
InfoSec Teams Share Keys To CISO Success

Tech expertise and business engagement are critical for CISOs who want to strengthen security but lack authority in their organizations.

CISOs promise to protect critical business data, but many lack the influence they need to be effective. High-performing infosec teams combine technical expertise and organizational engagement to do their jobs well.

This is the key takeaway of a new research report from IANS entitled "CISO Impact: The 5 Secrets of High-Performing CISOs." For more than two years, researchers collected diagnostic data from more than 1,200 businesses to assess their security posture.

Diagnostics were structured by two best practice models: 8 Domains of Technical Excellence and 7 Factors of Organizational Engagement. The expansive collection of data was boiled down to 75 best practices shared among high-performing businesses and their leaders.

In this report, IANS takes a step back from the granular details of its research and highlights five high-level lessons CISOs should adopt as they aim to build greater influence within their organizations.

Cloud growth is driving the importance of security, says Leonovus CEO Michael Gaffney, but CISOs don't have enough influence to drive change. Most report to CIOs, who are usually trained in basic security but may not be fully up to speed on web-based security.

"Security pros don't have enough of a seat at the table," he says. "Boards of directors want to hear from more than the CIO; they want to hear from someone about what’s going on. If you're not at the table from a security perspective and the C-suite doesn't recognize it, that's a vulnerability."

Despite this concern, most infosec pros have to accept they will need to lead without authority, says Stan Dolberg, chief research officer at IANS. Most security managers aren't given full access to the staff, processes, and technologies they need to fully protect data.

"The CISO and security team make a promise to safeguard critical assets, but they have little control over the resources to make it happen," he explains. "Security isn't an isolated function. It stretches over every operation."

Security leaders can build authority by building alliances for a risk-based approach to security through which the business owns risk. All high-performing organizations in the study hold business leaders accountable for the risk of their actions, says Dolberg.

CISOs must connect the dots across businesses, goals, strategies, and results, and handle situations at the technical and negotiation levels. These skills are important because CISOs need to inform boards of exposures, collaboration, and steps taken to secure assets. This data is owned by the business, and CISOs must convince them to work together.

The second key is to embrace the role of change agent. CISOs and their teams are responsible for changing many things; for example, how software is developed, or how people click on emails. It's important to prepare for pushback.

"Change encounters resistance," says Dolberg. "People don't like to change. It costs money; it takes time. Embrace the role of change agent, otherwise you're going to get very frustrated."

Engagement is also important here as security pros have to build relationships to understand what motivates other parts of the business. They can use this research to introduce more informed change recommendations.

IANS' third lesson is to be responsive and demonstrate the importance of security. Organizations don't instinctively know infosec must be integrated into the business, so security pros have to step up, teach them, and prove its value.

"The CISOs who make a difference understand people won't open the door and say 'give me a makeover,'" Dolberg explains. "You have to be proactive and can't just sit back." Few CISOs will be hired into organizations that already recognize the danger. The rest can employ tactics like fake cyberattacks to demonstrate the reality of cybercrime.

"You experience real emotions in a mock situation," he notes. Faking a DDoS attack on the main website, for example, will give business leaders a sense of how it feels to lose customer data and put their reputation at risk.

Most (84%) high-performing CISOs develop a "cyber cadre" or cohesive team of employees who convey the same messages to everyone in the business. This requires proficiency in interpersonal skills, a theme of the first three lessons.

"It takes a lot of effort on the part of the CISO to hire people with the right technical skills and build a cohesive team," explains Dolberg. "This way, when they're out there in the day-to-day grind of the business, they're all telling the same story."

The fifth lesson is patience; getting organizations to value their security teams takes time. It typically takes high-performing organizations five to seven years to build their teams and cadres and invest in their credibility before they are viewed as integral to the business.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
