Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Dec 16, 2015

The Realistic CISO

In information security, pessimism goes with the job. It's one of the hazards of our profession. It's pretty much expected of us, in fact. As a general rule, we infosec types obsess about downsides - things going wrong; attacks, accidents and other incidents occurring; noncompliance; 'bad luck'. We are openly cynical or dismissive about claims or implications of perfection in our security tools. We sincerely doubt all bases are ever covered. We see little gaps and worry about dark, gaping holes in our defenses. We generally anticipate bad news, honestly believing that our adversaries hold most of the cards (including all the aces!). We long for better security metrics, while delivering a mish-mash of half-baked, partially irrelevant and largely distracting information to management in a failed attempt to compensate for our pessimistic outlook: we feel the need to be able to say "See, I told you so" when bad stuff [inevitably] happens.

The realistic CISO is, first of all, sufficiently self-aware to appreciate his/her inherent pessimism, hopefully well enough to accept that it might be a barrier to success in business and in the profession. We occasionally see little glimpses of light, for instance when we acknowledge that the flip side of risk is opportunity, and that there may be legitimate reasons for management accepting information risks that we personally find uncomfortable ... but then we drop the blinds by insisting that risk owners formally accept the risks, absolving us of all blame if bad stuff eventuates (and, by the way, forgoing a large part of the credit if things turn out OK after all).

Second, the realistic CISO anticipates that although a gazillion things could go wrong, things generally do work out OK, on the whole. The realistic CISO knows that good enough security is not only usually good enough, but way cheaper than striving for perfection (which, of course, is unattainable anyway). It's a pragmatic approach with a valuable bonus: good enough security is generally quicker and easier to implement than perfection, so while it may not achieve the maximum possible level of loss reduction, the benefits start to accumulate earlier and over a longer period, while the implementation costs may be substantially lower. Good enough security may in fact be the optimal solution. Gosh, imagine that! Despite the oft-repeated mantra that the black hats only need to find and exploit the gaps, with the implication that white hats need to close every gap, the realistic CISO focuses on closing the gaps that really matter, using multiple layers of control to deter, restrict and frustrate attackers and contain the damage within acceptable bounds, rather than forlornly trying to prevent all incidents.

Third, the realistic CISO is sensible enough to juggle competing priorities - not just preventive controls but early incident detection and sound incident management, a strong capability for business continuity (resilience, recovery and true contingency planning), systematic learning and continuous improvement, plus, most importantly of all, strategic alignment with business priorities. The realistic CISO appreciates that the infosec profession has high ideals with expectations that don't always match the organization's. The realistic CISO knows that the business has numerous objectives, goals and anti-goals, has disparate stakeholders with some conflicting expectations and requirements, and exists in a dynamic context. The realistic CISO is not merely plugged in to senior management's social network but an integral part of it, helping to formulate strategy and drive the business forward as much as being driven by it. That takes personal integrity, persuasive skills and aptitudes way beyond the sphere of cybersecurity.

Fourth, the realistic CISO isn't aghast to discover that colleagues may be willing to push things to or beyond the limit, perhaps exceeding the boundaries of ethical and legal behavior in the interests of taking advantage of and exploiting opportunities.

In summary, the realistic CISO is a mature, upbeat, self-aware pragmatist with a strong urge to look into and beyond the looming storm clouds to spot not just bolts of lightning but silver linings. I'm hinting at expunging the final vestiges of The No Department - you know, the security function whose immediate, default reaction to virtually every request or enquiry is a resounding "No!".

"Instead of saying no to new technologies, ideas and capabilities in the name of security, try to find a way to say yes. Individuals within the organization often assume that the position of the risk and security professional or program is to restrict the use of new technologies, ideas and capabilities. A more effective approach is to embrace technological changes while at the same time educating the individuals who want to use new technologies about the appropriate information risk and security considerations, concerns and requirements that need to be accommodated as part of their use. This will empower individuals to be able to make informed decisions about the use of these resources and, at the same time, ensure they are aware of their risk and security obligations."
John P. Pironti

Whereas getting to "Yes!" as a stock response may be a step too far, the CISO who tends towards "Yes but ..." or "Yes provided ..." may turn out to be a boon to the organization rather than a barrier, which in turn will unlock some of those relationship benefits I've just mentioned, earning the respect and trust of senior management colleagues.