So you want to be a CISO, really? Business security, or the business of security, has evolved and is evolving, according to Todd Fitzgerald of Grant Thornton International, who shared his thoughts in his RSA Conference 2014 session, "So Why on Earth Would You WANT to Be a CISO?" Fitzgerald captured the challenge facing all who are thinking of moving into the CISO career track when he shared a two-page, densely worded job description. The only item missing from the job description seemed to be "and have the ability to bring about global peace."
Fitzgerald continued by identifying the DNA of the CISO job, which includes: security strategy, security policy, data privacy, auditing, investment, incident handling, laws and regulations, control frameworks, and senior management metrics—clearly, a broad swath upon which to venture. As in many senior executive positions, technical acumen may have been a part of the CISO's early technical career; it will be the leadership skills that evolve to the front for the CISO of the future. These skills, according to Fitzgerald (Forsythe and Gartner both identified similar skill traits), include: the ability to manage business relationships, people-oriented capability in conflict resolution, the ability to build consensus while building teams and exerting influence on the business, and the ability to speak to the business of security in nontechnical terms. The CISO is and must be a part of the business team.
In order to be a part of the business team, one must engage the business. Given the above requirements, this may not exactly be a cakewalk, but it is achievable. The session "Be a DREAMR: Obtain Business Partnership, Not Just Buy-In," hosted by Jessica Hebenstreit (Athene USA) and Ben Meader (Principal Financial Group) drove home these points. Hebenstreit and Meader provided CISOs a leg-up in selling their programs, recognizing the need to adjust from traditional methods of getting funding and buy-in. They offered up their "DREAMR" road map to successful engagement:
- Determine culture: What type of organizational culture are you operating within?
- Reach out: The process of partnering with the business, networking
- Educate: Learn from the business about the business; educate influencers
- Accommodate: Understanding and partnership—the foot-in-the-door approach—small wins
- Measure: Measure what is important, communicate back to the business effectively
- Recognize: Reward those who champion security
An easily remembered acronym, "DREAMR" contains all the components upon which to create your CISO playbook. It will be an implementation which most certainly requires investment—investment in and with those whom the CISO and his team support—the business operations teams. While recognition of those supporting the security initiatives is part of the "reward" component, another type of recognition by the CISO must also be present: recognizing and focusing on HOW to achieve the business and operational goals, securely. Keep in mind that the understanding that the CISO's team is a support organization enhances the ability for the business entities to partner with the CISO. The CISO works with the the ops team and can assist in navigating through the compliance and regulatory requirements. These requirements may require evolution of security policies and processes with the business team, and these policies, once created and implemented, should support and not slow down the business. Policies which stymie business do not fall within the category of good business security.