As someone regularly hired to lead red-team engagements that hack into Fortune 500 organizations, I’ve had the opportunity to work with – and go up against – many different types of security leaders. Some are technical, others thrive on adrenaline. Some dig deep into the weeds, and still others prefer the C-suite. Each type brings something unique to the table. Over my long career breaking into companies as a red team leader, I’ve found that the most formidable CISOs share five critical traits:
1. Protect their crown jewels.
The best CISOs know what they are protecting. They say in an instant what the business values, whether it’s sensitive financial data at a bank or precious patient information at a medical practice. And no, “everything” does not qualify as an answer. They know what matters most to the business and build their programs around protecting those assets first. They don't ask what’s most vulnerable or ask outside consultants to identify what to patch. By protecting what matters most, they make my role as the adversary much harder.
2. Understand what’s valuable and what defines failure.
The best CISOs understand the consequences of failure, and the level of acceptable failure. They know the cost of downtime, a reputational hit, or regulatory fines. They quantify the cost of security, seek outside expertise to assess likelihood and then make a risk-based business decision. They’re not focused on finding and fixing the most bugs - they’re laser-focused on resiliency and risk reduction, they measure and report on it and quantify the results in dollars saved whenever possible.
Top CISOs know there are systems not worth fixing because they’re too expensive, but know that anything important gets locked down and highly monitored. In fact, they are usually aware of a bug that needs patching, but know that the impact won’t justify addressing it because it’s too expensive to patch and if I hack the system or database, it really has no real business impact. Instead, they might put up another control or segment something which would create less friction in the workplace. Going up against a great CISO, I can quickly gain limited initial access, but it’s extremely difficult to gain access to anything valuable.
3. Speak the language of business.
The best CISOs are business leaders first, security leaders second. The focus on keeping the business running, not stopping clever attacks. They ground their decisions in business objectives, are fluent in the language of business and know how to frame problems in ways the C-suite will understand in plain English.
Top CISOs are also always optimizing for business value, trading off security and cost for the best possible outcome. They start with potential impact, and then dig into the details and outline solutions. For example, when a top CISO wants to mitigate the risk of something bad happening, and knows it’s too expensive for the business to turn it off, he might deploy network segmentation or add new firewall policies. Basically he’ll set up other controls that are less expensive to the business, yet curb the risk of my team getting in.
4. Prioritize security fundamentals.
Yes, it’s boring, and it’s not fun to remind people about, but it’s still shocking the number of security organizations that don’t take care of the security basics. Rather than spending time segmenting the network or implementing the CIS Top 20 critical security controls, many security leaders invest in shiny new security products hoping they will fix their security issues. That never works. The best CISOs double-down on security fundamentals and regularly test to make sure they work as they were designed.
5. Measure how well their programs perform.
The security industry still doesn’t have a good way to accurately measure risk, so it’s a difficult challenge. But the best CISOs set a baseline measurement for how their program performs by regularly stressing their security systems to find weak points, flaws, misconfigurations and blind spots. By regularly stressing a system, top CISOs can assess the likelihood of something happening, and assign it a value.
Most security leaders know what the job entails -- there are a lot of very passionate and smart people in security -- but it takes more than will to make my life as an adversary harder - it takes institutional change. The CISOs who truly move the security needle are those who understand what they are entrusted to protect and its value so they can make calculated risks. They invest in security fundamentals and stress their systems so they can have a conversation with the business leaders about the actual risk to their organizations. It’s leaders like these that organizations should seek out, because I’m going to find my way in. The only question that matters: who will make me work the hardest to break into the company’s crown jewels.
David “Moose” Wolpoff, co-founder and CTO, Randori