Security Incident Response

If you think you have or know you have a Security Incident please fill in the form and our experienced Onevinn CSIRT team will reach out shortly.
 
The team has long experience in supporting customers in Incident Response and Compromised Recovery.
 
Keep calm and we will be with you shortly!

Henrik Parkkinen 30 May 2022
8 min

A day at work as a CISO - Part 2

“Cat: Oh by the way, if you really like to know, he went that way.”

Alice: Who did?

Cat: The white rabbit.

Alice: He went that way?

Cat: Who did?

Alice: The white rabbit!

Cat: What rabbit?

Alice: Didn’t you just say?

Cat: Can you stand on your head?

Alice: ???<gets tilted>???”

 

What if Alice had some kind of a map (a roadmap for example) pointing her in the appropriate direction? Some tools available for her to find a better way forward when being lost that she could apply together with the map (like a compass maybe?)…instead of to trying to guess, or by listening to the disoriented Cat trolling her from the tree, which way to go?

For a CISO (Chief Information Security Officer) a good starting point, for setting out the coordinates and navigation, could be to conduct a cyber security assessment. These types of assessments are generally more driven from a technological perspective though, but with an addition of a threat and risk management exercise tailored towards the organization a cyber security assessment make a fairly good starting point. An initial roadmap to be used as a compass for guiding. To understand which road not to take. To understand which weaknesses and vulnerabilities need to be prioritized first. To find a road forward and to reduce the head scratching moments and guessing game.

Before diving further into today’s subject let’s do a fast recap of the message propagated through the first article, Part 1, in the series. In the essence of the role of a CISO (as in all types of C-suite or manager roles), the most important aspects what it comes down to, in my opinion, is “leadership”.

But what type of other skills/tools are needed as a CISO and why? This is today’s subject, to put emphasis on those other skills, which I believe are important for a CISO. Or one who wants to become one or one who want to improve their skills. For example, what is needed to create that roadmap? What is and why should a CISO use a “roadmap” and a “compass”? How can this type of “roadmap” be used to accomplish and reach a target destination?

TOOLS IN THE TOOLBOX
Business minded
. For me this skill translates to the ability of being able to understand and emphasize around security from different business perspectives, processes, industry verticals or horizontals. A CISO need to be able to, at least on a holistic level, understand the core components within the business processes in an organization.

By gaining understanding of the business processes this enables the possibilities for the CISO to better help the organization to for example, but not limited to, identify the information assets which are most critical and sensitive to the organization. Or to identify possible risks, related to information and cyber security, and applicable scenarios if actualized that will lead to a negative business impact. And of course, a better insight and understanding of possible threats against the organization and potential vulnerabilities.

By understanding an organization’s so called business value chain(s) provides enormous insight for an CISO. This skill for me is a blend of curiosity and analytical capabilities that is not directly something learned from a textbook. It comes more from engaging and communicating with key stakeholders and business leaders in the organization. Listening to the audience that is around you in your organization. Without the understanding of the business landscape in the organization, certain subjects and topics becomes significantly more challenging for the CISO. For example, business continuity. If there is reduced or limited understanding of the business landscape, there is also reduced and limited understanding around how an applicable and adequate business continuity plan should be crafted. Where to start, who to involve, what and how it should be tested and carried out if such a situation takes place. A business continuity plan is about the business. And it will in almost every cases have attachments and dependencies to digital capabilities, such as information systems, applications, digital capabilities, IT infrastructure and so forth. But the discipline, Business Continuity Planning (BCP) as the name says, is highly focused and connected to the business landscape within an organization. The CISO need to be able to listen, understand, communicate, and analyze how changes or initiatives in the organizations business value chains translates into information and cyber security.

