Security Executive Priorities

Sweet dreams (are made of this)

There’s a phrase that’s oft repeated when a person is trying to understand what’s on the mind of and what motivates another person: What keeps you up at night? This question is regularly posed to business executives—during sales efforts, in interviews, and at conferences—as the industry attempts to learn the inner workings of executives’ thoughts and then align policies and procedures with what’s important to the head honcho. 

MISTI held our own “head honcho day,” otherwise known as the CISO Leadership Summit, at InfoSec World 2017. Unlike other CISO events where the focus of the content is often a mini version of a general conference agenda, the aim of this Leadership Summit is the improvement in leadership skills, including communication, trust building, and team management strategies and styles. Providing expert guidance and facilitating interaction, Michael Santarcangelo began the day by asking attendees a version of What keeps you up at night? Maybe it was because everyone came armed and ready to talk about leadership topics rather than the latest security tools and techniques, but the answers provided indicate that security management is starting to move in the direction of leadership.

Who am I to disagree?

Many senior-level security professionals have been thrust into the executive spotlight by a coalescence of factors: a practitioner reached the top security position in the company, and with no next-level VP- or C-level position available, that person’s boss had to either create a position of that caliber or let a very knowledgeable employee walk out the door to find a more suitable position elsewhere. Of course, executive-level security positions would not have been created had it not been for the emerging and urgent need for security leadership. Over the last 10-15 years, it has become apparent to many organizations that information security/cybersecurity is an important line of business in the same way that finance or HR is. Unlike HR or finance, though, security professionals weren’t given time or offered training that allowed them to be groomed into executive leaders; security practitioners have historically reached seniority because of outstanding technical acumen. While these impressive technologists may have displayed leadership qualities over the years, fostering communication and collaboration and learning to empower coworkers are not attributes highlighted in the standard security employee annual review.

Instead, there’s been a lot of learning “on the fly” for CISOs and their otherwise-titled compatriots. Some CISOs have embraced the leadership journey while others have stuck to what they know: technology. It was interesting, therefore, to see what our CISO Leadership Summit participants considered their biggest challenges at work.

I travel the world and the seven seas

Staffing & Smart Team Growth

Number one on the list of stated challenges was “staffing and smart team growth.” We’ve all heard about the massive security staffing shortage, and all the media buzz isn’t helping—it just adds to the FUD. Attendees of the summit said they are concerned not only with filling open positions but with adding to that employee pool as company growth and budget allow. On top of that, attendees said they worry about finding the right employees for the job. Given the current landscape, these security leaders are concerned about losing out on top talent because the market is so competitive.

In a candidates’ market, where good people have their pick of employers, it’s more important than ever to provide a positive workplace and keep good, productive employees happy. Does this mean pinball machines and three-hour lunches? No, not necessarily. But it does mean ensuring that security staff are working on projects that are fulfilling, that employees feel a sense of purpose, that they’re given the opportunity to be creative in problem-solving, and that staff know—not by intuition or gut feel—that the work they provide is valued and appreciated by senior leadership.

Security Culture & Alignment

Thanks to the cultural meme of the aloof, hoodie-wearing security guy who drinks too much Mountain Dew while he sits in a corner and breaks into his friends’ email accounts, Summit participants realize that shedding this persona and being taken seriously by other executives is an uphill climb. Couple this with the truth that all security pros love to talk tech—which bores other departments to near death—and we’ve got a cultural alignment disaster on our hands. Yet attendees said they understand that the key to success is developing a security culture that is positive and supportive of the business and its employees.

One misconception by the greater security community about achieving this alignment is that security teams will have to acquiesce to business needs, which in turn means the business itself will be less secure than if everybody just does what security says to do. It’s not the business’s responsibility to align with security, however. Security must align with business needs, and then collaborate, educate, and use earned influence to permeate the business with security-minded passion.

True security leaders are patient and understand that these shifts are long-haul processes; achieving a healthy security culture and security-business alignment can only be accomplished by being an excellent communicator, building trust with colleagues, and elevating those around them.

The Threat Landscape

Focusing on the threat landscape instead of immediate problems and vulnerabilities in an organization’s systems is much harder than it looks on paper, said Summit attendees (to no one’s surprise). Gaining that holistic picture, though, and using it to guide the company’s strategy around how to find, manage, and mitigate emerging threats needs to remain a top priority, regardless of the velocity or quantity of threats aimed in any specific company’s direction. Attendees said that they anticipate that keeping abreast of the threat landscape will always be a challenge, despite any new technologies or capabilities developed. Attackers always seem to be one step ahead.

As more and more CISOs and VPs of security spend time in boardrooms explaining how security risk contributes to business risk (which the business generally understands well), gaining a realistic grasp on the threat landscape is crucial. No CISO wants to overestimate risk and become Chicken Little, yet no CISO can gamble on underestimating risk and put the organization in a position where it’s not sufficiently protecting company assets.

With such a plethora of threat data available, security leaders need to guide their teams towards an executable strategy that focuses on identifying the most potentially dangerous cyber threats. Doing so requires the strong business-security alignment our CISO participants cited earlier in the conversation. A security leader must fully grasp what’s important to the business before relaying information to her/his security and operations teams. On the flip side, the security leader needs to use her/his influence to educate fellow executives and the board about threats identified by the security and ops teams that might not be as apparent as, say, losing all the company’s customers’ credit card numbers or adversaries taking down the entire network for three days.

Everybody’s looking for something

Unfortunately, the list of worries or challenges didn’t stop there. Summit participants also said they are concerned about patch management (because no matter how much it’s discussed, the industry doesn’t patch well or in a timely fashion), leading security change (because it’s going to take a long time and be hard), board reporting (because we haven’t mastered that alignment piece yet), merger and acquisition activity (because few CEOs ask about legacy systems and patch management practices during a deal), and “covering the basics” (because no one wants the unsexy job of security administration for too long).

As Santarcangelo pointed out during the event, some of the more tactical tasks—like patch management, security basics, and even helping the CEO understand the business risk of acquiring a company with particularly hellacious security practices—are actually things that can be solved by becoming a great leader. Participants left the Summit feeling refreshed and energized…which is good, I suppose, since, apparently, lots of things keep them up at night all other days of the year.