A pragmatic alternative to the SuperCISO [L O N G]


Yet again this morning, something on the ISO27k Forum caught my imagination, firing-up my sleepy caffeine-deprived neurons. We have been chatting lately about what is expected of the Chief Information Security Officer role - namely an exceptional mixture of knowledge, skills and competences possessed by the 'SuperCISO'. 

Today, Nigel Landman referred us to an interesting article by JC Gaillard at Medium.com 

JC's repeated assertions that 'cybersecurity is not purely technical' caught my beady eye: the 'cyber' bit clearly suggests that it is 100% purely tech ... but those of us who have swallowed the ISO27k pill recognise that information security requires more than just securing the bits-n-bytes. This is yet another example of the confusing use of language - specifically 'cyber'. Many professionals immersed in the field take 'cyber' implicitly to include technology plus other aspects but the general perception Out There is very strongly and perhaps exclusively technical. 

For the majority, cybersecurity equates to IT security or, more specifically still, it refers to hacker attacks and malware infections via the Internet. For that reason, the recently revised and reissued standard ISO/IEC 27032, formerly on 'cybersecurity', was re-titled to clarify that it covers Internet security, specifically - an important part of the information security landscape and cyber area, but not the whole thing. It falls short on intellectual property protection, for instance, plus insider threats and plan ol' fashioned accidents that cause a significant number of incidents, despite not being 'attacks'.    

[\rant]

As to whether we need CISOs at Exec Committee or Board level, I agree with JC.
It depends on the organisation, and requires a person with an unusual (= rare and therefore valuable) combination of business and infosec (and information risk, privacy, compliance, resilience, leadership and other) capabilities.

[Aside: I maintain that the best infosec qualification I hold is not CISSP, CISA or CISM, but an MBA from an excellent course at Bath University with very little IT content and nothing at all on information risk and security. It is all about the business. If you admit to being an ordinary CISO aiming to become super, I thoroughly recommend business/management training to supplement your specialist tech background.]

The underlying issue, as I see it, is that what's needed is not 'a CISO' per se but 'strong leadership in this area from senior management'. So, with roughly 7 out of 8 organisations that even have CISOs apparently finding themselves short of SuperCISO, there are other ways to achieve strong leadership, such as deliberately raising management's understanding and appreciation of the value of information security and related matters through the information security awareness and training program - implying the need for different content and emphasis compared to the typical staff-focused awareness activities.

I am suggesting a security awareness approach I've developed over more than twenty years, with parallel streams of awareness and training content specifically targeting managers and specialists in terms that suit those audiences, as well as the usual staff stream addressing workers in general.     

Here are some rhetorical questions I believe are well worth addressing through a dedicated management stream of security awareness content and activities:
  • Strategy: what are the strategic options in information security, what are their pros and cons, and how do we decide what approach is most appropriate for this organisation, going forward?

  • Governance: what reporting structure and management arrangements or controls are appropriate for information risk, security and related matters? What are those 'related matters' or areas of concern, and how do/should they interact? Do we need a CISO, and if so, what are the expectations of the role, at what level, and what kind of person would be ideal?

  • Business: how does information security contribute to the business objectives? What can/should be done to increase its net contribution (benefits less costs i.e. the business case)?

  • Risks and opportunities: in which areas can/should we afford to take chances, and conversely where are we most exposed and in need of greater effort, investment and focus? How does information security relate to all the other things we are doing and need to do - how does it fit the bigger picture?

  • Priorities: given all those other things of interest and concern, in which areas is it necessary to apply management pressure, and how much pressure is appropriate relative to other business activities and initiatives?

  • Policy: what is our position on information security-related policy matters ... and how do we ensure the associated messages cascade effectively to those who need to know (including managers!)?

  • Assurance: do we have sufficient confidence in the adequacy (sufficiency, suitability, quality, capability ...) of our information security and related efforts? Do we need - or would we welcome - additional assurance in any areas?