NOT TO BE AN EXPERT. THE KEY IS TO “UNDERSTAND”
So, what about the technical know-how and knowledge? In my mind it is beneficial for a CISO to have a relatively good understanding of different technology domains and emerging technologies, i.e. technologies approaching in a near time and future. Let me put emphasize on this part of the sentence, “understanding”. The person does not need to be able to sit down behind the keyboard and develop exploits, configure firewalls, design networks, or shoot payloads through msfconsole (i.e. Metasploit framework). The reason for why I think a somewhat good understanding of technology for a CISO is beneficial, but not an absolute requirement in anyway, is due that it will help the person to better understand risks, threats and vulnerabilities related to the organization. Technology is today unavoidable. All business is today more or less highly dependent on technology, digital capabilities and enablement. And for this reason, which is less often spoken about, a CISO will also play a vital part in how to accelerate business opportunities. Yes, accelerate business opportunities! This is not only something (in my mind) the role of a CIO or something the role is singularly responsible of. The CISO, at least according to my own beliefs, shall also be accountable to ensure business value realization is enabled. It’s a team effort like in all types of sport. The CIO and CISO is not two dudes in opposite teams, they are and shall act as they are within the same team. They are there to help the same organization. The CISO should not, in my opinion or in any circumstances, turn into the Dilbert narrative named Mordac who strives for making information services and digital capabilities in the organization unable to be used due to all those security control implementations. But in some cases, the CISO becomes this guy. The preventer of digital enablement. The Anti-hero. Not so business oriented, but things at least from a security perspective got more secure. I’m joking here. This is not a sustainable approach. This not an adequate way of how to enable a secure and protected organization or digital value realization.


The role as a CISO is still quite new and the disciplines and skills within cyber and information security continually evolves. I think that if a CISO role is driven from more technologically focus this may lead to an amplification of less digital enablement and less business risk insight.

Through my career I have noticed that it is quite common though that the CISO role tends to become somewhat driven from an IT-centric and technocratic agenda and less from a business oriented. In some cases the CISO role unfortunately becomes a glorification of a secadmin (IT Security administrator). A technocratic and elevated extension of an IT security specialist. There is nothing wrong in doing so, going by the technocratic approach but the results will be (at least based on my own experience) suboptimal for the organization. The potential value realization for an organization will be reduced and limited due to less concentration is made on the organizations business ecosystem and strategic objectives. So why is that? Why do this keep happening? I think there is not one given answer but as in many cases within the IT industry the person considered as “best in class” within the organization when it comes to technology is believed to be the best leader. This might be the case but there is no guarantee ensuring this is the case. Another case I have come across, is that the CISO is reporting to for example the CIO, CDO, Head of IT etc. There is nothing wrong in this either, so don’t get me wrong here. But by adding a reporting layer between CISO and the board can generate reduced focus and to suboptimal decision related to information and cyber security in terms of risks. The CIO, CDO, Head of IT is more often, and should be (in my opinion), concentrated and focused around digital enablement and less focused around the application of security and risks related to the subject or the business landscape. The later part is the role of the CISO.

FROM RISK TO SUCCESS
Risks are often seen and approached as only something negative within the realm of cyber and information security.
Of course, cyber threats and attacks are not something related to a positive risk or experience but this perspective to risk within the realm of cyber and information security does not need to be the singular perspective of truth. With a somewhat good understanding from a holistic perspective of technology, and not only something that may be generating negative risks, a CISO can use the opposite side of the coin when communicating with key stakeholders and business leaders. Or to understand how the business ecosystem in the organization may enable a competitive edge within the operating industry, market, digital ecosystem etcetera. Let’s call this success, the positive effects of risk…and something that I believe should be spoke more about. I write down a scenario for how I personally, for not so long time ago, presented a certain scenario to an organizations management team. This is a part of the presentation in a verbal format, it does not include every detail from what was said but the essence is there. #Success

