Dark Reading is part of the Informa Tech Division of Informa PLC

Hacking It as a CISO: Advice for Security Leadership

A security leader shares tips for adopting a CISO mindset, creating risk management strategies, and "selling infosec" to IT and executives.

Modern security leaders find themselves at the crossroads between business and technology, selling the importance of security to all levels of an organization while helping them maintain efficiency, create a risk management strategy, and prepare for the inevitability of a cyberattack.

This idea of "selling information security" is the area where security leaders struggle most, said Peter Keenan, CISO of a financial services company, in a DEF CON talk. As security practitioners transition from roles as technical analysts or engineers into leadership positions, they learn the challenge of driving security through a business without control over employees' performance.

Information security at its core is "influence without authority," he said, and it's more involved than convincing executives to invest in new technologies. Security leadership may feel like a lot of top-down selling, convincing the board and CEO that you're doing well, but leadership also means conveying the importance of security to people across all levels of the business.

"If you actually want to fix security at an organization, you have to sell it from the bottom up," Keenan said. "It's the people on the ground, the people at eye level who are actually doing the things that will make you more or less secure, and you have to convince them that this is the right thing to do, and these are the changes they need to make in their processes to be better."

This requires a different strategy depending on who the CISO is talking to. Consider IT: You may think tech folks all have a similar mindset, he said, but selling security to IT can be a challenge.

IT's goal is getting information to as many people as possible, as quickly and reliably as possible. Their concerns are cost, features, and uptime. Security isn't among their main goals — it's adjacent to their goals, and infosec has to convince IT how security can be helpful.

Because people respond better to a story than to data, Keenan suggested a penetration test: show a tester walking through the environment and demonstrate how the people in the room could be targeted. This helps counter optimism bias, the tendency to believe one is less likely than others to experience a negative event. Nobody thinks they'll be the next to get hacked.

"If you demonstrate clearly [that] they are capable of making mistakes, they'll be angry at first, but generally if they're professionals, they'll get over it and want it to be better," he explained. CISOs don't want to bring IT concerns to audit or management unless they absolutely have to.

Selling security to the board is different. Most board members are focused on security now; they know it's a risk and they want the CISO to know they care. A key thing to remember here is few of them have technical or cybersecurity backgrounds. In preparation for board meetings, he advised readying answers for four questions they're likely to ask:

  • Are we compromised right now? Answer with a high, medium, or low likelihood — be humble — along with why you think this.
  • How vulnerable are we to compromise? Explain details like who might attack you, what might they target, how they'd get in, and what you've done to counter that.
  • How are we proactively addressing the next generation of security threats? Here, elaborate on budget, organization influence, and team size.
  • What is our plan if we get compromised? Review the incident response and cyber-crisis communications plan.

Risky Business: Speaking Executives' Language
An area where security leaders can find middle ground, and a key differentiator between individual contributors and leaders in cybersecurity, is risk.

"Business leaders understand it," Keenan said. "They may not understand your specific technical domain, and they may not understand what a router or a switch is, but they understand the language of risk."

Keenan outlined several terms security leaders should understand before risk conversations. Risk reduction — or ensuring systems are patched and users trained — is one. There's always a chance a patch didn't work or a user didn't reboot after it was applied, but the overall risk will be lower. He spoke to risk acceptance, a concept technical pros struggle with. If there's a 10% chance a website will get hacked, but it'll only be up 30 days, the business may decide to risk it.

"It makes our heads explode, but absolutely, that's their call," he added. The CISO's job is to identify, quantify, and report a risk; it's the CEO's job to accept it.

Security leaders must understand risk appetite, or the amount of risk a business is willing to take on. Everyone has a different tolerance level: Financial services is usually more risk-averse; tech firms and startups are more risk-tolerant and take chances. There is no numeric value here, he said, and most people will have a different definition for it. A CISO will have to talk with a lot of people, learn their risk appetite, and communicate it back to senior leadership.

Because everyone has a different view of risk, the CISO has to consolidate those viewpoints into a calculable risk level, so that a given risk can be rated low, medium, or high consistently. It helps to create a lexicon that brings everyone onto the same page and builds a common understanding of risk; if an incident occurs, having this framework will get everyone on the same level.
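One way to make the "shared lexicon" concrete is to force every stakeholder's estimate through the same scale before it reaches leadership. The following is an added example, not code from the article or from Keenan's talk; the 25% band boundary, the median-based consolidation, and the sample assessments are assumptions chosen for illustration. It takes the article's own framing (a probability of compromise over the exposure window, a loss figure, and a stated appetite), classifies each assessor's view with one rule, then reports a single consolidated level along with whether the assessors disagreed, which is the point at which the CISO reports and the business decides whether to accept.

```python
"""Added example: a minimal shared risk lexicon for consolidating viewpoints.

Not from the article. Thresholds, the median-based consolidation and the
sample assessments below are assumptions made for illustration.
"""
from dataclasses import dataclass
from statistics import median
from typing import Iterable


@dataclass(frozen=True)
class Assessment:
    assessor: str
    p_compromise: float   # probability of compromise over the exposure window (0..1)
    impact_usd: float     # estimated loss if the compromise happens

    def __post_init__(self) -> None:
        if not 0.0 <= self.p_compromise <= 1.0:
            raise ValueError(f"{self.assessor}: probability must be in [0, 1]")
        if self.impact_usd < 0:
            raise ValueError(f"{self.assessor}: impact cannot be negative")


def classify(expected_loss_usd: float, appetite_usd: float) -> str:
    """Shared lexicon: expected loss relative to the stated appetite.

    'high'   -> expected loss meets or exceeds the appetite
    'medium' -> at least a quarter of the appetite (assumed band boundary)
    'low'    -> anything smaller
    """
    if appetite_usd <= 0:
        raise ValueError("risk appetite must be a positive loss figure")
    if expected_loss_usd >= appetite_usd:
        return "high"
    if expected_loss_usd >= 0.25 * appetite_usd:
        return "medium"
    return "low"


def consolidate(assessments: Iterable[Assessment], appetite_usd: float) -> dict:
    """Rate every assessor with the same rule, then produce one reported level.

    The consolidated figure uses the median probability and median impact so a
    single outlier (optimistic or alarmist) does not dominate the result.
    """
    items = list(assessments)
    if not items:
        raise ValueError("need at least one assessment")

    per_assessor = {
        a.assessor: classify(a.p_compromise * a.impact_usd, appetite_usd)
        for a in items
    }
    p = median(a.p_compromise for a in items)
    impact = median(a.impact_usd for a in items)
    expected = p * impact
    level = classify(expected, appetite_usd)

    return {
        "level": level,
        "expected_loss_usd": expected,
        "per_assessor": per_assessor,
        # Disagreement is itself worth reporting: it tells leadership the
        # lexicon has not yet produced a common understanding of this risk.
        "disagreement": len(set(per_assessor.values())) > 1,
        # The CISO identifies, quantifies and reports; acceptance is the
        # business owner's call, so the output recommends, never decides.
        "recommendation": (
            "exceeds appetite: escalate for explicit acceptance or reduction"
            if level == "high"
            else "within appetite: acceptance is the business owner's decision"
        ),
    }


# Constructed sample: three views of the same short-lived web application.
SAMPLE_ASSESSMENTS = [
    Assessment("app owner", 0.05, 100_000),
    Assessment("security", 0.10, 200_000),
    Assessment("internal audit", 0.30, 500_000),
]
SAMPLE_APPETITE_USD = 50_000  # assumed appetite for this asset class


if __name__ == "__main__":
    report = consolidate(SAMPLE_ASSESSMENTS, SAMPLE_APPETITE_USD)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the sample, the application owner rates the risk low, security rates it medium, and audit rates it high; the consolidated view lands on medium with an expected loss of $20,000 against a $50,000 appetite, and the report flags the disagreement so it can be resolved in conversation rather than buried in a single number.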

An effective way to mitigate risk is to build a team to help you manage it. Keenan advised his audience to build a diverse team with a range of backgrounds and experiences. "The more viewpoints you have on your team, the better you're going to be," he said. In order to effectively manage risk, the CISO and their team must understand it from every angle.

These perspectives can inform the company's cyber-risk profile, which should include the likelihood of getting attacked, frequency of security incidents, who may target you, and the impact of a potential incident. This profile should also include external viewpoints from peers and law enforcement, and it should be updated over time as processes are adjusted.

Businesses are in a race with today's cybercriminals, Keenan emphasized, and their strategy should plan for continuously investing more in security training and awareness. Security hygiene should be a top priority in protecting the business, from patching critical vulnerabilities to ensuring frequent backups and phishing tests, because those measures address the attacks most organizations actually face. People talk a lot about advanced persistent threats and sophisticated adversaries, but most organizations don't need to worry about them.

"Chances are, you're going to get owned by a mediocre ransomware crew," he said.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Reader comment, 8/11/2020 9:33:27 AM:
Well stated! I believe I will be forwarding this article to my whole C-suite!