
Henrik Parkkinen 17 Jun 2022

A day at work as a CISO - Part 3

“The best way to explain it is to do it.

Chapter III. A Caucus-Race and a Long Tale, Alice's Adventures in Wonderland (1865)”

This quote says a lot. In many cases when it comes down to leadership, as a CISO or in similar roles within cyber and information security or in business management, the best way to explain things is by doing. And explaining by doing is a lot more powerful than drawing those PowerPoints and strategies. Those are also needed, to set the direction on the map and point out the path for the team and the organization. But as long as there is no execution, the value realization equals close to zero. I believe in pulling up the sleeves and leading by doing. Instead of just telling others how to do it or what to do, get in there and do it together with the team. Coach your team. Lead them. But at the same time don’t be afraid of getting some dirt under your fingernails. There is so much power in “leading by example”, practicing what you preach. You don’t need to be an expert and know everything in detail, but show your team that you are there for them. That you contribute to the overall strategy by doing, not only by thinking or telling others what to do. And if there are other people in the team better suited, more intelligent, better skilled on certain tasks, it’s time to be grateful. Let them take the lead in those activities and areas where they are the experts. Let them grow beside you. Let them lead you on your common journey, so that you both grow as leaders within cyber and information security. As humans and professionals. Coaching and leading is a two-way street.

APPLYING THINGS INTO PRACTICE

After two articles describing the importance of leadership skills, business understanding and communication skills, part 3 will exemplify the application of these skills. Skills are something that can be improved and developed if enough motivation and resources are provided.

Something that I find very useful, in my own profession and in my assignments where I have acted as a CISO, is to form a roadmap dividing activities/projects/tasks etcetera into operational, tactical and strategic categories. This may be something that is totally obvious to most, but many organizations out there unfortunately lack this type or a similar form of structure. Everything they do, regardless of whether it is an operational, tactical or strategic thing, is put into the same bucket. Nothing wrong with doing so, but all activities/projects/tasks etcetera within an organization are not equally weighted or of the same character. Sorting and structuring things into stringent forms provides not only a structure. It also enables us to better develop a long-term plan. Something sustainable to work towards.

For this article let us use the principles below:

  • OPERATIONAL – things that are done on a daily/weekly/monthly basis and contribute to an increased security posture for the organization more or less directly. These things can for example be classification of information, data protection, ongoing risk management activities, security control maintenance. The day-to-day stuff. Some of these things are also, as I see it, related to security hygiene. Nothing fancy, just those things that shall and need to be there. Plain and simple.
  • TACTICAL – things that are done on a less frequent basis but have as a goal to enhance the organization’s security posture within a time frame of, let’s say in this example, approximately 12 months. These things are typically projects conducted over a more stretched time frame of months or beyond. The value realization is not immediate but is a result of sanctioned resources conducting the work during longer periods of time. These things can for example be development of a security policy, construction of a risk framework, implementation of security awareness, education of staff members, third-party risk assessment frameworks.
  • STRATEGIC – things that are done within a relatively long time frame to enhance the organization’s security posture in the long run. The value realization is estimated to be realized within a time frame of 12 to 24 months or beyond. This for example includes re-engineering of the information security landscape, establishment of security governance, implementation and development of security practices, running a security improvement program. These are the things that require more stamina and persistence.

What goes into the different buckets and the principles applied, in terms of time frames and so forth, will vary between organizations. The above is just an example of how this form of planning can help an organization and the CISO to present the “security stuff” to our stakeholders (security teams, board, management teams, leaders and key stakeholders in the business) in a pragmatic and structured form, visually and verbally. The takeaway here is to have a structured form of what is going to be done and how the value realization is approximated to be actualized. This will help you as a CISO to gain understanding of what needs to be done and when. The resources needed. The team you have around you will see the bigger picture and understand what the destination on the horizon looks like. Having a plan that stretches over a period of time also creates sustainability. A plan also provides fantastic moments to celebrate the victories along the road, those milestones.

AND NOW WHAT?

But before the work can get started towards the operational, tactical and strategic goals outlined, the CISO must ensure that management support is in place. Yes, the management and leaders in the organization need to stand behind the CISO and support the work. If the plans are in place but there is no support for them from the upper management and leaders, the execution will become troublesome. The classic pitfall of change management.

