Security operations · 4 MIN READ · MICHAEL SUTTON · MAY 28, 2019 · TAGS: CISO / Managed security / Management / Planning
Michael Sutton is the founder of StoneMill Ventures, which invests in disruptive cybersecurity companies. Michael has more than 20 years’ experience working in the security space, spending nearly 11 years as the Chief Information Security Officer (CISO) at Zscaler, and holding security-focused roles at companies like Hewlett-Packard, Verisign and Ernst & Young.
I occasionally hear from CISOs that a moment in time comes when they suddenly have a blank slate and therefore the opportunity to fundamentally revamp their security posture. This blank slate appears for a variety of reasons: maybe the CISO is new to the company, a breach occurred, the company’s taking on new investment capital, or the company’s preparing to go public.
Whatever the driver, this is a golden opportunity for a CISO — one that shouldn’t be squandered. In fact, I found myself in this situation a few years ago. Here’s what I learned about making the most of this opportunity, along with some guidance as to where to start when you have an empty canvas in front of you.
Build a foundation
Even though you’ve probably got plenty of opinions on what’s needed to build (or rebuild) a great security program – and it’s great that the company is now interested in investing in security — avoid the temptation to dive in head first and start making changes immediately. All good things do come to an end, which is why it’s critical that you first establish a game plan that you’ll continually reference as the basis for any decisions you make going forward. No matter how much flexibility you may have at a given point in time, you’ll always have someone to answer to and you’ll need to show progress against committed milestones.
So where do you start? To set yourself and the company up for long-term success, select and build your program around an established cybersecurity framework. Doing so will keep you on track, assist with prioritization and provide a clear roadmap that others can easily follow so they know where you’re headed. There are plenty of cybersecurity frameworks available and you should take some time to identify the one that’ll work best for you. In my experience, the NIST Cybersecurity Framework is now the most widely adopted among U.S. enterprises and is flexible enough to meet the needs of most orgs. Whatever framework you choose, it’s important to first map your existing security controls against the framework. You’ll be able to show everyone where deficiencies exist and help with prioritizing resources. This mapping will serve as a baseline that you can measure yourself against – it’s a great way to show progress as you make security investments.
Seek objective opinions
As much as we want to think we have all the answers, seeking external and objective viewpoints will help validate your assessments. Consider external pen tests or risk assessments, which you can usually get at a relatively low cost if you negotiate small initial contracts with larger ones to follow once your overall plan is approved. It’s much easier to defend your assessment of the org’s security posture or to seek additional budget if you can point to empirical evidence where weak controls already exposed your org to risk.
Security is a team sport. Even if you’ve secured budget for new resources, collaborating with other teams is essential. For example, selecting a source code scanning tool won’t be valuable if the developers don’t want to use it, or if you selected one that doesn’t fit into their existing workflow.
And good luck navigating any security audit without the cooperation of other departments. That’s why you’ve got to build those alliances early and often. Make sure that others in the org view the security team as one that can help them achieve their objectives, not hold them back. Having allies is critical to your success.
Position security as a business driver
Too many executives view the security team as a cost center and, even worse, the part of the company that slows them down. While you shouldn’t expect to ever be seen as a profit center, you should absolutely position security as a business driver.
How exactly can you do that? Work with other teams to understand their needs (when in doubt, re-read the “Make friends” section above) and determine how security can help. For example, has your sales team run into roadblocks with certain deals because of regulatory and compliance issues? That’s an area where you can and should lend a hand. Or have you heard employees complaining about not being able to use a certain tool or service because they’re blocked by security and IT? Don’t ever lower your security posture to appease your colleagues, but in my experience there’s usually a way to meet employees’ needs without negatively impacting your risk profile if you take the time to understand what they’re trying to achieve. All you need to do is sit down with them and take the time to listen.
Ask for regular feedback
Security is never done. That’s why it’s critical to revisit your initial mapping and make sure the gaps you identified at the beginning of the process are closing and that investments are paying off.
Over time, you’ll probably need to create additional metrics to show your progress. These metrics will differ depending on your goals, but it’ll help you communicate to and get support from your executive team and the board.
Every enterprise has a moment of clarity when it comes to security. Whether that arrives via the installation of a new security-conscious CEO or from landing on the front page of The New York Times thanks to a high-profile breach, make sure you’ve got a game plan for moving forward. Step up to the plate, follow these tips, and you’ll be sure to knock it out of the park.