At some point in the late 1990s, we made a catastrophic error in corporate organization: we separated information technology from security. We decided it was a “conflict of interest”. We were focused more on audit than on defensive security. Maybe there was an argument for drawing this line at the time, but, in retrospect, the mistake has been a glaringly obvious and irrational one.
The bottom line is this: the security team needs access to the IT department’s systems and data if it has any desire to secure anything at all. Problematically, IT departments tend to be protective with the access and the data they share with security—in fear of a bad finding or slap on the hand. Oftentimes, this dynamic leads to a self-perpetuating cycle of hostilities that wear away at the relationship between the teams that secure and maintain your network infrastructure—inevitably giving the adversary the advantage.
Getting security right on the org-chart
1. Tag-team with the CIO
The who-works-for-whom argument has been going on since the creation of the CIO and CISO roles. Many different reporting structures exist, and, in the long run, it shouldn’t matter as long as everyone gets along. Unfortunately, everyone doesn’t always get along, and there is friction between IT and security. Security asks for admin access to network gear; IT rejects the request. Security performs an audit of IT systems; IT takes offense and is less likely to grant access to data and systems in the future. Thus the cycle of tech-on-tech violence continues, and we all lose as a result.
The CISO and the security team need data. Without data, you have poor visibility and you can’t make the budget-case for tools and staff, organize an educated defense, or understand where your company’s network is weak or strong. Unfortunately, the CIO and IT staff own the systems that gather the data that the security team needs. If the reporting structure is not a healthy one and the CEO does not see the security story clearly, the organization’s security will most likely fail. Either way, building a strong security posture requires that both leaders, the one in charge of security and the one in charge of the information systems where security will be managed, are on the same page, operating as a high performing team.
2. Present data-based evidence
Leveraging fear or overstating risk to the CEO and board almost always backfires. So too can accurately illustrating risk and appropriately characterizing the direness of the security situation, if it is not accompanied by solid statistics and facts and a clear solution for fixing the problems that includes a budget. There’s also the danger of predicting an imminent breach that never comes, which can undermine your credibility with fellow leaders. The best way to establish credibility is to state what needs fixing, present the evidence, explain the repercussions if the issue goes unchecked, and then ask for budget. It’s the CISO’s job to accurately determine the cost of inaction.
For instance, the severity of a vulnerability in an internal or customer-facing application could be described in terms of cost-outcomes. CISOs can couch the cost of malware infections in terms of customer-related profit loss and new costs associated with staffing the remediation process and replacing equipment potentially damaged in the infection. In this way, you take an abstract conversation about bad code and turn it into a dollars-and-cents conversation that is important to the CEO.
Ultimately, it’s the CEO who allocates the funding for security, and the best way to get your share of that funding is to present a detailed, data-driven case for budget to the CEO. This is a team effort, as security problems are rarely security tool problems and almost always IT problems. Security can assist in finding issues and aid IT in prioritizing which vulnerabilities need to be fixed based on relevant attack techniques and tactics. In order to stay ahead of the adversary—as opposed to cleaning up behind the adversary—IT and security need to be working together with the same data.
3. Report to the board of directors
If the collective technical C-suite—the CIO, the CTO, and the CISO—comes together and presents the best way forward for the organization in a functional, financial, innovative, and security- and business-focused way, then the CEO will have the optimal information to make the best decision for the organization. It is important to present both the collective view and the individual view of each executive, to give both the board and the CEO a balanced, business-supporting picture.
In fact, regular security-to-executive communications are beneficial—even when the CIO, CTO, and CISO are in lock-step. Keeping the executive leadership team or the board of directors in the loop on matters of security increases the likelihood that they will understand matters of security when you most need them to and is especially helpful in cases of strife among the various business leaders.
CISOs can feel their responsibilities are too technical to be of concern to the board. This is a presentation issue—not a reality. While this was undoubtedly the case for many, many years, things have changed over the last decade. By and large, the board cares about security now—because security is no longer about protecting IT assets: it’s about protecting the business. It is important to resolve issues before they get to the board level. You have to use this audience to advance the security agenda, not to resolve petty arguments. Vision, statistically driven metrics, goals for improvement, cost understanding, and how each of these aligns with forward-leaning IT policy that will improve the bottom line are the discussions that CISOs, CTOs, and CIOs need to be having at the board level.
4. Align security with business mission
The business is why we are here, but sometimes we all get caught up in sexy, press-driven events. Stop and focus: it’s all about the business. It is important to understand what your priorities are in security. How do you lower the volume of the noise so you can focus on those priorities? How do you reduce the noise of opportunistic malware that has little-to-no impact on the business? How do you show the metrics around improving hygiene and reducing noise, therefore not only saving money but protecting the business?
There is a clear need to understand the business and how it uses IT in order to understand the risks associated with attacks. Understanding the high-value systems, data stores, communications, and users is key not only to protecting them, but also to monitoring them for malicious behavior. It’s easy to be a security purist or a Chicken Little, fear all technology, and insist upon locking it all up. It takes leadership and skill to be the security enabler that helps the business move forward and protects its forward lean.
Ultimately the CISO role is about separating the signal from the noise, creating awareness of security issues, and stating plainly—in business terms—the real risks posed by specific threats. MKACyber’s W@tchtower platform and SOC management philosophy are steeped in methodologies and repeatable processes that empower security staff, from the analyst to the CISO, to articulate security needs and concerns with data.