Things I wish I knew before I started as a CISO.
2,5 years ago I applied for a CISO-job at a big e-commerce company that operates in The Netherlands, Belgium & Germany. It was my first job where I would get the full responsibility for the strategy, vision and execution of the information security management. I went in head first, hit my head a lot, and learned a lot doing so. So here is a summary of the things I wish I know before I started this whole adventure:
Trust is better than control
Every auditor or accountant knows the phrase: “Trust is good, but control is better”. In the last few years I learned that it’s actually the other way around.
As a CISO managing a security team, the most important thing you can do is trust your employees. They are your most valuable resource. Whether it’s about detecting and reporting phishing mails or implementing security controls, you must trust them to do that properly. If you can’t trust your employees, the solution is never to implement more controls. It increases complexity and creates distrust from your employees towards you and your team. This does not mean that controls are bad, but they mustn't be used to compensate for your lack of trust. If you don’t trust your employees, you have an HR problem, not a control problem.
An extension of this, is the fact that I will never do company wide phishing testing. It will only create distrust towards you and your team and the only thing that it will prove is that people will click on links, which we have known for many years. Think about what will happen and what needs to be done when people click on those malicious links instead.
Recently I started communicating that we will never do a phishing tests and if people are suspicious of a mail they should always report it. Yes, it has increased the amount of false positive reports, but I rather check 100 false positives, than miss one true positive because an employee thought it was a test and just deleted it. This topic is worth a post by itself to explain more clearly, but I’ll leave it for now.
If you show trust in your employees, you get rewarded with trust in return. Employees will be less reluctant to contact you and your security staff for incidents, questions or advice. It’s the biggest win-win you can get.
Know your weaknesses
The scope of a CISO / information security team is almost unlimited. Nowadays there isn’t a part of a company that does not involve IT or data. And the Information security field is getting bigger by the day: Networking, Incident Mgt, Security Architecture, Defensive Operations, Offensive Operations, Risk Management. This security certification list from July 2021 counts 399 security specific certifications and it’s probably not even complete.
Don’t get overwhelmed by this, you cannot know everything. But you can know, what you don’t know. And you should build your team around that. The most valuable team members are the ones that have more knowledge than you.
Roundabout Politics: Sometimes you have to let things fail in a controlled manner.
Ask anyone the question: “Do you think security is important?” and everyone will answer “yes”. But when push comes to shove and priorities need to be addressed, it will rarely end up on top of the list.
One way to solve this, is to know that nothing gets everyone aligned more than a good incident. So when you just know that a process sucks and is just waiting for an incident to happen, don’t be afraid to let these processes fail. It’s often the best way to make people learn. Just try to make sure it happens in a controlled manner with limited impact. And when it happens, don’t say “I told you so!”. Just be the first to lend a hand to help resolve the issue, preferably by having a solution at the ready.
I’ve called this approach Roundabout politics. A lot of intersections started as a regular intersection with no security measures whatsoever. Then an accident happened and signs were placed on the side of the road. Traffic increased and another incident happened. Traffic lights were placed. Another incident later and a roundabout is placed. So why not place a roundabout there in the first place? Well, because traffic wasn’t high enough to warrant the costs of a roundabout. This is risk management in an nutshell and the longer your work in Infosec you realize that most improvements are not driven by risk assessments, but by incidents. Why? Because people are really bad at estimating risks.
People are really bad at estimating risks and qualitative risk analysis sucks.
This topic is probably worth a separate blog post by itself as well, but I’ll try to summarize it, because it hits at the core of information security management. The whole information security industry is built around managing risks, but I found that in general people are really bad at estimating those. Not just business people, but everyone, from Infosec, to management, to operations.
Insurance companies use complex models with massive amounts of historic data to calculate risks and the premiums to compensate for them. In infosec the general approach is to use qualitative methods (e.g. the Delphi technique) and classify risks as low, medium, high or critical, mainly because large datasets are missing and financial approaches are often inflating.
I’ll give an example of why that is: One of the easiest things to calculate financially is the impact of when a company gets hit by ransomware. It’s roughly a calculation of:
Direct Losses = [ Average ransomware attack duration ] * [ Daily Revenue ] * [ Daily Employee Costs ]
These numbers go up very, very quickly. Note that this does not take into account recovery costs, additional measures and reputational damages. But the real challenge is: what is the likelihood that this will happen, because Risk = Impact * Likelihood. And where insurance companies can use massive amounts of data, for infosec incidents this data is very, very limited. So big risks get underestimated. And small risks get overestimated.
To properly manage risk, data is important. If you can’t quantify the risk with data, be careful not to rely on what people *think* the risk is. Also, as a CISO you and your team are the authority with regards to information security. If a person *thinks* a risk is lower, let them support it with data and solid arguments. If they can’t, your assessment should be the authoritative one.
You don’t owe anybody your time, especially not sales managers.
Since I started as a CISO I got contacted by sales people *a lot*. They all try to guilt talk you into spending half an hour with them, so they can tell how their tool is the silver bullet your company absolutely needs. Because you want your company to be as secure as possible right? No. Ignore those mails, reply you are not interested or just tell them to piss off if they keep contacting you. You don’t owe them anything, especially not your valuable time.
“But it really sounds like I can use their tool”. No:
Don’t buy tools for which you don’t have the people to manage them.
The biggest mistake is thinking that a tool will solve your problems. Vendors will come at you with 250% ROI, AI, ML, the whole bullshit bingo. But in the end, every tool will need some kind of manual work. Whether it’s configuration, maintenance, reporting, follow-up etc. This is especially a challenge with security tooling where teams are often relying on other teams (e.g. devops, operational, etc.) to take action. If you haven’t aligned with those teams about the work that will come their way and if they don’t have the people to support this, the tool will be useless.
Always put your personal health first.
Yes, I have been there as well. Arguably the biggest challenge the Infosec community faces is people getting overworked and ending up in burn-outs, eventually leading to them leaving the whole profession. This is bad for them, but also for the community as a whole.
Remember that in the end your working to live, not living to work. It’s probably the biggest challenge for every CISO out there, because we all feel the responsibility that has been given to us, but I cannot stress this enough: Your personal health is way, way, way more important than any job or company will ever be.