To arrive at the right answers, one first needs to ask the right questions! CISOs who discover that their actions do not generate the desired results to strengthen security and compliance postures may not be asking the right questions. Effectively managing data, information risk, and compliance is complex and ever-changing. There are many components and considerations in developing and implementing a robust program that encompasses and integrates all the elements needed to manage risk and achieve one’s compliance objectives effectively. A critical component is making sure to ask the right questions of the right people.
By Jason Taule, Vice President of Standards & CISO, HITRUST
The right questions include those that CISOs should ask themselves as well as the management team, the operations team, and other key stakeholders, including the Board of Directors. CISOs who come up with the questions on their own will likely tailor the questions to their situation and environment — often driven by functional and operational priorities that may not directly line up with the top-line business objectives. More specifically, an ad-hoc approach usually overlooks some of the core questions that matter in establishing a strong security and compliance posture.
Answer the Right Questions to Drive Business Results
By collaborating with people from across the organization and asking questions focused on risks and controls tied directly back to the business, CISOs can drive decisions that truly get at what the organization needs to achieve the security and compliance postures the business is seeking. This, in turn, leads to an action plan to produce the desired business results.
The ad-hoc approach perpetuates managing the security and compliance program in a reactive fashion — where the focus is only on the immediate situation at hand. How should CISOs avoid situations where they have to ask themselves, “Where did I fail the business?” They can do this by taking a results-driven, proactive approach adopted by others in their industry. They can work with internal stakeholders to adopt a set of questions that demonstrate how to get to the “why” behind their security and compliance programs.
The Pitfalls of Creating Risk Profiles Based Purely on the Technical Environment
A key responsibility for every CISO is to seek the necessary information to understand their company’s security and compliance risks. The resulting risk profile can then be translated into recommendations and options that the internal security team and executive team members can understand, throw their support behind, and act on. Ultimately, it’s about the action; and action must have a purpose more significant than the technical elements that technology leaders lean on.
Early in a CISO’s career, it may seem that the questions to ask to find such information must be explicitly created for the technical environment that’s being secured and the business environment that’s supported. This, however, could lead to many issues:
- Misaligned or missing questions
- Baited or ill-timed questions
- Yes/no questions that do not provide context
- Questions that do not go deep enough or don’t connect to tell the full story
- Questions that do not drive an understanding to get buy-in to act from the business
Instead, what is needed is a list of questions, in the right order, and a projection of what the answers could be, might be, and should be. Projecting the answers helps make sure the questions are on target and presented in an order that will elicit contextualized thinking. This may also result in the need to re-visit the questions once previous assumptions are confirmed or refuted.
Another critical facet is deciding when to ask the questions of each stakeholder. The results of each interview could influence the questions of subsequent discussions. So, the order in which the CISO connects with the stakeholders is critical. And after collecting the answers, the CISO needs to validate the information and investigate unforeseen responses to find out what is reasonable and if any of these provide incorrect information.
Similar to the assumptions made above, the more you understand as you move along this journey, the more likely you’ll want to re-visit other decisions taken along the way. CISOs need to find a delicate balance that is appropriate for their organization, which enables them to ask the right questions first, and methodically answer the questions through an investigatory process that appropriately assesses vulnerabilities. There is no room for poor decision making and misaligned actions.
Questions that Drive Security Action Plans
While well-constructed questions and a strategy for conducting interviews with key stakeholders will produce highly valid answers, there’s still no one-size-fits-all response to risk and security management. However, a consistent, transparent approach that spurs conversation as the organization assesses risk and drives toward decisions and actions will bring your organization closer to reaching the expected/desired responses.
Before engaging others, CISOs should consider their own high-level perspective: What is the organization’s security and compliance posture? Where do those postures need to be? How does the organization get there? Thinking along these lines helps CISOs digest what they hear from others to probe for issues surrounding compliance, risk, and assurance in a way that leads to the “why”:
- What is our current risk exposure and security posture? What level of risk exposure is acceptable, and what security posture is desirable?
- Do we have the most appropriate framework?
- How do we compare to other organizations in our industry?
- Where do we need to be? How do we select a program and tools that will scale within the organization?
- Is what we are doing sufficient and, if not, what level of resources do we need to apply?
- To which partners and customers do we need to provide or obtain security assurances, and what are our processes to do so?
- What do we need to do to fulfill our due diligence expectations?
- What do we need to do to qualify for cyber insurance? Can we obtain a better policy and/or reduce our premiums?
- How do we keep up with new business services, expanded industry/market profiles, emerging threats, and changing regulatory requirements?
The above is just a consolidated sampling of crucial questions that have been an important starting point in my role as a CISO. Every CISO should identify their own set of questions along these lines, and evaluate each of them per the audiences they are meant for. This can include the executive team, the Board of Directors, partners, customers, third-party vendors, and the internal IT security team. The answers will give the CISO a broad perspective on what actions require the highest priority for bolstering the organization’s security, compliance, and privacy postures. We do not need to reinvent the wheel, thanks to others who have demonstrated methods and approaches that can be leveraged – not only to save time, but to ensure the right plans are put in place for the business.
Action Plans Help Implement Mitigating Controls to Manage Risk
While taking this approach, it’s vital to utilize a standard, proven approach—the HITRUST Approach™, as one example. It includes questions created and maintained by risk management experts in conjunction with industry leaders tied to a comprehensive privacy and security framework and world-class assurance program. This helps generate the required answers to drive actions while also identifying and understanding security risks transparently and accurately. The CISO can then better communicate the risks and mitigation options, and the required security and compliance controls and information risk posture.
A two-way approach with all relevant stakeholders combined with a self-assessment approach gives me the answers to do my job as CISO. To promote this I set up a campaign coined as the “Just ask Jason” program. It allows everyone to receive and contribute information and be part of the risk and security management solution. I even printed up buttons that read, “Just ask Jason” and handed them out to the Board as a reminder to keep an open channel for security communication.
It’s all about driving actions that result in implementing controls to manage risk. Each stakeholder within the organization has an answer to one or more questions that will help tell the story and paint the picture an organization needs to achieve its security and compliance posture. Once the questions have been asked, we then analyze the answers to understand the necessary controls — using a consistent, independently-proven, and validated approach. CISOs will find that an ad-hoc approach will produce random results. Conversely, CISOs that answer the ultimate question “why?” via the approach described above will find the results to be closer to what they desire and expect.
To develop strong security and compliance postures, every organization needs a “Just Ask Jason” campaign. For advice on how to set up a similar program for your organization, “Just Ask Jason” Taule by reaching out to him at [email protected] or visiting https://hitrustalliance.net/
About the Author
Jason Taule is an information security luminary who has served in most capacities within the industry. He started in the intelligence and government sectors, first consulting to Federal agencies and then serving as inside Chief Security / Privacy Officer both within the Government and at large systems integrators like General Dynamics and CSC. Mr. Taule helped build the original DARPA CERT, helped develop the first computer security programs at the VA and NASA, and revised the Risk Assessment Methodology still used throughout DHHS. He enabled hundreds of systems to earn their accreditations and remain free from compromise. Mr. Taule currently serves as HITRUST VP of Standards and CISO, overseeing the development and evolution of the HITRUST CSF to ensure its relevancy and continued sufficiency while also ensuring that HITRUST continues to earn and keep the confidence of our customers and third parties who have entrusted us with the safekeeping of their data.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.