Until recently, cybersecurity was often an afterthought for many organizations, which left them without adequate mitigation measures. COVID-19, however, is accelerating digital transformation across decentralized locations. The state of security is getting better at building business resiliency, thanks to the evolving role of the CISO. CISOs are assets and business enablers who steer organizations towards a safer and more secure work environment. A CISO’s role is critical in today’s fast-growing digital world. Just being a good CISO is not enough; you need to be a successful CISO. Why? Because an organization’s success invariably depends on its CISO’s success. So, how do you become a successful CISO? It is a phased process. Let us find out the good, the bad, and the ugly of a CISO’s roadmap to success from a veteran CISO, Heath Renfrow.
By Mihir Bagwe, Tech Writer, CISO MAG
Speaking at EC-Council’s Global CISO Forum, Heath Renfrow said, “For too long people have feared us (CISOs) and stayed away from us. We are exactly the opposite of that. We are business enablers! We are there to educate people, tell businesses what their security risks are, and give them advice on how to up their defenses.” Renfrow added, “The success and reputation of an organization largely depends on the security of its employees, systems, and customers. And CIOs/CISOs of that organization have the responsibility of steering this ship.”
Renfrow highlighted the fact that the position of a CISO is like that of the stagehand behind the curtain: unseen, yet omnipresent and critical to the entire production of running the business. And just as that stagehand does his work methodically, weighing all the pros and cons involved, Renfrow says that there are five phases that every CISO needs to follow — to be not just a good CISO, but a successful one.
The Five Phases to Become a Successful CISO
These phases and their respective timeframe differ from one organization to another. However, Renfrow notes that in the two decades of his working career in security, he’s followed this model and has had success across all the organizations he’s served.
Phase One: Company Meet and Greet
Renfrow has been working in this field remotely for six years now, because the organizations he has been associated with operate global supply chains. When you have a global network of employees, vendors, third-party suppliers, and customers, it becomes even more difficult to mark the starting point of this phase. Nevertheless, it is essential and needs to be done. It is important to know your team and the business leaders, and to understand your job profile, which includes the definition and maintenance of physical and IT security, privacy and risk management, compliance, and disaster recovery.
Renfrow says, “Now in the COVID age, it is even more difficult to connect with the stretched resources of not just other teams but your own teams as well. We cannot meet them face to face, but we need to connect. Connect via Zoom, Teams, Slack, or any other tool with every important member possible and know what they expect, want, and whether they are happy with their roles. Build a relationship with your team and peers. This will go a long way.”
Renfrow specifically mentioned the need to find a “Cyber Champion.” Identify this person as quickly as possible. This person may not wear a cape, but they can be the CISO’s go-to person who has the answer to every network- and security-related query.
Phase Two: Inventory
Renfrow says, “This could be an extremely time-consuming phase.” Why? Because of the number of people involved in it. A carpenter does not straightaway start making a bookshelf or that bunk bed for your kids. He first measures the dimensions of the room; he then decides on the design, taking his customer’s requirements into consideration; prepares a rough inventory of how much plywood, varnish, nails, and adhesive he requires; buys it from a third-party vendor; and only then starts building the shelf or the bed. If this so-called small piece of work involves so many stakeholders, imagine how many a CISO needs to interact with to prepare his inventory.
This process, as Renfrow explained, should include the following:
- Skill sets of people involved (and required)
- Audits and reports
- Number of third-party and customer contracts
- Budget – Past/present, IT and financial
- Current processes
- Current security strategies and posture
- Network and security architectures in place
- Regulatory and compliance requirements
Phase Three: Assessment
It’s now time to prepare your to-do list. This is the phase where you sit back and assess your findings from the inventory phase and measure your organization’s security posture. Prepare a list of pros and cons of the various systems, processes, and strategies in place. Now understand the requirements of your business and its shortcomings.
Renfrow says that he has seen organizations with a lot of security tools but a shortage of skilled people to operate them. In some cases, he also observed that certain security tools had been implemented for specific tasks, yet 80% of those tasks were actually being carried out by some other tool or manually by a person. Thus, there is a need to sit back, assess the ground reality against the actual requirements based on the findings of the first two phases, and then prepare a to-do list or action plan to move forward.
Considerations for this stage include:
- Review of technical requirements
- Review of performance metrics
- Assessment through a specialized third-party assessor
- Review of vulnerability and penetration testing reports
Phase Four: Planning or Building a New Vision
This is where you turn your challenges into a vision, says Renfrow. Understanding challenges like poor support, weak security governance, or compliance and audit gaps is very important. You may have support from the business team but not from your executives, or vice versa. You might have spent a lot of time in the first two phases communicating, educating, and convincing your peers, but a lack of support can still hamper your operations and be a huge challenge to overcome.
At the same time, this is the phase where you must cross another impediment that CISOs face – the Budget. Based on the assessment done in the previous phase, it is quite clear what you need to take your organization’s security game to the next level. So, start deriving a budget which can be presented to the business leaders in the next phase. Renfrow also suggested keeping this as a variable budget: depending on the risk decisions taken by the business leadership, the budget may swell.
Phase Five: Communication
Time to roll out that carpet, sit across the table, check those microphones, and talk! We have already built the vision in the last phase as to where our organization’s security posture needs to be against where it currently is. Now sit across the table to educate and make the business leaders understand what you have analyzed and what is the way forward on the security front.
According to Renfrow, another key element of this conversation is presenting business leadership with a quantifiable risk analysis. Senior executives understand the language of numbers and statistics better than being presented with grey zones. Methodologies like Factor Analysis of Information Risk (FAIR) can come in handy here, as they help in establishing defensible estimates of the frequency and magnitude of risks.
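To show what “quantified risk” can look like on a slide, here is an added, simplified FAIR-style Monte Carlo model. It is illustrative code written for this article, not part of Renfrow’s talk, the FAIR standard, or any vendor tool: the scenario, the three-point (minimum, most likely, maximum) estimates for loss event frequency and loss magnitude, and the “after control” frequency are all constructed for the example. The model draws a yearly event rate and per-event cost from those estimates, simulates many years, and reports the annualized loss expectancy (ALE) along with tail percentiles, which is the kind of output a budget conversation can anchor on.

```python
"""Simplified FAIR-style Monte Carlo risk quantification (illustrative only).

Assumptions (constructed for this example, not from the article):
- Loss Event Frequency (LEF) and Loss Magnitude (LM) are each given as a
  (min, most likely, max) triangular estimate gathered during inventory/assessment.
- Event counts per year follow a Poisson distribution around the drawn rate.
"""
import math
import random
import statistics

# Constructed scenario: phishing-led credential theft at a mid-sized firm.
LOSS_EVENT_FREQUENCY = (0.5, 2.0, 5.0)        # loss events per year (min, mode, max)
LOSS_MAGNITUDE = (20_000, 100_000, 500_000)   # cost per event in dollars (min, mode, max)
# Hypothetical "after control" estimate, e.g. after rolling out phishing-resistant MFA.
LEF_AFTER_CONTROL = (0.1, 0.5, 1.5)


def triangular_mean(est):
    """Analytic mean of a (min, mode, max) triangular estimate; used as a sanity check."""
    low, mode, high = est
    return (low + mode + high) / 3


def draw(rng, est):
    """Sample from a (min, mode, max) estimate. random.triangular takes (low, high, mode)."""
    low, mode, high = est
    return rng.triangular(low, high, mode)


def poisson_draw(rng, rate):
    """Sample an event count from Poisson(rate) with Knuth's method (fine for small rates)."""
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(lef, lm, years=10_000, seed=7):
    """Return a list with one simulated total loss per year.

    Per year: draw the expected event rate from the LEF estimate, draw how many
    events actually happen, then draw and sum a magnitude for each event.
    A fixed seed keeps the run reproducible for the audience.
    """
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        rate = draw(rng, lef)
        events = poisson_draw(rng, rate)
        annual.append(sum(draw(rng, lm) for _ in range(events)))
    return annual


def summarize(losses):
    """ALE (mean), median, 90th percentile and the chance of exceeding $1M in a year."""
    s = sorted(losses)
    n = len(s)
    return {
        "ale": statistics.fmean(s),
        "median": s[n // 2],
        "p90": s[int(0.9 * (n - 1))],
        "p_exceed_1m": sum(1 for x in s if x > 1_000_000) / n,
    }


def compare_control(lef_before, lef_after, lm, years=10_000, seed=7):
    """Summaries before and after a control that changes loss event frequency."""
    before = summarize(simulate_annual_losses(lef_before, lm, years, seed))
    after = summarize(simulate_annual_losses(lef_after, lm, years, seed))
    return before, after


if __name__ == "__main__":
    before, after = compare_control(LOSS_EVENT_FREQUENCY, LEF_AFTER_CONTROL, LOSS_MAGNITUDE)
    for label, summary in (("before control", before), ("after control", after)):
        print(f"{label}: ALE=${summary['ale']:,.0f}  median=${summary['median']:,.0f}  "
              f"p90=${summary['p90']:,.0f}  P(loss > $1M)={summary['p_exceed_1m']:.1%}")
```

The simulated ALE should land close to the product of the two analytic means (about 2.5 events per year times roughly $207k per event), which is a quick check that the inputs were entered correctly; the p90 and exceedance figures are the numbers that make the risk tolerance discussion concrete, and the before/after comparison is what justifies a specific line in the budget.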
And finally, it is time to discuss the Budget! Renfrow says, “You have laid the vision, shown the gaps, quantified the risks, and gotten the risk tolerance sorted for those risks. Just one thing remains, adjust your budget vision, take approval, and get out of that room!” Yes, it will be a difficult conversation, and you will be bombarded with tough questions and choices but remember the title of this phase – Communicate. You need to convey and convince your case. After all, the tag of being a successful CISO is a hard-earned one and lies just at the other end of this conversation.
About Global CISO Forum
Global CISO Forum is an annual event that sees a confluence of the highest-level executives from across industries and countries who discuss the most pressing issues in information security. Now in its tenth year, the 2020 Global CISO Forum promises to be the best yet with an exciting mix of industries, formats, and interactive presentations.
In celebration of our 10 years of CISO events, EC-Council is giving its brand-new Risk Management Approach and Practices e-book to all attendees of the Global CISO Forum! Risk is at the heart of what a CISO does and EC-Council wants to create as many risk-smart executives to protect the world’s assets as possible.
EC-Council’s Global CISO Forum 2020 Virtual Conference was an invite-only, closed-door event gathering.
CISO MAG is the Content Editorial Sponsor for the Global CISO Forum.