Tuesday, April 1, 2014

What's a CISO Do?

   A while back I started a new job as a CISO.  It's the second time I've held that title at an organization.  What's interesting about that is that both times it was a new position for the organization.  I wrote about my initial thoughts and plans in a post here.  That was before I started the job!  I've been meaning to follow up on that post, both to provide more insight and to list next steps.

   In this post I'll dive a bit into the execution of the plans I originally discussed.  In another post I'll get into what came next, including the weightier topics of strategic and tactical plans.

   And yes, I know it's April 1st, but I'm keepin' it real!

   For my first 90 days on the job I tried to keep my focus on three key accomplishments:
  • Learn the business;
  • Start to establish a Culture of Security; and
  • Baseline the environment.
   Let's talk a bit about each of these areas.

 Learn the Business.
   Security and IT have traditionally struggled in this area.  It's easy to keep your head down and focus on technical issues and projects.  There's always too much work to do, and a simple mistake many in Security and IT make is to not get out and engage.

   I started by asking questions and looking at org charts.  My plan was to have 1-on-1 meetings with any leader I could!  I reached out to directors and managers, execs, leaders of key locations and functions, and, of course, the C-suite.  In my first quarter I had 1-on-1s with over 70 key leaders!  This was October through December, so there were a number of holidays.  You do the math... I was pretty busy.

   These meetings not only helped me learn what's going on in a very complex organization that is undergoing change, but also allowed me to establish my office, promote security and build confidence in others.

   I would recommend this to anyone, regardless of your position or industry!

Establish a Culture of Security.
A journey of a thousand miles begins with a single step.
Lao-tzu, The Way of Lao-tzu
Chinese philosopher (604 BC - 531 BC)
You gotta start somewhere.
          Me.
    It can take years to build a solid Security Awareness program.  But you just have to start.  It begins with promoting the core ideas of your program and security philosophy as you meet with leaders.  You also need to see what kind of training may already be in place.  I was lucky in that, as a HIPAA-covered entity, annual security and privacy training was already in place.

   I've written about my philosophy on security awareness.  So I also got out and did a few "Internet Safety for Kids and Families" talks.  These are always well received.  People learn lessons they can use and start to develop a security mindset.

   One thing I've been wanting to do for years is to produce short security video tips that can be featured on the intranet.  People can view them at their desk or on the go to get some info, but not have to spend the time attending a talk or a long training session.  Check out this one!

Baseline the Environment.
   You need to not only understand your environment, but communicate that to leaders and your management.  A baseline does both of these things for you.  Plus, it helps to be able to show how you've improved the organization.

   I used two different methods to do this baselining.  At first, I couldn't find a tool that I liked.  So I created one.  I started with a great article published by NASCIO that talks about the components of a security program.  Using the detail from that model and combining it with the COBIT maturity model, I was able to get a picture of the current state of the organization.  The main problem with that approach is that I am not able to make any industry or regional comparisons.  So I also did a baseline using Gartner ITScore.  I'm not a huge fan of that tool... it's too absolute.  Many of the questions simply have yes/no answers.  But there are many maybes out there.  So one can do the assessment twice: once choosing strict answers, and then once more being more lenient.  Of course, this requires a Gartner subscription.
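The "assess it twice" trick above turns a yes/no questionnaire into a range rather than a single number, which is easier to defend in front of leadership. The script below is an added example of that idea, not the author's tool and not NASCIO, COBIT or Gartner material: it scores a small constructed questionnaire on the COBIT 4.1 maturity scale (0 Non-existent through 5 Optimised) under both a strict reading (only "yes" counts) and a lenient one ("maybe" also counts), and then diffs two baselines so you can show improvement over time. The component names, the questions, the answers and the rule that a component sits at the highest level whose questions, and all lower levels' questions, are satisfied are all assumptions made for illustration.

```python
"""Strict-vs-lenient maturity baseline scorer (added example; constructed data).

Maturity levels follow the COBIT 4.1 scale: 0 Non-existent .. 5 Optimised.
The rule used here is a staged one: a component is at level L when every
question evidencing level L, and every question at the levels below it,
is satisfied. That rule is an assumption made for this example.
"""
from statistics import mean

MAX_LEVEL = 5

# Constructed questionnaire (assumption, not the NASCIO component list):
# component -> {maturity level evidenced -> answers to that level's questions}
SAMPLE_PROGRAM = {
    "Governance": {1: ["yes", "yes"], 2: ["yes"], 3: ["maybe"], 4: ["no"]},
    "Risk Management": {1: ["yes"], 2: ["maybe", "yes"], 3: ["no"]},
    "Awareness & Training": {1: ["yes"], 2: ["yes"], 3: ["yes"], 4: ["maybe"], 5: ["no"]},
    "Incident Response": {1: ["maybe"], 2: ["no"]},
}


def maturity(answers, lenient=False):
    """Return the highest fully satisfied maturity level for one component.

    Strict reading: only "yes" satisfies a question.
    Lenient reading: "maybe" satisfies it too.
    A level with no questions stops the climb: no evidence, no credit.
    """
    satisfied = {"yes", "maybe"} if lenient else {"yes"}
    level = 0
    for lvl in range(1, MAX_LEVEL + 1):
        questions = answers.get(lvl)
        if not questions or not all(a in satisfied for a in questions):
            break
        level = lvl
    return level


def baseline(program, lenient=False):
    """Score every component of a program under one reading."""
    return {comp: maturity(ans, lenient) for comp, ans in program.items()}


def summary(program):
    """Per-component (strict, lenient) ranges plus the overall range.

    Reporting the range rather than a point value is the whole point of
    running the assessment twice: it makes the "maybe" answers visible.
    """
    strict = baseline(program)
    lenient = baseline(program, lenient=True)
    ranges = {c: (strict[c], lenient[c]) for c in program}
    overall = (mean(strict.values()), mean(lenient.values()))
    return ranges, overall


def improvement(before, after):
    """Level delta per component between two baselines (positive = better)."""
    return {c: after[c] - before.get(c, 0) for c in after}


if __name__ == "__main__":
    ranges, (overall_strict, overall_lenient) = summary(SAMPLE_PROGRAM)
    for comp, (lo, hi) in ranges.items():
        print(f"{comp:22s} strict={lo} lenient={hi}")
    print(f"overall: {overall_strict:.1f} .. {overall_lenient:.1f}")
    # A later re-assessment, constructed to show a delta report.
    later = dict(baseline(SAMPLE_PROGRAM, lenient=True))
    print("delta vs. strict baseline:", improvement(baseline(SAMPLE_PROGRAM), later))
```

The strict result is what you can prove today; the lenient result is what you would get if every "maybe" were resolved in your favour. The gap between the two is a ready-made list of things to nail down before the next baseline.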

   Well, that's how it went for the first quarter!  What are your thoughts?  Which of these techniques have you tried?  What are your keys to success?
