In today's security environment, a lot is written about tools that will defeat the latest rash of malware and attacks, but very little is dedicated to every organization's most vital line of defense – its security team. Gaining ground against attackers means more than having the right technology; you also need the right people with the right mindset. This starts with the CISO.
Each day, attackers grow in volume and expertise, while most budgets remain largely static. It is essential for CISOs to lead the charge, innovating where needed and minimizing complexity when possible, while always staying realistic. I am fortunate to work with a number of stellar CISOs, and there are five common traits that I see in the truly innovative ones. These are easy to spot, and their absence can be glaring to teams, bosses, and most critically, to the cyber criminals who stand to gain from any potential shortcomings.
CISOs reside in a world of constant change – both internally and within the context of the attacks they face. Rather than simply riding along and reacting to change, they encourage it throughout the organization. Most importantly, they base recommendations on empirical data which illustrates the changes in threats and the risks of remaining static – so that others can appreciate the benefits of making changes.
Data establishes credibility. So, instead of using fear, uncertainty and doubt (FUD), these CISOs can actually create dialogue and build an understanding of the risks that can result from certain business decisions. With this data-driven approach, they also become a “change agent,” pushing other groups to adopt a more forward-looking approach to the business.
CISOs not only use data to present a compelling argument, they depend on it to continuously measure themselves and others within their organization. They go the extra mile to understand what the data means, so that they can balance risks and rewards. They make adjustments and address shortcomings, which ultimately improves the organization's protection efforts.
By taking a metrics-minded approach, the CISO avoids subjective decision-making and neutralizes internal politics. Instead, they use indisputable data to help others improve and grow, while also evaluating themselves and the overall security program.
Because qualified job candidates are scarce, the CISO needs to think holistically about the security team, the assets they are protecting, and what it means to create a rewarding work environment. They foster an atmosphere which challenges and recognizes both security teams and individuals, while realistically taking stock of the skills and the tools they have at their disposal. This way, they can supplement assets wherever possible – filling gaps and providing opportunities for growth, which lead to greater effectiveness and job satisfaction. This may seem obvious, but it's critical and often overlooked.
We've all worked with security gearheads who are unable to see beyond the technical details or appreciate the greater business objectives. As good as these folks may be at their current jobs, they don't get very far. CISOs need to understand the business, how it is evolving and the critical issues of the day – from the benefit trade-offs of various business models to what it is doing to stave off business erosion from China.
Once a CISO helps leadership recognize the range of risk factors associated with various business decisions, they earn a seat at the table as the organization navigates new opportunities. This business savvy goes a long way toward earning credibility and trust, which ultimately leads to better protection that aligns with business drivers.
This may seem at odds with maintaining a powerful position, but humility is possibly the most important emergent attribute in the security community. CISOs must maintain a deep enough respect for the threat horizon and adversaries to stay diligent and vigilant about protecting the business. They have to accept the areas in which they are failing, in order to make improvements.
CISOs need to be honest with themselves and ask the hard questions, like, “Where is my technology successfully solving a problem and where is it failing?” Once they honestly answer this question, they'll elevate their performance, and that of their teams.
The opposite is hubris, which we see all too often in cyber security. CISOs who think they are untouchable will leave themselves and their organization open to all sorts of breaches. Once they believe they have it all worked out with all the right technology in all the right places, the clock starts ticking until they suffer the consequences of their egos.
Security professionals face tremendous pressure every day to identify threats that could harm the assets they are tasked with protecting. Organizations depend on leaders who can handle this pressure and who also have the talent and insight to prepare for future challenges. By leveraging data to align security with the business plan and objectives, acknowledging shortcomings, and empowering employees to perform to the best of their abilities, CISOs not only reduce risk; they gain influence over the entire organization, build their value among management and colleagues, and become a trusted source for innovation and best practices.
At the end of the day, all of this positions them to make dynamic changes that reduce risk, while empowering the business to seize new opportunities.