The Information Security Leader, Part 1: Two Distinct Roles, Four Fundamental Questions and Three Persistent Challenges
“If you always do what you’ve always done, you’ll always get what you’ve always got.”
This kernel of wisdom comes from a certain high-tech headhunter in the late 1980s, who passed it on as she was helping her candidates prepare for their next job. Twenty years later, it showed up again in “What Got You Here Won’t Get You There,” a best-selling business book by Marshall Goldsmith.
For today’s information security leader, it’s wisdom that’s still worth appreciating. The role of CISO is very much in transition, and it’s increasingly clear that the skills that got you there are not the skills that are going to keep you there, let alone move you forward. For those who aspire to become CISOs, the path to a leadership role in cybersecurity is not the same as it has traditionally been.
In the spirit of doing things differently, here are introductions to three specific dimensions of important changes for information security leaders and their teams if they want to make a bigger and more valued contribution to their organization.
Two Distinct Roles
As recommended in a strategy map for security leaders, successful next-generation CISOs should strive to have their information security teams perceived by key stakeholders as strong in both of two distinct roles:
- Subject matter experts in the technical aspects of ever-changing threats, vulnerabilities, exploits and information technologies, in the specific context of their own organization; and
- Trusted advisers to the people who are responsible for making the business decisions about security-related risks, complete with the business acumen needed to bridge the gap between technical detail and organizational impact.
While acknowledging that every person is different, it’s generally true that current information security leaders have come up through the ranks of technical experts. These are the skills that got you there — and indeed, these are the skills that continue to be in short supply. But the leadership role is now demanding a blend of technical and business skills. Think of it as a cross between the business-savvy technologist and the tech-savvy businessperson.
Four Fundamental Questions
The fundamental value provided by the business function known as information security is helping the organization manage not only the unrewarded risks of protecting its assets and minimizing downside, but also the rewarded risks of enabling its assets and maximizing upside. For this reason, the successful next-generation CISO should be extremely capable and highly confident when addressing the following four questions:
- What’s the risk? This question might refer to phishing attacks, ransomware, bad bots or whatever challenge comes next in the never-ending battle between attackers and defenders.
- What’s the annualized risk in the specific context of our organization, industry, strategy, IT infrastructure and culture?
- How does an incremental investment quantifiably reduce risk? What’s the business justification for an incremental investment in some recommended mix of technical, administrative and physical security controls, which are intended to manage the risk?
- How does one investment compare to another, with respect to reducing risk to an acceptable level in a specific context?
Identifying, assessing and communicating effectively about security-related risks — along with making sound business recommendations regarding what to do about them — is the very reason that information security leaders and their teams exist! Unfortunately, far too many are really struggling with how to address these fundamental questions and need to make a deliberate effort to develop the necessary skills.
Three Persistent Challenges
Pushing one level deeper in this line of thinking, successful next-generation CISOs will have to figure out how to help themselves and their teams overcome three persistent challenges.
- A language challenge: Even though risk is literally at the center of everything we do, a surprising number of security professionals don’t have an accurate understanding of how risk is defined and don’t use the correct terminology when talking about it. In addition, many misunderstand the types of risk, the range of responses to risk and the all-important question of who owns the business decisions about risk.
- A measurement challenge: Given the predominantly technical and engineering-oriented backgrounds of security professionals, there’s an innate discomfort with the fact that security risks generally can’t be quantified with precision. But a lack of precision doesn’t mean “I don’t know.” In any case, the name of the game is to help make more informed business decisions about risk in spite of these inherent uncertainties.
- A communications challenge: In spite of our discomfort at not knowing how to quantify risk, we routinely fall back on a wide range of purely emotional and qualitative approaches to measuring and communicating about it. For example, we tout the latest headlines, averages based on surveys, the opinions of experts, qualitative assessments and semiquantitative heat maps. None of these approaches really moves the dial with respect to making better business decisions beyond the default intuition and gut instinct of the responsible business decision-makers.
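The four questions above (annualized risk in context, how an incremental investment quantifiably reduces it, and how investments compare) and the measurement challenge (imprecise is not the same as “I don’t know”) can be made concrete with a small quantitative model. The following is an added example, not code from the original article or its author: the threat’s annual event frequency is stated as a range and the loss per event as a 90% confidence interval, the annualized risk is computed both in closed form and by Monte Carlo simulation, and candidate controls are ranked by expected net benefit. The scenario values, control names, costs and effectiveness fractions are all constructed for illustration.

```python
"""Added example: comparing security investments under uncertainty.

All inputs below are constructed for illustration and are not from the article.
Assumptions: annual event frequency is uniform over a stated range; loss per
event is lognormal with the stated 90% confidence interval; a control removes a
fixed fraction of events and/or a fixed fraction of each event's loss.
"""
import math
import random

Z90 = 1.645  # z-score for a two-sided 90% interval


def lognormal_params(low, high):
    """Turn a 90% CI [low, high] on loss per event into lognormal (mu, sigma)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def expected_annual_loss(freq_range, loss_ci):
    """Closed-form annualized risk: mean frequency times mean loss per event."""
    mean_freq = sum(freq_range) / 2
    mu, sigma = lognormal_params(*loss_ci)
    mean_loss = math.exp(mu + sigma ** 2 / 2)  # mean of a lognormal
    return mean_freq * mean_loss


def poisson(rng, lam):
    """Knuth's algorithm: number of events in one year at rate lam (small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(freq_range, loss_ci, years=20000, seed=1):
    """Monte Carlo: one simulated total loss for each of `years` years."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    mu, sigma = lognormal_params(*loss_ci)
    totals = []
    for _ in range(years):
        lam = rng.uniform(*freq_range)          # this year's event rate
        events = poisson(rng, lam)              # how many events occurred
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return totals


def percentile(values, pct):
    """Nearest-rank percentile of a list of numbers."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(pct / 100 * (len(ordered) - 1))))
    return ordered[idx]


def summarize(values):
    """Mean and spread: the 'imprecise but informative' view of annual loss."""
    return {"mean": sum(values) / len(values),
            "p50": percentile(values, 50),
            "p90": percentile(values, 90)}


def evaluate_controls(freq_range, loss_ci, controls):
    """Rank controls by expected net benefit (risk reduction minus annual cost).

    controls: name -> {"cost": annual cost,
                       "freq_reduction": fraction of events prevented (optional),
                       "loss_reduction": fraction of per-event loss avoided (optional)}
    """
    baseline = expected_annual_loss(freq_range, loss_ci)
    rows = []
    for name, c in controls.items():
        residual = (baseline * (1 - c.get("freq_reduction", 0))
                    * (1 - c.get("loss_reduction", 0)))
        reduction = baseline - residual
        rows.append({"control": name, "cost": c["cost"], "residual": residual,
                     "reduction": reduction, "net_benefit": reduction - c["cost"],
                     "reduction_per_dollar": reduction / c["cost"]})
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed scenario (hypothetical): 0.5 to 2 damaging events per year,
# $50k to $500k per event (90% CI), and three candidate controls.
FREQ_RANGE = (0.5, 2.0)
LOSS_CI = (50_000, 500_000)
CONTROLS = {
    "offline backups + tested restore": {"cost": 40_000, "loss_reduction": 0.6},
    "phishing-resistant MFA": {"cost": 60_000, "freq_reduction": 0.5},
    "user awareness campaign": {"cost": 15_000, "freq_reduction": 0.1},
}

if __name__ == "__main__":
    stats = summarize(simulate_annual_losses(FREQ_RANGE, LOSS_CI))
    print(f"Closed-form annualized risk: ${expected_annual_loss(FREQ_RANGE, LOSS_CI):,.0f}")
    print(f"Simulated: mean ${stats['mean']:,.0f}, median ${stats['p50']:,.0f}, "
          f"90th percentile ${stats['p90']:,.0f}")
    for r in evaluate_controls(FREQ_RANGE, LOSS_CI, CONTROLS):
        print(f"{r['control']:<34} cost ${r['cost']:>7,} "
              f"reduction ${r['reduction']:>9,.0f} net ${r['net_benefit']:>9,.0f}")
```

The point of the simulated percentiles is the measurement challenge in miniature: the annual loss is not a single number, but a median and a 90th percentile are far more useful to a decision-maker than a heat-map colour, and the ranking of controls by net benefit answers the third and fourth questions directly in the organization’s own units.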
Do Something Different as an Information Security Leader
If we always do what we’ve always done in these areas, we’ll always get what we’ve always got. An information security leader needs to take a different approach in each of these three dimensions if they want to drive different and more valuable results.