By Paul, October 7, 2019, in Uncategorized

CISO Lessons Learned – Hope Is Not A Strategy

When I first started my career, I often heard my leaders talk about the importance of strategy. I was an individual contributor dealing with day-to-day problems that seemed insurmountable and never ended. I couldn’t understand the value of taking time out to think 3-5 years ahead when 100% of my day was filled with day-to-day tasks. As I lived with the same problems day after day, I started to see the value of planning out a strategy. I had been living with the hope that things would improve because I was working hard. Hope is not a way to get your organization moving forward in a consistent direction.

You have to make time to determine where you want to go and what you want to do. Start by deciding what your program looks like in a few years. For instance, do you want to be compliant with regulations only? Do you want to be a leader in your industry? What direction you choose determines the steps you need to take to get there. When I first started in the information security field, these concepts were odd to me.

I wanted to have a clear direction, but how would I align it to what the company wanted? I selected what I thought the company wished to achieve because I always assumed we wanted the same thing. It turns out that being a world leader in Information Security was a tremendous personal strategy, but the company didn’t share that goal. They wanted to be compliant and secure the information, but they didn’t want to spend the money to be the best. When I was younger, this was shocking: how could they not want to be the best at EVERYTHING? Initially, this led to frustration on my part, but then I stepped back and drew an analogy to my own life. I wanted to be the best at the things I chose to focus on; we can’t be all things all the time. For instance, I wanted to be healthy and in good shape, but I didn’t want to invest the time and effort to be a world-class athlete because I cared about other things. The same applies to your company. They want to be healthy (secure for their customers), but they don’t need to be the world leader in security. Does that mean the company was doing something wrong? No, it just means they are focusing on other things, such as providing excellent customer service or amazing products.

When thinking about your strategy, consider this example. Most companies will want a security goal of being compliant with applicable contractual, legal, and regulatory requirements, as well as keeping their systems and information reasonably secure. Once you know your goal, you can determine a strategy and the tactics you need to achieve it. Don’t make the mistake I made earlier in my career of failing to align your program to your company’s objectives. There is a reason why a large group of CISOs last 24 months on average and why the average Chief Information Security Officer (CISO) is stressed. Being out of sync is enough to make anyone stressed. Your work relationship is essential, just like a personal relationship. Would a marriage or relationship with conflicting goals last very long? A professional one is similar.

Hoping things fall into place is not a strategy. You need to determine what you want, just like anything in life, and then take active steps to get there. For instance, you don’t only hope that food will appear on your table every evening. You will take steps to achieve the goal of eating tonight by working at a job, going to the store, and preparing a meal. This simple example has a corollary in security. You don’t just hope your organization will be secure; you make your organization more secure. Start by establishing the expectations and requirements via policies and standards. Next, communicate those expectations and requirements via a security awareness program. Finally, monitor the implementation of those requirements and report on progress.

When developing your strategy, don’t just trust that things will fall into place and that everyone is on board. Constant monitoring and adjustment are critical in reaching your plan successfully. Also, be willing to adapt as organizational changes evolve, such as changes in leadership, market conditions, or other unknowns as you grow and learn more. When sharing the strategy, ensure people know that your approach is flexible and will change as any strategy should.

Look at your organization’s overall goals and talk to your leadership. Here are three examples:

  • Does your organization want to lead the industry in security and use that as a differentiator from its competition? This approach makes sense if you are in a highly competitive industry that deals with a lot of personal data, or if your competition has had a highly publicized security issue that has eroded trust.
  • Does your organization want security to not detract from sales, so your organization only needs to be compliant with existing regulatory, contractual, and legal requirements? This approach is often taken in organizations just developing or rebuilding their information security programs. You will also see this in highly regulated environments where the costs of compliance are high, and the industry is mature.
  • Does your organization want the security program to be in between industry-leading and merely compliant? For example, your organization may not be ready to spend the money on leading-edge security tools, but they want to use companies in their industry as a benchmark and exceed them by a specified amount. You may see this in well-defined information security programs that are in the continuous improvement phase and in industries that are well established and benchmarked.

These are only three examples; there are many other options, and each will take your information security program in a different direction. Take the time to understand your organization’s business goals and begin aligning your program to support those goals. This information will help you develop an aligned strategy, from which you can define the tactics for reaching the goal.

I’ve learned that hope and prayer, or even ignoring the future, is a strategy that some people follow without realizing it. Alignment to your organization’s ultimate goals, and a plan to support those goals, is the only way to succeed.

The opinions in this article or that I post are my own and do not necessarily represent the opinions of my employer.
