Preparing for a Board of Directors meeting is one of the more intellectually stimulating aspects of a CISO's work. It's an entirely different conversation than the one I typically have with my team, my peers, and my other stakeholders around the firm. Our board is wicked-smart... and is the absolute wrong audience to engage in a philosophical discussion about the latest trends in firewalls, or whether our projects are on time. With the steady drumbeat of recent breaches at well-heeled organizations, even the customary discussion of whether security spending levels are appropriate may become passe, if not irrelevant. For every under-funded victim, we are learning of events where underspending is not the obvious outrage driver:
- Sony spent $171M recovering from their 2011 breach(es), only to be hit again three years later;
- on paper, Target had invested in the people, process, and technology needed to quickly react to - if not prevent - their sentinel event;
- a $250M annual cyber-security budget was not enough to keep JP Morgan on the friendly side of the headlines.
As attacker capabilities grow exponentially, the board-level slant on security spending becomes less of an algebraic equation to solve and more of a reflection upon a greater theme: does the company have the right culture to manage the factors that lead to a breach, and what level of assurance can the CISO offer that an outrageous breach is unlikely?
The question of information security culture becomes a difficult one to pin down: just like all politics is ultimately local, security culture can look and feel very different depending on one's vantage point within an organization. Are you an end-user, navigating through policies and awareness material? Are you an executive, considering whether to accept risk or sponsor the latest countermeasures? Are you an architect or an engineer, defining and delivering roadmaps and new solutions? This is why, when a colleague asked me to proofread a whitepaper in which he described culture as a choice between "agile or static... creative and risk-taking or a heirarchical, well-oiled machine," I offered an alternative perspective.
Security culture is determined by the intersection of all these factors: the organization's pace, the tone at the top, and the feel in the trenches.
Individually, each one can drive certain aspects of security forward. Together, the three can define a culture that supports the delivery of an information risk management program that considers the delicate balance between doing too little, courting an outrageous breach; and doing too much, delivering a locked down system at the expense of innovation, customer service, and shareholder value.
Pace: not simply the rate at which security happens, but the ability to move with velocity - a measure of both speed and direction. Once a gap is identified, how long does it take to select and deliver a solution with appropriate coverage? Can the company adapt its people and processes, as well as its technology, when the need arises? I chose the word pace deliberately over speed because maintaining a strong security program as attackers continually evolve means being able to support perpetual change without harming the core business; it means giving our teams permission to succeed — or fail — quickly, and rewarding them for that speed... and for having a good plan that anticipates the most likely points of impact and preserves reliability for the enterprise. I spend considerably more time diving into pace in this supplementary article.
Tone at the top: does senior staff support security with both its words and its actions? Has social norming in the organization attached a stigma to accepting security risks, and do leaders follow up to ensure their teams are delivering remediations on schedule? Are security exceptions granted based on business need moreso than title? Is the CISO able to approach any leader in the company to discuss an emerging risk or an ongoing concern? At the risk of stating the obvious, in most organizations the main difference between a CISO and a Directory of Information Security is the "C". Each is the senior-most leader setting and delivering their company's information security program. The Director seeks permission to engage someone in the C-suite; if the tone at the top is positive, the CISO simply calls the meeting.
Feel in the trenches: do end-users know what to do (or not to do) to remain adherent to company policies and controls, beginning with their first day of orientation? Are policies enforced, and do employees and contractors know whom to contact if they suspect a violation? How is the end-user community engaged before a new control or policy is rolled out to the organization? It's a good day for the CISO when friendly hallway chatter with a new employee pauses on this quote:
You know, this is the first company I've been at where I've worried about sending work home to my personal account.
I have long been a proponent of the idea of "personas" as a coaching tool - the face on your company badge looks just like the one on your driver's license; one is authorized to access classified company data, the other is not. There's a big difference between data "loss" and data "theft", and most staff are a higher risk for the former than the latter. It was gratifying to hear that our lightweight but consistent messaging was having the intended effect on our employee base.
As organizations begin to combine these elements of a positive security culture, a virtuous cycle begins.
Pace combined with tone at the top yields a vision: in the face of a widening population of adversaries, whose capabilities grow at the speed of H.D. Moore's Law, and whose tactics are unburdened by budget, statute or regulation, what measures is the organization prepared take with its people, process and technology in order to protect its customers, staff, and shareholders?
The feel in the trenches, combined with a strong tone at the top, creates alignment: when the entry-level employee has heard from upper and middle management about the importance of their role in protecting the company's assets, and when they know that there is integrity and passion behind those words, they themselves are less likely to take risks.
Finally, when pace is combined with the feel in the trenches, the end-user's experience improves along with their adherence to current and emerging controls. I recently had the opportunity to deploy a nifty tool that "helped" (forced) our users to comply with a critical but inconvenient security control. The team did its best to create good documentation for the tool - we made it fun, pithy, and brief... which made it all the more painful to watch as our pilot group struggled to use the tool correctly. There were too many options, and the "intuitive" help system we were deploying was intuitive only to the core team... who already knew and understood the product intimately. We paused the pilot and set an audacious goal: 90% of the user's interactions with our tool had to be completed in one click, period. Round two of the pilot was considerably better than first.
Without a vision, alignment between leaders and staff, and a user experience that makes adherence the norm, controls are more likely to be bypassed, investments in security tools are less likely to deliver value, and threat actors' approaches are less likely to be met with an effective response. With a strong security culture in place, an organization will be ready to face its shareholders, its customers, its staff, and its board and say with integrity, "Information Risk Management is ready to serve."