“The best way to explain it is to do it.
Chapter III. A Caucus-Race and a Long Tale, Alice's Adventures in Wonderland (1865)”
This quote says a lot. In many cases when it comes down to leadership, as a CISO or similar roles within cyber and information security or in business management, the best way to explain things is by doing. And explaining by doing is a lot more powerful than drawing those PowerPoints and strategies. Those are also needed, to set the direction on the map and point out the path for the team and the organization. But as long as there is no execution, the value realization equals close to zero. I believe in rolling up the sleeves and leading by doing. Instead of just telling others how to do it or what to do, get in there and do it together with the team. Coach your team. Lead them. But at the same time don’t be afraid of getting some dirt under your fingernails. There is so much power in “leading by example”, practicing what you preach. You don’t need to be an expert and know everything in detail, but show your team that you are there for them. That you contribute to the overall strategy by doing, not only by thinking or telling others what to do. And if there are other people on the team better suited, more intelligent, better skilled on certain tasks, it’s time to be grateful. Let them take the lead in those activities and areas where they are the experts. Let them grow beside you. Let them lead you on your common journey. So that you both grow as leaders within cyber and information security. As humans and professionals. Coaching and leading is a two-way street.
After two articles describing the importance of leadership skills, business understanding and communication skills, part 3 will exemplify the application of these skills. Skills are something that can be improved and developed if enough motivation and resources are provided.
For this article, let us use the principles below:
What goes into the different buckets, and the principles applied in terms of time frames and so forth, will vary between organizations. Above is just an example of how this form of planning can help an organization and the CISO present the “security stuff” to our stakeholders (security teams, board, management teams, leaders and key stakeholders in the business) visually, verbally and in a pragmatic and structured form. The takeaway here is to have a structured form of what is going to be done and when the value realization is expected to materialize. This will help you as a CISO understand what needs to be done and when. The resources needed. The team you have around you will see the bigger picture and understand what the destination on the horizon looks like. Having a plan that stretches over a period of time also creates sustainability. A plan also provides fantastic moments to celebrate the victories along the road, those milestones.
But before the work can get started towards the operational, tactical and strategic goals outlined, the CISO must ensure that they have management support. Yes, the management and leaders in the organization need to stand behind the CISO and support the work. If the plans are in place but there is no support for them from upper management and leaders, the execution will become troublesome. The classic pitfall of change management.
So, before we as CISOs start to execute on the operational, tactical and strategic plans, it is highly important to make sure that the following, but not limited to, is managed:
As discussed in Part 1 of this series, the current security posture of the organization will be one of those things that dictate what should be prioritized. A cyber security assessment can be a good tool to use to better understand where an organization is, where it wants to go and where it should be heading. To simplify things, what the operational, tactical and strategic activities come down to is a composition of the current state, the wanted target state of the security posture and the organization’s business goals/strategies.
Personally, I think that it is very good for a CISO to have some sort of hands-on experience from developing, establishing and implementing some of the things that are included in the crafted plan(s). This for example includes development of an information security policy, establishment of security governance, implementation of a risk management framework, conducting risk assessments, development of an information classification model, project management, development of a strategy. The list can be made longer; these are just typical examples of things that fall into the realm of cyber and information security. I do not want to say all these things need to be mastered or are a requirement on the CISO’s personal CV, BUT it will help the person to better lead the way, lead others in doing the activities, or get in there, roll up the sleeves and participate in the production of things. We are back there again, leadership. But what if there are limited resources? Not so many people around to do the things, developing and establishing the activities in the plan? In this case the plan(s) may need to be downsized to reflect the reality of what is possible to accomplish. Or the CISO needs to get into the mix, participate in the team and do some of the necessary things himself. And if applicable, gather help from external partners, consultants and networks.
