It used to be common for new chief security officers to come in with guns blazing. The security personality stereotype was a machismo type who wanted to be seen as the hero in saving the company’s network from all the villains trying to get in.
But times have changed. In today’s corporate setting, if a CSO enters the building with the intent of doing a gut job in the first few weeks, he most likely will find himself out the door in short order.
It is often said that nobody likes a know-it-all. This is certainly true of a new CSO who comes aboard with grand plans to turn everything upside down in order to right the ship. The prevailing strategy has shifted to a more cautious approach, one that steps back in the early going on the job and reviews the situation along with the players.
“Learn the business before you start trying to implement any type of changes. It is very crucial that you listen to your team and other department heads. If this is not done first, you will have execution mistakes that may not be career enhancing, because you were hasty with your execution,” says Todd Bell, who has become an international expert and leading speaker on preventing security breaches for new start-ups to Global Fortune 500 companies.
He explained that the first 90 days as a CISO or CIO are very critical. “You need to come across as likeable, credible, and the person that can get things done. Don’t over commit, but execute with precision and concise communications,” he said.
It is imperative that CSOs show everyone they work with that they are a trusted resource, not an unpredictable "loose cannon." Over time, he said, CSOs need to become the "trusted adviser" up and down the corporate ladder.
“When you sign your executive contract, it is important to remember you will be tossed out within 90 days if you are not a fit for the company. Try explaining that story for your next C-level position—not a good situation to be in,” Bell said.
That is sound advice that Dave Dalva wishes he had had when he first started out as a CISO three years ago. Working as a CISO on a consulting basis, he acknowledges that he did not come in on Day 1 with the idea of engaging with the IT stakeholders.
“The lesson learned is to be fully engaged with the IT team. It is very important to have those relationships. The network, communication, telephony guys,” he said, noting that it is not just about communicating with the board and C-suite but also with the people doing the security work in other departments.
“The first thing to do is to have an independent security assessment -- look at governance and operation,” he said. The assessment needs to be risk-based so that the CISO can get a handle on where priority items are.
“It helps to have engagement with the board of directors. A CISO for tech will only inevitably fail. The CISO needs to be business savvy and all encompassing,” he said.
Dalva's advice to other new CISOs is to set expectations for security as a process, not a goal. As is often said, security with the expectation of zero intrusions is nearly impossible, so it helps to think of it as a process that also covers what to do when security is breached.
Tips for being a new CISO
Todd Bell offers up this advice from his experience in the security field.
Dealing with a merger
Golan Ben-Oni agrees that understanding the organization and its network is the first order of business. As CSO of Network Architecture at IDT, he went through a merger in which a number of the senior network and security staff originally charged with keeping accurate documentation and network security configurations had not kept up with the pace of change in the organization. As a result, much of the documentation was out of date, and in many cases policies had not been implemented to achieve strong security.
“Shortly after the merger, a number of individuals who had been involved in these configurations were no longer at hand, and we were left trying to put together this information with little or only basic information,” he said.
As it turned out, the prior staff tasked with all of this had largely been unable to do it because they had been resorting to sniffer traces, conversations with application owners, and non-verbose application logs to tie down security policies. The gap was not so much a lack of attention as the difficulty of the method they were using.
He brought in Palo Alto Networks initially just to add Layer-7 Application visibility to the environment – spanning close to 20 ports around the network to feed into the device for the sole purpose of gaining that visibility. Eventually he and his team repositioned the Next Generation firewalls directly into the network to apply policies based on the new knowledge they were able to ascertain from the network.
This process took a little over five or six days to complete. Given the dual challenge of gaining an understanding of the environment and properly documenting it, this was a key hurdle that they were able to overcome. In the following weeks they were able to replace an aging infrastructure with more powerful capabilities.
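The "gain visibility first, then write policy" sequence described above lends itself to a small worked example. The following script is an added illustration and not code from IDT, the article's sources, or any firewall vendor: it takes a constructed log of observed sessions (one row per session, with the zone, destination port and identified application), counts how often each zone-to-zone application flow occurs, and splits the result into draft allow rules for well-established, well-identified traffic and a review list for anything rare, unidentified, or running on an unexpected port. The column layout, the application names, the `EXPECTED_PORTS` map and the session threshold are all assumptions made for the example.

```python
"""Turn observed Layer-7 session records into draft allow-list rules.

Added example: the session format, app names and thresholds below are
illustrative assumptions, not any vendor's export format or real traffic.
"""
import csv
import io
from collections import Counter

# Constructed sample session log (one row per observed session).
SAMPLE_SESSIONS = """\
src_zone,src_ip,dst_zone,dst_ip,dst_port,app
users,10.1.1.10,dmz,10.9.0.5,443,ssl
users,10.1.1.11,dmz,10.9.0.5,443,ssl
users,10.1.1.12,dmz,10.9.0.5,443,ssl
users,10.1.1.13,dmz,10.9.0.5,443,ssl
users,10.1.1.10,internet,203.0.113.7,53,dns
users,10.1.1.11,internet,203.0.113.7,53,dns
users,10.1.1.12,internet,203.0.113.7,53,dns
dmz,10.9.0.5,db,10.8.0.20,3306,mysql
dmz,10.9.0.5,db,10.8.0.20,3306,mysql
dmz,10.9.0.5,db,10.8.0.20,3306,mysql
users,10.1.1.40,db,10.8.0.20,22,ssh
users,10.1.1.41,internet,198.51.100.9,8443,ssh
dmz,10.9.0.5,internet,198.51.100.20,4444,unknown-tcp
"""

# Assumption for this example: the ports each identified application is
# expected to use. An application on any other port is flagged for review.
EXPECTED_PORTS = {
    "ssl": {443},
    "web-browsing": {80},
    "dns": {53},
    "ssh": {22},
    "mysql": {3306},
}


def parse_sessions(text):
    """Parse CSV session records into dicts, converting dst_port to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["dst_port"] = int(row["dst_port"])
    return rows


def summarize(sessions):
    """Count sessions per (src_zone, dst_zone, app, dst_port) flow."""
    return Counter(
        (s["src_zone"], s["dst_zone"], s["app"], s["dst_port"]) for s in sessions
    )


def anomaly_reasons(app, port, count, min_sessions):
    """Return the reasons (if any) a flow should be reviewed rather than allowed."""
    reasons = []
    if count < min_sessions:
        reasons.append(f"only {count} session(s) observed")
    if app.startswith("unknown-"):
        reasons.append("application could not be identified")
    expected = EXPECTED_PORTS.get(app)
    if expected and port not in expected:
        reasons.append(f"{app} on non-standard port {port}")
    return reasons


def draft_rules(summary, min_sessions=3):
    """Split observed flows into draft allow rules and a review list.

    Flows seen at least min_sessions times, with a known application on an
    expected port, become draft allow rules (most frequent first). Everything
    else is returned with the reasons it needs a human look.
    """
    rules, review = [], []
    for (src, dst, app, port), count in sorted(
        summary.items(), key=lambda kv: (-kv[1], kv[0])
    ):
        entry = {"from": src, "to": dst, "app": app, "port": port, "sessions": count}
        reasons = anomaly_reasons(app, port, count, min_sessions)
        if reasons:
            review.append({**entry, "reasons": reasons})
        else:
            rules.append({**entry, "action": "allow"})
    return rules, review


if __name__ == "__main__":
    rules, review = draft_rules(summarize(parse_sessions(SAMPLE_SESSIONS)))
    print("Draft allow rules:")
    for r in rules:
        print(f"  {r['from']} -> {r['to']} {r['app']}/{r['port']} ({r['sessions']} sessions)")
    print("Flows to review before enforcing a default deny:")
    for r in review:
        print(f"  {r['from']} -> {r['to']} {r['app']}/{r['port']}: {'; '.join(r['reasons'])}")
```

The review list is where the "interesting artifacts" surface: a single SSH session from the user zone into the database zone, SSH on 8443 to an internet host, and an unidentified TCP application leaving the DMZ. None of these should be turned into a rule without a conversation with the application owner, and the draft allow rules are a starting point for that conversation, not a finished policy.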
“I suspect that for many individuals entering their roles, having a proper understanding of their environment that they are in is likely an area that they need to spend time focusing on. In our case, we had been relying on aging technology, older methodologies, and we needed a fresh perspective. Sometimes a fresh perspective is really what is needed, and coming into the role from the outside can be turned into an advantage,” he says.
He said every year they ask themselves: If we had to do this all over again, what would we do differently? “This is important to do, because very often key assumptions that we may have made, or solutions that we may have adopted in the past may no longer be effective, and we must always be prepared to ask (and answer) these difficult questions,” he says.
He added: “In our environment, every time we added visibility to a given area, it was always like shining a light into a darkened tunnel – interesting artifacts generally emerge, and these should be considered ‘low hanging fruit’ that can be quickly remediated. If you can’t see it, you can’t react.”
Once visibility is gained, an organization can begin to focus on the next step, which is lowering its response and remediation time.
His final piece of advice for new CSOs is to network as much as possible with peers who have to deal with similar challenges, and to solicit input from a variety of sources which may include research organizations like Gartner or Forrester if they don’t have the time to do their own research.