“To my understanding the negative risks related to <emerging technology X> may result in a scenario causing a negative effect for the organization. According the risk assessment conducted, <(consequence + likelihood) + (articulated consequences + risk scenarios)>, we as an organization have the possibility to mitigate the negative impact by taking these recommended actions <risk response & treatment options>. We will still though need to live with some risk, to accept the residual risks which cannot be mitigated, but as we as an enterprise have expansion plans to penetrate new markets and customer segments this <emerging technology X> also enables business opportunities that increase our digital transformation rate. We can accelerate business opportunities, by for example, transforming manual processes into the digital ecosystem and by doing so leverage a potential magnified market increase. We will be one of the first enterprises using <emerging technology X> in our industry and of this reason we should together contemplate around to eventually accept the risks in relevance to the identified opportunities that we as an organization can leverage on to generate a competitive edge towards our competitors. Besides the risks <R01, R02, R03, heatmap, scenarios, risk appetite etcetera> there are also success that can be achieved which will be generating further growth, increased customer satisfaction, amplified market recognition. <Presentation on-going.....>”. #Risk Management (on of the tools in the CISO’s toolkit) coupled with Success management.

 

THE DIGITAL TRANSFORMATION AND EVOLUTION
As more and more business processes and capabilities transform into the digital and cyber landscape there is a need of understanding these implications, both from a risk and success perspective. For example, how will an organization impact if the decision is taken to lift core business processes or line of business applications to the cloud? The CISO do not need to be the cloud specialist, but the person should be able to contemplate, understand, analyze and communicate potential risks, threats, vulnerabilities and opportunities related to this decision. And these risks, threats, vulnerabilities are most powerful when being communicated with a non-technical jargon or language. But, as mentioned earlier in this article, the CISO shall also be able to understand and articulate the business opportunities involved. The Success. How competitive edge can be gained. Acceleration of digital business capabilities. This is one of the reasons behind why an CISO need to have the skills and understanding for how to communicate with a board, key stakeholders, business leaders, technical leaders and other relevant stakeholders who do have and do not have a technical understanding.

Being able to tie security initiatives and projects to organizational strategic goals constructs a better understanding for why certain investments are needed, projects to be executed and investments to be sanctioned continually to security. This also enables the feature for the CISO to better craft a story, tailored and relevant with applicable analogies constructed in the language and visuals in the form of the organizations own context and language. As you may understand, I believe in the power of storytelling and see this as a great skill to master. Storytelling in general is something everyone can benefit from. But from a security perspective and based on my experience this can really be one of the key ingredients for how a message or business case is best verbalized and visualized for any type of stakeholder, board/managers/subject matter experts/individuals/organizations/employees. And this skill, storytelling, is something everyone can learn to apply and master. We all have our own stories. We all have our own memories. The feelings we felt in different scenarios. The quotes we heard from movies, history books, stories (like Alice in Wonderland) and so forth. We all get good at what we practice. And we always practice something in terms of our skills. Making powerful stories does not come by them self and appear on the power points by magic. They need to be created. And the magic superhero power behind creating the stories resides within every one of us.

LEADING BY EXAMPLE
Many things, from all the stories and plans that are created, need to be executed. Without execution, the things we create is just that. Stories and plans. We all, and especially a CISO, need to be leading by example. Pulling up the sleeves and getting things done. Creation of inclusiveness and engagement. Enablement of an open and multi-disciplinary environment. Teamwork and teambuilding. If you want to go fast, go alone. If you want to go far, go together. Create a strong team and let the team take a part in the work you as a CISO do. Include them to help you to craft the story to be told. Let them help you to better understand technologies in the organization. Let the business leaders and key stakeholders educate you and lead you in discussion regarding the business challenges, processes, and knowledge. CISO is a team effort. Do it together with the people around you and help each other out. It will become much more fun, and the effects of resilience significantly amplified and sustainable. Information and cyber security are not a single mission game to be played, it’s a team effort. Do it together. As a team!

Click the follow button on Onevinn’s or on my personal LinkedIn account to stay updated when part 3 of this series enters the internet realm.

Take a look at Part 1 here: A day at work as a CISO - Part 1