The last post opened up the idea that Gene Kim started me on while we recorded Episode 10 of the "Down the Rabbithole" podcast (released 2/6/12): how does a CISO become a catalyst for change, with not only responsibility but also capability?
Today's post seeks to provide clues and hints (there aren't really any answers) on how a CISO can gain capability (or earn it) by becoming a catalyst for positive change in his or her organization.
This is a difficult topic because it often involves a lot of "you should" and "you could" types of ideas, but rest assured the things I'm talking about here I've either tried myself or have had others tell me they work.
This post also draws upon the collective ideas from the LinkedIn "SecBiz" group, which has become a favorite place for many to discuss this, and I encourage you to join and participate in that group as well.
First up is trying to understand whether capability should be something that a CISO is expected to have walking in the door. More often than not, even in the age of Anonymous and non-stop cyber threats to every business, the answer is still no. Jared Bird's take is that:
"Capability will always have to be achieved (earned). If a CISO initially receives any capability when starting the position, that was capability that was left over from their predecessor. It is now the CISO's responsibility to earn more capability and solidify what may already exist."
In a way I completely agree. You never quite know what you're walking into, and it makes sense to make your own way.
Let me take a step back and define what I mean by capability for you first... it's the ability to catalyze positive change in the area of security and risk management in your organization (as a CISO or equivalent).
Should the CISO have the ability to catalyze positive change walking in the door? Sure, in a perfect world. But look around you, this is far from a perfect world and that is far from a reasonable expectation even in today's risk climate.
What a CISO can expect is that he or she will have to make their business value felt... that's about the only thing I think you can count on. As a CISO you should expect that you'll be challenged to not only provide better risk abatement for the organization but also improve the overall business' ability to achieve goals. Let's start from that premise.
Uncovering Ground Zero
Walking in (or starting fresh) in a new organization as the CISO or security leader means that you have a chance to, hopefully, define what it is you'll want to accomplish. Most of the time, however, the organization that hired you already has some pre-conceived notions either based on the previous person in that role or other industry definitions (or *gasp* an executive head-hunter).
Your first and only goal should be to uncover what your role really is. If you think you're there to keep the organization free of malware, keep the security appliances humming, and keep the company 'secure' you're probably not going to last very long.
Start your digging by meeting people who probably ordinarily sit on the opposing side of the table from you. We'll call these the delegates. Every effective leader must always win over the delegates of his constituency... you're no different. Find out what they care about.
My guess is that the VP of Applications (maybe called the CTO?) probably cares about release cycles, downtime, failure rates, and streamlining effort with over-worked resources.
Note that down. Next go to the key stakeholders of the business. Maybe the board of directors isn't a great place to start... but the other C-levels definitely are.
If you don't hold a C-level title, this tells you something immediately because if they call you the "security leader" then you have a slightly different task ahead of you, and a more monumental march to capability. Your colleagues will be able to tell you what the organization cares to accomplish, and what its goals are.
You'll hear things like cost reduction, productivity (remember this?), agility and other terms you should familiarize yourself with. Here's the thing: you should probably be taking near-perfect notes right now in these meetings, because you'll absolutely need them shortly.
Mapping Your Success
Once you've uncovered why you've really been hired... and it doesn't hurt to know why the previous CISO left, or maybe that there was never one to begin with! ...it's now time to start thinking about how your security skills match up against the needs of the business. What I recommend is taking some time to do a mapping exercise. The mapping should (and here I base this on personal experience) have 3 levels of goals.
The first level should be the business objectives, the second level should be the management objectives, and the final level should be your level, the SRM (security and risk management) objectives. I've done a sample for you based on the highlighted terms from above, right here in Figure A.
Mapping like this is a forcing function which makes you mentally justify your activities, or your proposed activities, against the goals of the business. If you find yourself filling in this grid right to left you're doing it wrong.
You should absolutely fill this grid starting in the left-most boxes at the business objectives level and moving right. This is a many : many : many type of mapping... and sometimes if you have a mind-mapping tool like FreeMind, or Mind Manager it's even easier than spreadsheets.
Looking at the overall business goals on the left column forces you to understand the high-level goals you're trying to help the organization meet. They're high-level, and probably fairly easy to "fit" things into, which is why the middle level exists. The middle management objectives level exists to help you understand the goals of those around you.
Each manager and executive has their own objectives that will get them promoted and help them meet their commitments to the organization. Why do you care? Because if your activities can positively map to their goals, it's simple to show how you're helping them, not fighting them. You've just taken a positive step in the direction of keeping a healthy relationship with the rest of your colleagues in the organization. This is much better than the adversarial relationships security leaders normally have.
See, this type of mapping has many great benefits. You can build better personal relationships, understand the organization better, and on and on... so how does this give you the capability you need to be a catalyst for positive risk management change?
Elementary my good Watson... once you've got a good understanding of your organization, its goals and have a solid helpful relationship with your colleagues the capability comes almost naturally. You're no longer doing things for the sake of security, but for the sake of business productivity, cost reduction, or agility - and you're someone people respect rather than fear.
Jared Bird says that one of the most important things a CISO can do to earn capability in an organization is "helping the other executives recognize the value of security" and that the big requirement is to "keep things simple."
Folks, this isn't magic, but great advice I've picked up from fantastic mentors. I pass it on freely to anyone who wants to listen, because we need less "security says" and more "the business needs" discussions in security circles if we're ever going to get our heads above water.
Good luck, I hope this helps!
Jared Bird currently works as a consultant with the technology risk advisory services group at McGladrey. He specializes in network security assessments and security reviews. Jared has over 10 years of experience in information technology with positions ranging from network administration to information security management roles.
Cross-posted from Following the White Rabbit