So, before we as a CISO start to execute on the operational, tactical and strategic plans, the following points (but not limited to these) are highly important to make sure are managed:

  • Ensure stakeholders understand the information, cyber and IT security plan and how the initiatives/activities/projects etcetera relate to the business strategy.
    • When forming and crafting the overall plan for the organization, construct it in such a way that it clearly shows how operational, tactical and strategic initiatives within cyber, information and IT security relate to the business strategy. For example, one of the organization’s business goals is to improve time to market and to customers, which implies that digital enablement will be on top of the agenda for the coming 36 months. The organization will sanction loads of dollars in the digital strategy to lift and shift several key capabilities to their next level, which will contribute to the strategic goal, i.e. “speed to market and customers”. To support this business initiative the organization will apply a cloud first strategy, along with other initiatives from other business units. A cloud first strategy will most certainly lead to the organization increasing its risk exposure from a third-party perspective: supply chain attacks, misconfigurations etcetera. For this reason the CISO can, very easily and pragmatically, explain why third-party risk management (but not limited to that) from a cyber, information and IT security perspective needs to be one of the organization’s strategic goals. There is a clear alignment between the business goal of improving time to market and to customers, the digital enablement strategy and the cloud first principles. Tying these things together, as described, makes total sense for the CISO. This also makes it easier to articulate and present a story for the leadership team(s) and the board on why certain security initiatives need to be sanctioned and conducted. Create the story and tie the things together. This will make the story clearer and easier for everyone to understand. Security does not exist or operate in a vacuum; it is there to support the organization.

  • Information, cyber and IT security is something important for the organization that needs continuous investments to be sanctioned.
    • Frame the message so that the resources, monetary and human, that the organization you are helping with cyber, information and IT security provides are seen as an investment. It shall not be seen as a “cost” in my opinion. It is an investment to ensure potential negative risks are responded to with adequate treatment options in relation to the organization’s security posture and risk appetite. A CISO needs to have the adequate resources in place to enable the value realization of the initiatives and plans applicable for the organization. There needs to be a team. And a team is a composition of people who have time to work together to achieve the desired goals. Unfortunately, at many organizations IT and security are still seen as a cost center. I get that to some point. If IT is not the “core” service provided to the customers, one can argue that it is a cost or “just” an enabler. But at the same time, digital enablement is not a fluke or something that will fade away. The transformation and evolutionary process of digital and security are just in the beginning phases. In my opinion, the sooner IT, digital and security are seen as investments, the more the value realization will increase and be sped up. “Internet is just a hype”. Nope, neither the internet nor security is a fluke. That is not the case…and will never be.

  • The stakeholders (board, business leaders and management team(s)) need to help you as a CISO in the realization of the operational, tactical and strategic goals related to information, cyber and IT security.
    • The leaders (formal and informal) in the organization need to help you as a CISO out. Ensure you have them in your corner. Form relationships built on trust. Lead the way, pull up the sleeves and show them how the work is done. Teamwork is key! Inclusiveness is the thing. Develop a team that supports you. Articulate what type of help you may need from your team. Is it for example communication of security policies, procedures and guidelines? Propagating security awareness? Leading by example? The power of security will be greatly amplified if the leaders, formal and informal, within the organization are helping you to propagate the messages. The leaders are there to communicate why security is important. The trajectories of a leader’s behavior can be huge when it comes to the positive downstream effects. This shall not be underestimated! Think about it. If the CEO of a big and popular company would stand there on the front line, dictating how important cyber and information security is. What would this say about the organization? What would this say about investments within security for that organization? What kind of message would this send out? I can think of one specific word. Trust. It would create a feeling of trust. “These guys led by that CEO take security seriously.” And we are all leaders in one way or another. A title is great but that doesn’t make one a leader. But those with a great title, they have the responsibility to act accordingly. Security is not something about IT technologies. It is something that is about the organization. About the business landscape. It should be there, among the top of the highest priorities for every organization and their agenda. It is those, the board and CEO, who are ultimately responsible for the security. And a CISO is there to help them out. So that we together can make the organization safe by increasing the security posture and alignment towards the risk appetite. Communicate and establish those trustful relationships. Help each other and do it together.

WHERE TO GO FROM HERE

As spoken about in Part 1 of this series, the current security posture of the organization will be one of those things that is going to dictate what should be prioritized. A cyber security assessment can be a good tool to use to better understand where an organization is at, where they want to go and where they should be heading. To simplify things, what the operational, tactical and strategic activities come down to is a composition of the current state, the wanted target state security posture and the organization’s business goals/strategies.

