Security Leaders: made, not born?

You may be as sceptical as I of easy recipes for corporate success.  Of airy promises, sunny uplands, burnished reputations.

Well, here’s a thought.

Sometimes, they might just have one or two nuggets worth chewing on.

I apply a few simple tests:

- Can I see myself having a shot at it, for real?

- Would it work in my enterprise, with all its cultural and technological quirks?

- If it’s obvious, then why haven’t I been doing it?

Joe Gottlieb in his article ‘Being Great: Five CISO Traits’ (SC Magazine, June 2013)  suggests really good quality CISO’s are easy to spot.  They:

 - never stand still and are never complacent.

- act as change agents, pushing others to better business decisions by focusing on the risks

- balance reward and risk by measuring and applying learning from the results

- recognising deep security skills are scarce, lead and challenge their teams, recognising the skills and tools they have – and where help is needed

- are business-focused, speaking the language of the Board and winning their trust

- vigilant and respectful of the threat horizon and as-yet unknown adversaries.

Forrester’s Andrew Rose touched on similar themes, warning last year (Computer Weekly 11 June 2013) that CISO’s needed to ‘evolve into corporate information risk managers if they are to survive’ and ‘to fall out of love with the thrill of firefighting and other tactical aspects of security operations.’

He went on that the people who faced up to common shortfalls, a ‘lack of IT security alignment and engagement with the business and a lack of strategic innovation’ would prosper, investing in self-development to acquire skills in leadership, strategic thinking, business knowledge, risk management and communication.

 The rest, he judges, would move down into supporting technical roles.  Important, challenging, interesting, roles, yes, but not leadership roles.

 This has some pretty clear implications for those who want to go Up.

 Business engagement moves from the bottom to the top of the priority list. Technology and processes to protect data will move down.

 CISOs will no longer be the single point of expertise but need, in Rose's words ‘external support as compliance, privacy, data management and even physical security are grouped together’.

 CISOs will become ‘orchestrators, able to manage service providers, co-ordinate the support team and make decisions.’

 See the commogn threads?

Coming up for air; grasping the business drivers; making friends with the business and the Board, balancing risk with opportunity; working through technical specialists; acting to prevent rather than recover.

But what do the people who are actually doing the job say?

To find out, a research institute recently asked 80 CISOs ('A new standard for security leaders' – IBM Center for Applied Insights 2013) what they are grappling with in the areas of practice, technology and  measurement.

 What it found offers some clear guidance and a useful pathway that tomorrow's CISOs may do well to adopt.

In the area of business practice, four things:

Strong strategy and policy

Thinking strategically, applying policy consistently throughout the enterprise.

Action agenda: Broaden technology competencies. Broaden business acumen.

Comprehensive risk management

Considering the whole risk picture based on understanding the business model, operations, partners and regulators.

Action agenda: Work towards a holistic view of enterprise risk. Move from co-operation through collaboration to integration.

Effective business relations

Speaking the language of business.  Building transparent cases for options which meet business needs.

Action agenda: Understand what line of business leaders really want and why they want it.

Concerted communications

Telling real world stories to line of business executives of wins and losses; a competitor which has suffered; a supplier whose breach damaged their customers. Quantify the pain and the gain.

Action agenda: Think like a user. Find and tell stories from 'out of sector' places.

In the area of Technology, two areas:

Moved beyond the foundational and functional

As well as investing in identity and access management, network intrusion prevention, vulnerability scanning and database security, explore advanced, strategic technologies.  Today’s protection will be increasingly ineffective. Prevention needs foresight.

Action agenda: Explore advanced malware detection, security intelligence analytics and alternative authentication mechanisms.

Advance all aspects of mobile security

 Although mobile is top of mind, mobile security is only at a foundational stage of development and centred on management devices and inventories. Too few have clear response polices or an enterprise strategy for Bring Your Own Device (BYOD).

 Action agenda: Think less about technology and more about policy and strategy.

 In the area of Metrics, a single focus:

Creating the right feedback loop

Moving from operational measures (how many, how often, ownership, audits, compliance) to feeding business and security measures into their enterprise risk management process, even though CISO’s recognise this as a critical success factor.

Action Agenda: Campaign to get security measures accepted as critical business measures e.g customer satisfaction. Claim and prove value where it’s due.

 So, quite a bit to do, then.

 But a striking degree of agreement amongst the sampled CISO population about what it now takes to be a high performer. And some clear pointers on what to focus on and what to strive for:

-  Versatility: delivering sound security strategy as part of enterprise risk management.

- Integration: Normalising security as a business measure. Catalysing good decisions.

- Mastery: of many disciplines to build security leadership into a enterprise level differentiator.

Now that's got to be worth a shot.