Part IV: The CISO's Strategy
How many of you have often wondered how does the CISO come up with their cyber security strategy, and how does it differ from the other CISOs?
What I like about our community of Cyber Risk Leaders is the fact that more and more people in the leadership team have seen the value of sharing experiences, knowledge, intelligence, and collaborating more closely together.
The first three parts of the five part ‘Coffee with the C-Suite’ series explored a range of different perspectives.
Part 1 went back in time and I was able to pick on the brains of the world’s very first CISO, all the way back in 1994.
Part 2 focused on a few simple takeaways shared by the first federal CISO of a former US President.
Part 3 was more specific to a selected industry of choice and as it was the Christmas and Boxing day season, and I explored the view of Cyber Risk with a few CISOs from the retail industry.
In today’s part 4 segment, I thought it will help our readers if I were to highlight a few key things of a CISO’s approach in drafting out the cyber security strategy. Now, here’s where I put a disclaimer: there is no perfect strategy, and the success of every strategy hinges on so many variable factors, from the way it is being executed, to the culture of the organisation, leadership among other things.
In this case study, I sat down with Shawn Thompson who is the CISO at the Department of Transport in Victoria, and he walked through five steps of his approach below:
1. Stay current with the threat landscape
- Read, listen, and watch a variety of security coverage.
Shawn: “I quite like to include academic papers and leading consultancy publications, and also keep an eye on the likely emerging opportunities and threats.”
Shamane: “Podcasts is another good way - Darknet Diaries has a really creative way of telling true stories from the dark side of the Internet. Their style reminds me a little of LucasArts Guybrush Threepwood and the Monkey Island Series!
Steven Li, Cyber Risk Meetup's Tokyo Chapter lead recently wrote a great article of the top few cybersecurity podcasts that people are listening to for those who are interested. The Cyber Security Weekly Podcast by MySecurity Media is another good one to check out.
I also like subscribing to OSINT dashboards from different intelligence communities around the world. Their summary makes it easier to have a quick snapshot on the cyber trends and key threats.”
2. Research your core business
- Find out your industry trends and disruptions.
Shawn: “Interview and have informal conversations with your internal business customers. Start high in the organisational hierarchy, with those accountable for the business services. Understand their strategies, goals, needs, pains. It serves us well to engage our best listening skills and learn from our customers."
Shamane: "I most definitely agree. I especially like this saying by Stephen Covey, that most people do not listen with the intent to understand; they listen with the intent to reply."
3. Collaboration and engagement are essential
Shawn: “Be the helper for your customers.”
Shamane: “It is about building trust and credibility as well. Most CISOs want to be seen as a trusted advisor to their customers. So what would your internal collaboration strategy look like?”
Shawn: "I will work with my internal business customers, mostly senior and those with accountable positions, to workshop how security can enable their business strategy. While security is often about threat mitigation, try to be positive - glass half full. Keep expectations realistic. E.g. "We're expecting to have an X number of breaches or cyber attacks this period, but successful implementation of our security strategy will see a reduction of the impact to our customers and staff, and increase our return to stakeholders." This is a great opportunity to reinforce your relationships with your internal business customers."
Shawn uses the OKR methodology to help him. What are OKRs?
There are two parts to this: Objectives and your Key Results. Objectives are your long term goals and your Key Results are the ways you accomplish those goals. Key Results should be quantifiable, achievable, lead to objective grading, and also be a little bit difficult, but not impossible. He uses OKRs to help him set strategic objectives with the internal business customers that enable their business outcomes. Here's an article on OKRs and strategy deployment that Shawn referenced to for those who are keen to find out more.
4. Search for key sponsors
Shamane: "I'm glad to hear you highlight this as there's a whole chapter in Cyber Risk Leaders that talks about the strategy of various CISOs in influencing sideways, whilst leveraging on current business advocates as they work to grow a meaningful influence."
Shawn: "Yes, you need people who can help you reinforce your security messages. It’s amazing how much difference it makes when you have another one or two leadership voices supporting security initiatives. It might be a person on the board or in a C-suite position. Search out those who are interested in security and nurture those relationships so they can become influential."
5. Keep the strategy flexible
Shawn: " You want your strategy to take account of a rapidly changing threat landscape."
I reflected on the different environments I've seen - no one CISO strategy looks the same. There are many variables in when it comes to planning and execution. Shawn shares his personal experience in overcoming obstacles.
Shawn: "Sometimes, a strategic message is not well received and it’s worth investing some time to understand why your audience didn’t react the way you had hoped. Often there are other motivations that you’re not aware of and that may be due to different values. That is normal."
"Timing is key. People often take several conversations to begin to understand your message and how it is relevant to them. Be patient. Be courageous. It takes time to develop relationships and trust, to understand the business needs. Education is challenging and continual."
Shawn spoke fondly of the practices of DevOps/ DevSecOps. One of the concepts he likes is the continual improvement approach, which shifts the mindset to look for failures in order to learn faster.
If I were to take it to the next level, I would want to encourage the CISOs to also spend more time thinking strategically on how they can understand the business risk and different board motivators better, and in turn, have a strategy that is more closely aligned to the business incentive. The icing on the cake would be in the execution of the strategy, of which, the key element would be in one's ability to influence, and that's a whole different article topic by itself.
So, a question to my network, what are your thoughts? As always, I would love to hear your comments and sharing of best practices, from ideas to experiences; they are greatly welcomed!
This is Part IV of a Five-Part #CoffeewiththeCSuite Series:
Part V: Fireside Chats with the Board
To read the entire collection of the CISO kit including global C-Suite insights and perspectives across industries, you can now get your very own Cyber Risk Leaders book in stores or the e-book on Amazon, Kindle or Google Playbooks.
About the Author
Shamane Tan is a published Author of Cyber Risk Leaders and the APAC Executive Security Advisor at Privasec, a leading and independent Security Consulting Firm. She has worked with exciting start-ups all the way to global organisations extensively in the Asia-Pacific region. Shamane advises the C-Suite and IT Executives on their business security posture to the reality of the challenges they faced from regulatory issues and cybercrime. She is also the founder of the Cyber Risk Meetup which is in four major cities in Australia, as well as Singapore and Tokyo. Her meetups offer Security Enthusiasts and Executives a unique platform to impart and exchange innovative insights.