You then have one element of your 3-5 business outcomes that allow you to plan work, focus resources and (you will be glad to hear) add to your roadmap. So, for example, here is a business outcome, metric and value in support of the above Vision:

Business Outcome: Frictionless and scalable business processes.

Metric: Higher quality and faster outcomes.

Value: Standardisation resulting in increased efficiencies including easier decision making and better use of time, effort and money.

Add some more like this, and you have a robust vision upon which to build your strategy. Now you can think about how you are going to do that, because you now have a better idea of what you need to do to achieve the company goals, what resources you need (including skills), and, more importantly, how you want to shape the future of your security team and, above all, your organisation. The whole point of a strategy is to ensure that your future is not an inevitability you have no control over, but rather something you can invent to be what you want and need it to be.

Looking to take your security team to the next level of productivity and business engagement? (TL)2 Security can help you define, establish and operationalise your strategy and vision, ensuring you go beyond just keeping the lights on and actually provide competitive advantage to your business. Contact us to find out more.