Modern security leaders find themselves at the crossroads between business and technology, selling the importance of security to all levels of an organization while helping them maintain efficiency, create a risk management strategy, and prepare for the inevitability of a cyberattack.
This idea of "selling information security" is the area where security leaders struggle most, said Peter Keenan, CISO of a financial services company, in a DEF CON talk. As security practitioners transition from roles as technical analysts or engineers into leadership positions, they learn the challenge of driving security through a business without control over employees' performance.
Information security at its core is "influence without authority," he said, and it's more involved than convincing executives to invest in new technologies. Security leadership may feel like a lot of top-down selling, convincing the board and CEO that you're doing well, but leadership also means conveying the importance of security to people across all levels of the business.
"If you actually want to fix security at an organization, you have to sell it from the bottom up," Keenan said. "It's the people on the ground, the people at eye level who are actually doing the things that will make you more or less secure, and you have to convince them that this is the right thing to do, and these are the changes they need to make in their processes to be better."
This requires a different strategy depending on who the CISO is talking to. Consider IT: You may think tech folks all have a similar mindset, he said, but selling security to IT can be a challenge.
IT's goal is getting information to as many people as possible, as quickly and reliably as possible. Their concerns are cost, features, and uptime. Security isn't among their main goals — it's adjacent to their goals, and infosec has to convince IT how security can be helpful.
Because people respond better to a story than to data, Keenan suggested a penetration test. Show someone walking through the environment; demonstrate how they could be targeted. This could help in addressing the optimism bias, or the tendency people have to believe they're less likely to experience a negative event. Nobody thinks they'll be next to get hacked.
"If you demonstrate clearly [that] they are capable of making mistakes, they'll be angry at first, but generally if they're professionals, they'll get over it and want it to be better," he explained. CISOs don't want to bring IT concerns to audit or management unless they absolutely have to.
Selling security to the board is different. Most board members are focused on security now; they know it's a risk and they want the CISO to know they care. A key thing to remember here is few of them have technical or cybersecurity backgrounds. In preparation for board meetings, he advised readying answers for four questions they're likely to ask:
- Are we compromised right now? Answer with a high, medium, or low likelihood — be humble — along with why you think this.
- How vulnerable are we to compromise? Explain details like who might attack you, what might they target, how they'd get in, and what you've done to counter that.
- How are we proactively addressing the next generation of security threats? Here, elaborate on budget, organization influence, and team size.
- What is our plan if we get compromised? Review the incident response and cyber-crisis communications plan.
Risky Business: Speaking Executives' Language
An area where security leaders can find middle ground, and a key differentiator between sole contributors and leaders in cybersecurity, is risk.
"Business leaders understand it," Keenan said. "They may not understand your specific technical domain, and they may not understand what a router or a switch is, but they understand the language of risk."
Keenan outlined several terms security leaders should understand before risk conversations. Risk reduction — or ensuring systems are patched and users trained — is one. There's always a chance a patch didn't work or a user didn't reboot after it was applied, but the overall risk will be lower. He spoke to risk acceptance, a concept technical pros struggle with. If there's a 10% chance a website will get hacked, but it'll only be up 30 days, the business may decide to risk it.
"It makes our heads explode, but absolutely, that's their call," he added. The CISO's job is to identify, quantify, and report a risk; it's the CEO's job to accept it.
Security leaders must understand risk appetite, or the amount of risk a business is willing to take on. Everyone has a different tolerance level: Financial services is usually more risk-averse; tech firms and startups are more risk-favorable and take chances. There is no numeric value here, he said, and most people will have a different definition for it. A CISO will have to chat with a lot of people, learn their risk appetite, and communicate it back to senior leadership.
Because everyone has a different view of risk, the CISO has to consolidate their viewpoints into a calculable risk level — whether someone is low, medium, or high risk. It helps to create a lexicon that brings everyone onto the same page and builds a common understanding of risk; if an incident occurs, having this framework will get everyone on the same level.
An effective way to mitigate risk is to build a team to help you manage it. Keenan advised his audience to build a diverse team with a range of backgrounds and experiences. "The more viewpoints you have on your team, the better you're going to be," he said. In order to effectively manage risk, the CISO and their team must understand it from every angle.
These perspectives can inform the company's cyber-risk profile, which should include the likelihood of getting attacked, frequency of security incidents, who may target you, and the impact of a potential incident. This profile should also include external viewpoints from peers and law enforcement, and it should be updated over time as processes are adjusted.
Businesses are in a race with today's cybercriminals, Keenan emphasized, and their strategy should plan for continuously investing more in security training and awareness. Security hygiene should be a top priority in protecting the business, from patching critical vulnerabilities to ensuring frequent backups and phishing tests, to protect from likely types of attacks. People talk a lot about advanced persistent threats and sophisticated threats, but most don't need to worry about them.
"Chances are, you're going to get owned by a mediocre ransomware crew," he said.