  • Metrics and reporting: are we receiving suffiicient, credible, valuable information regarding information risks, security and related matters from the organisation? Are we fully in-tune, up-to-date and in-the-picture, or are we delusional, perhaps being misled by various others with their own agendas, interests and concerns?

  • Culture: given senior management's leadership role, are we doing enough to influence the corporate culture towards information risk, security and so forth? Do we have an appropriate, consistent, strong culture throughout the organisation at all levels? If not, where should we focus our attention and what can we actually do to influence or drive cultural change?

  • Executive-level information security: given the sensitive and valuable nature of information routinely accessed and generated by senior management, what security controls are appropriate/necessary at our level?

That cluster of questions begs questions about what information or guidance the information security function can most usefully offer to address senior management's concerns. What should that management stream provide? Here are some suggestions:
  • Language: an informed debate in this area requires that senior managers appreciate the concepts, which in turn means they need to understand the language. For instance, I maintain that information, specifically, is the focus of information security, IT security, cybersecurity or whatever it is called. Intangible information is the valuable asset that needs to be both protected and exploited by the business - not technology, not digital data, not the Internet, but information. That's the handbag we are dancing around. There are other examples where consistent and reasonably precise use of language supports clarity and understanding, whereas inconsistencies and imprecision in how we talk about this stuff leads to misunderstanding. This is hardly rocket surgery, and yet I feel I am going out on a limb by raising concerns about our language.

  • Complexities: the interrelationships between information risk, security, compliance, safety, privacy, resilience and continuity, assurance, technology and business are confusing in many ways. For example, the term 'supply chain security' seemingly relates to risks aroung continuity of supplies, but from an information security perspective there are concerns around the flow of information throughout the supply chain, issues at selection and procurement time plus during the operation and management of supplier relations, potential information risks within the information processing and content of products (goods and services) supplied, and more besides - a flurry of issues crossing several traditional business stove-pipes.

  • Dynamics: threats, vulnerabilities and impacts are all changing, hence the controls we need to protect information 

  • Confidentiality, Integrity and Availability - the classical CIA triad - is a powerful concept and an important reminder to consider all aspects in the broad. In particular, it is worth noting that although security is necessary to ensure adequate secrecy and privacy, it also needs to ensure adequate quality, relevance and utility of information. There are tensions between the CIA factors, hence a myopic focus on confidentiality/secrecy/privacy fails to address the other aspects of security, and misses the mark. Locking the only copy of our 'secret recipe of herbs and spices' away in a bank vault keeps them confidential, yes, but means the business can't manufacture that delicious coating. 

  • Business: offering business-oriented advice on applying the information risk-based approach involves, for instance, using credible illustrations from within the organisation and its industry, and aligning with business initiatives, strategies and objectives except, perhaps, for those rare occasions where the business strategies need to change in response to information risks (such as how to exploit Artificial Intelligence technologies without losing control of information).

Raising senior management's awareness in this area offers benefits such as:
  • More sensible, comprehensive and yet pragmatic infosec strategies, policies etc.

  • Greater appreciation for the effort involved in balancing information access restrictions against utility, quality etc.

  • Proper management consideration of infosec budget and investment proposals

  • More appropriate risk- and security-related decisions, with a better understanding of risk appetite, risk tolerance and risk management in general

  • Better, more effective and efficient interactions between various departments, teams and individuals with various perspectives on information risk, security and so forth, strenghtening the team as a whole

  • Advancing from 'doing the bare minimum as required by law' to 'doing whatever is best for the organisation', with more than just a vague clue about the difference and the business implications

The SecAware security awareness materials put the 3-streams approach into practice, one information security topic at a time, so if you like the sound of this, take a look at the website and by all means contact me for more. How can we help?

PS If you are a practicing SuperCISO, raising senior management's awareness is surely a worthwhile part of the job. Any tips to share? 

PPS  On LinkeDin, Manfred Ferreira suggested adding "project cycle of life, since [senior management] should have a regular update process that [is] fundamental to keep it secure, fast and with new features of innovation."  Good point Manfred!  There's lots more to say about cycles and innovation, so if this intrigues you, keep an eye on the SecAware blog for updates.