Until recently, cybersecurity was an afterthought for many organizations, and mitigation measures lagged behind. COVID-19, however, is accelerating digital transformation across decentralized locations. The state of security is getting better at building business resiliency, thanks to the evolving role of the CISO. CISOs are assets and business enablers who steer organizations toward a safer and more secure work environment, and the role is critical in today’s fast-growing digital world. Just being a good CISO is not enough; you need to be a successful CISO. Why? Because an organization’s success invariably depends on its CISO’s success. So, how do you become a successful CISO? It is a phased process. Let us find out the good, the bad, and the ugly of the roadmap to CISO success from a veteran CISO, Heath Renfrow.
Speaking at the EC-Council’s Global CISO Forum, Heath Renfrow said, “For too long people have feared us (CISOs) and stayed away from us. We are exactly the opposite of that. We are business enablers! We are there to educate people, tell businesses what their security risks are, and give them advice of how to up their defenses.” Renfrow added, “The success and reputation of an organization largely depends on the security of its employees, systems, and customers. And CIOs/CISOs of that organization have the responsibility of steering this ship.”
Renfrow highlighted the fact that the CISO is like the person behind the curtain: omnipresent and critical to the entire theatre of running the business. And just like that person, who does the work methodically, weighing all the pros and cons, Renfrow says there are five phases that every CISO needs to follow — not just to be a good CISO, but a successful one.
The Five Phases to Become a Successful CISO
These phases and their respective timeframe differ from one organization to another. However, Renfrow notes that in the two decades of his working career in security, he’s followed this model and has had success across all the organizations he’s served.
Phase One: Company Meet and Greet
Renfrow has been working in this field remotely for six years now because of the global supply chains of the organizations he has served. When you have a global network of employees, vendors, third-party suppliers, and customers, it becomes even more difficult to mark the starting point of this phase. However, it needs to be done and is essential. It is important to know your team and the business leaders, and to understand your job profile, which includes the definition and maintenance of physical and IT security, privacy and risk management, compliance, and disaster recovery.
Renfrow says, “Now in the COVID age, it is even more difficult to connect with the stretched resources of not just other teams but your own teams as well. We cannot meet them face to face, but we need to connect. Connect via Zoom, Teams, Slack, or any other tool with every important member possible and know what they expect, want, and whether they are happy with their roles. Build a relationship with your team and peers. This will go a long way.”
Renfrow specifically mentioned the need to find a “Cyber Champion.” Identify this person as quickly as possible. This person may not be wearing a cape, but they can be the CISO’s go-to person who has the answer to every network- and security-related query.
Phase Two: Inventory
Renfrow says, “This could be an extremely time-consuming phase.” Why? Because of the number of people involved in it. A carpenter does not straightaway start making a bookshelf or that bunk bed for your kids. He first measures the dimensions of the room; he then decides on the design, taking into consideration his customer’s requirements; prepares a rough inventory of how much ply, varnish, nails, and adhesive he requires; then goes and buys it from a third-party vendor; and finally starts building the shelf or the bed. If this so-called small piece of work requires so many stakeholders in between, imagine how many a CISO needs to interact with to prepare an inventory.
This process, as Renfrow explained, should include the following:
Skill sets of people involved (and required)
Audits and reports
Number of third-party and customer contracts
Budget – Past/present, IT and financial
Current processes
Current security strategies and posture
Network and security architectures in place
Regulatory and compliance requirements
Phase Three: Assessment
It’s now time to prepare your to-do list. This is the phase where you sit back and assess your findings from the inventory phase and measure your organization’s security posture. Prepare a list of pros and cons of the various systems, processes, and strategies in place. Now understand the requirements of your business and its shortcomings.
Renfrow says that he has seen organizations that have a lot of security tools but a shortage of skilled people to operate them. In some cases, he also observed that certain security tools were implemented for specific tasks, but 80% of those tasks were being carried out by some other tool or manually by a person. Thus, there is a need to sit back, assess the ground reality against the actual requirements based on the findings of the first two phases, and then prepare a to-do list or action plan to move forward.
Considerations for this stage include:
Review of technical requirements
Reviewing performance metrics
Assessment through a specialized third-party assessor
Review of vulnerability and penetration testing reports
Phase Four: Planning or Building a New Vision
This is where you translate your challenges into a vision, says Renfrow. Understanding challenges like poor support, weak security governance, or compliance and audit gaps is very important. You may have support from the business team but not from your executives, or vice versa. You might already have spent a lot of time in the first two phases communicating, educating, and convincing your peers, and a lack of support can still hamper your operations and be a huge challenge to overcome.
At the same time, this is the phase where you must cross another impediment that CISOs face – the Budget. Based on the assessment done in the previous phase, it is quite clear what you need to take your organization’s security game to the next level. So, start deriving a budget that can be presented to the business leaders in the next phase. Renfrow also suggested keeping this a variable budget: based on the risk decisions taken by business leadership, the budget may swell.
Phase Five: Communication
Time to roll out that carpet, sit across the table, check those microphones, and talk! In the last phase we built the vision of where our organization’s security posture needs to be versus where it currently is. Now sit across the table to educate the business leaders and make them understand what you have analyzed and what the way forward is on the security front.
According to Renfrow, another key element of this conversation is presenting business leadership with a quantifiable risk analysis. The C-suite understands the language of numbers and statistics better than grey zones. Methodologies like Factor Analysis of Information Risk (FAIR) can come in handy here: FAIR helps in establishing accurate probabilities of the frequency and magnitude of the risks.
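To make the frequency-and-magnitude idea concrete, the following added example (not from the article, from Renfrow, or from the FAIR standard itself) runs a simplified FAIR-style Monte Carlo simulation. It takes a min / most likely / max estimate for Loss Event Frequency (events per year) and for Loss Magnitude (cost per event), as a CISO might collect from control owners, and produces an annualized loss distribution that can be put in front of leadership as numbers rather than colours. The scenario figures, the triangular distributions, and the function names are constructed assumptions; the full FAIR taxonomy has more factors than this.

```python
"""Simplified FAIR-style Monte Carlo risk quantification (illustrative only).

Loss Event Frequency (LEF) and Loss Magnitude (LM) are each given as a
(min, most_likely, max) estimate and combined into a distribution of
annual loss. This is an added example, not the FAIR standard's method.
"""
import math
import random
import statistics


def _poisson(rng, lam):
    """Draw how many loss events occur in one year at expected rate lam
    (Knuth's multiplication algorithm; fine for small rates)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lef, lm, years=10_000, seed=7):
    """lef, lm: (min, most_likely, max) tuples. Returns a list with one
    simulated total loss per year. A fixed seed keeps runs reproducible."""
    rng = random.Random(seed)
    f_min, f_mode, f_max = lef
    m_min, m_mode, m_max = lm
    losses = []
    for _ in range(years):
        # Uncertainty about the rate itself: draw this year's expected
        # event rate from a triangular distribution over the estimate.
        rate = rng.triangular(f_min, f_max, f_mode)
        n_events = _poisson(rng, rate)
        # Each event's cost is drawn independently from the magnitude estimate.
        year_loss = sum(rng.triangular(m_min, m_max, m_mode)
                        for _ in range(n_events))
        losses.append(year_loss)
    return losses


def summarize(losses):
    """Statistics leadership tends to ask for: average year, typical year,
    and a bad year (90th percentile)."""
    s = sorted(losses)

    def quantile(q):
        return s[min(len(s) - 1, int(q * len(s)))]

    return {
        "mean": statistics.fmean(s),
        "median": quantile(0.5),
        "p90": quantile(0.9),
        "max": s[-1],
    }


def expected_annual_loss(lef, lm):
    """Closed-form sanity check: E[LEF] * E[LM], using triangular means."""
    return (sum(lef) / 3) * (sum(lm) / 3)


# Constructed scenario (assumption, not data from the article):
# 0.5 to 6 phishing-driven account compromises a year, most likely 2,
# each costing 10k to 300k, most likely 50k.
SCENARIO_LEF = (0.5, 2.0, 6.0)
SCENARIO_LM = (10_000, 50_000, 300_000)

if __name__ == "__main__":
    losses = simulate_annual_losses(SCENARIO_LEF, SCENARIO_LM)
    stats = summarize(losses)
    print(f"closed-form expected annual loss: {expected_annual_loss(SCENARIO_LEF, SCENARIO_LM):,.0f}")
    for name, value in stats.items():
        print(f"{name:>6}: {value:,.0f}")
```

The simulated mean should sit close to the closed-form expectation, while the 90th percentile shows the long tail that a single "expected loss" figure hides; that tail is usually what drives the risk-tolerance discussion and, by extension, the budget.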
And finally, it is time to discuss the Budget! Renfrow says, “You have laid the vision, shown the gaps, quantified the risks, and gotten the risk tolerance sorted for those risks. Just one thing remains, adjust your budget vision, take approval, and get out of that room!” Yes, it will be a difficult conversation, and you will be bombarded with tough questions and choices, but remember the title of this phase – Communicate. You need to convey and convince. After all, the tag of successful CISO is a hard-earned one, and it lies just at the other end of this conversation.
About Global CISO Forum
Global CISO Forum is an annual event that sees a confluence of the highest-level executives from across industries and countries who discuss the most pressing issues in information security. Now in its tenth year, the 2020 Global CISO Forum promises to be the best yet with an exciting mix of industries, formats, and interactive presentations.
In celebration of our 10 years of CISO events, EC-Council is giving its brand-new Risk Management Approach and Practices e-book to all attendees of the Global CISO Forum! Risk is at the heart of what a CISO does and EC-Council wants to create as many risk-smart executives to protect the world’s assets as possible.
EC-Council’s Global CISO Forum 2020 Virtual Conference was an invite-only, closed-door event gathering.
CISO MAG is the Content Editorial Sponsor for the Global CISO Forum.