Personally, I think that it is very good for a CISO to have some sort of hands-on experience from developing, establishing and implementing some of the things that are included in the crafted plan(s). This for example includes development of an information security policy, establishment of security governance, implementation of a risk management framework, conducting risk assessments, development of an information classification model, project management, development of a strategy. The list can be made longer; these are just typical examples of things that fall into the realm of cyber and information security. I do not want to say all these things need to be mastered or are a requirement to be on the CISO’s personal CV, BUT it will help the person to better lead the way, lead others in doing the activities or get in there, pull up the sleeves and participate in the production of things. We are back there again, leadership. But what if there are limited resources? Not so many people around to do the things, developing and establishing the activities in the plan? In this case the plan(s) may need to be downsized to reflect the reality of what is possible to accomplish. Or the CISO needs to get into the mix, participate in the team and do some of the things necessary himself. And if applicable, gather help from external partners, consultants and networks.

In general, the role as a CISO should be more inclined towards tactical and strategic activities but, personally and based on experience, going in there from time to time and doing the job, leading a project, engaging operationally closer with the teams/stakeholders/projects enables understanding and creates trustworthy relationships. I think most of us gain a stronger trust in those leaders who talk the talk and then walk the walk: “The best way to explain it is to do it.” as mentioned in the prologue. Alice in Wonderland has the answers to many of the CISO questions. One only needs to decipher them accordingly.

 

STRATEGIC AND TACTICAL THINGS

What are these types of things and why are they even important? It’s a good question to ask and something that I also feel needs to be explained and put in context. The CISO role should be, as mentioned in all parts of this series, driven mainly from a business perspective. The tactical and strategic things, in terms of activities, should be strongly business related in my opinion. They should have a strong correlation to how they clearly align towards the business goals and strategies. (This statement is true for the operational stuff as well, though.) This for example could include improvement of the organizational security culture by integrating security within business processes supporting the employees, customers and external parties (partners, vendors etcetera). Or, enabling a stronger security culture within the organization by ensuring relevant measures are cascaded within all levels, horizontals, verticals and processes. Establishment of security metrics, performance indicators and key performance indicators correlated to key risk indicators. In the best of worlds, the organization’s leadership team(s) and board should be leading by example when it comes to security. Dictating the importance of security. Communicating how important it is for the organization. But the CISO cannot assume this shall be or is the case. As a tactical and strategic objective, the CISO needs to, in one way or another, educate and enlighten the leadership team(s) within the organization about the importance of security. If you as a CISO do not have the leadership behind you, there is an uphill climb to be made. You need to have them in your corner. Tell them the story about security that you have crafted together with your team. Educate them by leading them in the right direction. Be there to support them in decision-making. Listen to the language they speak. Ask them questions. Invite them to the table. Create these relationships. Build trust.
Form the plan. And show them how the different things on that plan (operational, tactical and strategic stuff) aggregate and relate to the business goals. I’m not saying this is easy. I’m not saying this is hard. I’m just saying this is the way forward.


“No, no! The adventures first, explanations take such a dreadful time.

Chapter X. The Lobster-Quadrille, Alice's Adventures in Wonderland (1865)”

 

The adventures need to wait. Explanations need to come first. Help your stakeholders within the organization to understand that the time to form a common understanding, if this is not already formed, around why security is important is a common investment for the organization. This is key before the adventure can start to take place. There are of course quick wins that can be gained in the meantime. Security is a marathon, it’s not a sprint. It is not about putting a check in the box and then saying “Ok, we are safe now.” It doesn’t work that way. There is no vaccine that prevents bad things from happening or keeps those bad guys out there away.

 

EPILOGUE

“I don’t see how he can ever finish, if he doesn’t begin.

Chapter IX. The Mock Turtle's Story, Alice's Adventures in Wonderland (1865)”

Everything needs to start from somewhere. A plan needs to be crafted in some sort and form. The first pencil strokes may be the hardest or most challenging. Start with the quick wins, maybe? Those things which build confidence and quickly provide positive effects for the organization’s security posture. Showcase the effects, in terms of how they better secure the business, to your stakeholders. Have a dialogue with the board and leadership team to conduct a security assessment to identify the current and wanted state of the organization’s security posture. From there, form a plan of activities which are prioritized and categorized. Tie the activities and initiatives to business goals and the organizational strategy. Do this with help from the key leaders and business units. Craft the story together with your team. Lead when there is a need to lead. Let others lead you when there is a need to be led. Do the things together. Strive for resilience. Increasing protection. Having fun. And help each other. CISO is a team sport.

Lewis Carroll, thank you for the amazing story written about Alice in Wonderland. I truly love it. In so many ways. The quotes, narrative, structure, characters. It is a legendary English masterpiece novel from 1865. Maybe Alice will say hello again in the future and be a part of my storytelling again? But for now, the CISO story is over. Thank you all for reading, sharing and liking the writing!

 

Read about Part 1 here: A day at work as a CISO - Part 1
And Part 2 here: A day at work as a CISO - Part 2