Interesting model and well presented. Here’s my summary:
- do you promise to safeguard your company’s assets?
- do other people in your org believe you’ve made that promise?
- do you have the resources to deliver on that promise? Probably not, so you’ll need to:
“lead without authority” using influence, persuasion, negotiation, conflict management, communication, and education of the organization.
CISOs must have Technical Excellence AND Organization Engagement
8 domains of Technical Excellence
- configuration and data protection
- software and vendor security
- access control
- security awareness and training
- analysis and detection
- incident response
7 factors of OE:
- Get command of the facts: when the board asks “are we ok? are we safe?”
  - reach individual business leaders: how is the business run? what are the crown jewels? what is the risk appetite?
- Get the business to own risk
  - have a partner in managing that risk. “Have funded infosec mitigation plans; the business has a financial stake in the outcome.”
- Embrace the change agent role: systematically and proactively engage stakeholders at all levels
- Embed into key processes
  - you can’t attend every meeting -> be virtually present -> done right, infosec is practiced even when you’re not around
  - find natural allies in legal, audit, etc., and in change management, to add security early in the project
  - don’t wait to be invited to the party
- Run infosec like a business
  - credibility, budget, people, projects. Deliver on time and on budget.
- Technical & business capable team
  - the CISO can’t do it all alone. Build a team considering: technical debt, business knowledge, interpersonal skills
  - cohesive cyber cadre, not just a team. This is a step further: a unit that is on the same page and brings a consistent message
- Communicate the value
  - How does infosec help the org win and succeed? The answer needs to be broken apart and customized for different stakeholders: how does infosec help them beat competitors and reach their goals? (This isn’t security awareness, swag posters, or corporate-speak BS.) Do you have a 30-second elevator pitch for security?
- Organize for success
  - are you organized for max influence and impact? Younger orgs report exclusively into IT (CIO, CTO…); as the org becomes more established, infosec reports into a risk function.
It’s a 5-7 year journey to lead your organization to adopt safe business practices.