In general, the role of a CISO should be more inclined towards tactical and strategic activities, but, personally and based on experience, going in there from time to time and doing the job, leading a project, engaging operationally closer with the teams/stakeholders/projects enables understanding and creates trustworthy relationships. I think most of us gain a stronger trust in those leaders who talk the talk and then walk the walk: “The best way to explain it is to do it.”, as mentioned in the prologue. Alice in Wonderland has the answers to many of the CISO’s questions. One only needs to decipher them accordingly.
What are these types of things and why are they even important? It’s a good question to ask and something that I also feel needs to be explained and put in context. The CISO role should be, as mentioned in all parts of this series, driven mainly from a business perspective. The tactical and strategic things, in terms of activities, should be strongly business related in my opinion. They should clearly align with the business goals and strategies. (This statement is true for the operational stuff as well.) This for example could include improvement of the organizational security culture by integrating security within business processes supporting the employees, customers and external parties (partners, vendors et cetera). Or, enabling a stronger security culture within the organization by ensuring relevant measures are cascaded within all levels, horizontals, verticals and processes. Establishment of security metrics, performance indicators and key performance indicators correlated to key risk indicators. In the best of worlds, the organization’s leadership team(s) and board should be leading by example when it comes to security. Dictating the importance of security. Communicating how important it is for the organization. But the CISO cannot assume this is or will be the case. As a tactical and strategic objective, the CISO needs to, in one way or another, educate and enlighten the leadership team(s) within the organization about the importance of security. If you as a CISO do not have the leadership behind you, there is an uphill climb to be made. You need to have them in your corner. Tell them the story about security that you have crafted together with your team. Educate them by leading them in the right direction. Be there to support them in decision-making. Listen to the language they speak. Ask them questions. Invite them to the table. Create these relationships. Build trust.
Form the plan. And show them how the different things on that plan (operational, tactical and strategic stuff) aggregate and relate to the business goals. I’m not saying this is easy. I’m not saying this is hard. I’m just saying this is the way forward.
“No, no! The adventures first, explanations take such a dreadful time.
Chapter X. The Lobster-Quadrille, Alice's Adventures in Wonderland (1865)”
The adventures need to wait. Explanations need to come first. Help your stakeholders within the organization to understand that the time to form a common understanding, if this is not already formed, around why security is important is a common investment for the organization. This is key before the adventure can start to take place. There are of course quick wins that can be gained in the meantime. Security is a marathon, it’s not a sprint. It is not about putting a check in the box and then saying “Ok, we are safe now.” It doesn’t work that way. There is no vaccine that prohibits bad things from happening or keeps those bad guys out there away.
“I don’t see how he can ever finish, if he doesn’t begin.
Chapter IX. The Mock Turtle's Story, Alice's Adventures in Wonderland (1865)”
Everything needs to start from somewhere. A plan needs to be crafted in some sort of form. The first pencil strokes may be the hardest or most challenging. Start with the quick wins, maybe? Those things which build confidence and quickly provide positive effects for the organization’s security posture. Showcase the effects, in terms of how they better secure the business, to your stakeholders. Have a dialogue with the board and leadership team to conduct a security assessment to identify the current and wanted state of the organization’s security posture. From there, form a plan of activities which are prioritized and categorized. Tie the activities and initiatives to business goals and the organizational strategy. Do this with help from the key leaders and business units. Craft the story together with your team. Lead when there is a need to lead. Let others lead you when there is a need to be led. Do the things together. Strive for resilience. Increasing protection. Having fun. And help each other. CISO is a team sport.
Lewis Carroll, thank you for the amazing story written about Alice in Wonderland. I truly love it. In so many ways. The quotes, narrative, structure, characters. It is a legendary English masterpiece novel from 1865. Maybe Alice will say hello again in the future and be a part of my storytelling again? But for now, the CISO story is over. Thank you all for reading, sharing and liking the writing!
Read about Part 1 here: A day at work as a CISO - Part 1
And Part 2 here: A day at work as a CISO - Part 2