Alex Stamos, former CSO at Facebook and Yahoo, perhaps summed it up best when he said, “It’s kind of a crappy job to be a chief security officer” because “it’s like being a chief financial officer before accounting was invented”. The absence of an executive playbook and the lack of a universal language for communicating with the business can be overwhelming. But while working in cybersecurity I’ve observed a few structural differences that elevate some teams ahead of the rest; there are recurring things those teams do that have made them more successful.
The first thing to say is that structure isn’t about job titles. Nor is it about technical specialists (more on that later). This is about a few key roles in cybersecurity teams that I’ve seen deliver transformational effects.
A cybersecurity leader
This is the strategic cybersecurity leadership position in an organisation and is ultimately responsible for cybersecurity performance. The leader (usually the CISO) needs to think bigger than preventing or managing the next incident; they must formulate a plan that articulates where the organisation is now, where it wants to be and how to get there.
They are responsible for building digital resilience across all critical business functions. With the average tenure of a CISO often less than two years, it appears many organisations are over-emphasising the operational aspects of cybersecurity and not placing enough value on retaining a custodian to look after the long-term interests of the organisation. The CISO needs to address several resilience and team performance areas, such as:
• Developing the organisation’s digital resilience capabilities into a performant structure.
• Continuously adopting the best from others while creating the team’s own standards to achieve the vision.
• Contributing back to the cybersecurity community and raising professional standards.
The CISO reporting line is debated frequently, and a lot has been said about the conflicts of interest in reporting to a CIO. But the common success factor I’ve seen is whether messages reliably reach the board in terms that they can understand and objectively assess. In this sense, it is important that cybersecurity is communicated in the context of business performance and other operational risks. At the same time, the board’s role in providing oversight of, and challenge to, the CISO and their team is critical (see Non-Executive Director).
This is someone responsible for promoting the use of facts to make better decisions. The role focuses on data and evidence, whether at the technical and tactical level of security operations and application development, the operational level of risk management, or the strategic level of governance, technology strategy and resilient business performance. At every level of the business it is rare that non-security people care about security arguments, so this role needs to be expert at translating between data and technology specialists and the business context. When collected, wrangled and analysed, data can provide tactical, operational and strategic benefits. Figure 1 illustrates how high-quality intelligence supports decisions by matching data and intelligence products to the complexity and time horizon of the decision-maker.
As Alex Stamos’s quote implies, cybersecurity is a field fraught with disorder. Intervening in this disorder requires sense-making and planning skills that cover the organisation’s technologies and anticipated threat activity. Through the development of integrated frameworks, a security architect aligns all the cogs of organisational development. A word of caution: a significant part of cybersecurity is the chaos and complexity driven by both incidents and our organisations’ pace of change, so what is known and what can be anticipated becomes less obvious. The best architects drive more of the cybersecurity team’s work into ordered structure and automation for expected events, while also increasing the organisation’s capacity to tolerate the unexpected.
Leading teams recognise that behavioural psychology skills are crucial to cybersecurity, because the systems we defend are made of both people and technology. This role shapes the way the team acquires, develops and maintains the right information security skills. A process and programme for learning and development is crucial, not just for the team members but for other teams throughout the organisation.
Apart from embracing modern behavioural science, a common target of successful organisations is to resolve the dissonance between work as imagined by the cybersecurity team and prescribed in its policies, and work as actually done by the business. There will be gaps (see figure 2), but with some humility, and by aligning policy to business performance objectives and constraints, there is potential for transformational change. This in turn drives the culture and behaviour of the cybersecurity team, and their acceptance within the wider organisation.
Non-Executive Director (Cybersecurity)
Boards already appreciate the value of including someone who is expert in something they consider critical to their future success. The non-executive role is still rare in cybersecurity, but it makes sense to have someone who acts as an independent bridge between the board and the information security team. This role may involve:
• Ensuring the board continually reviews how the cybersecurity strategy is being delivered and looks for ways to help those tasked with delivering it.
• Assembling a committee to meet with the CISO and advise on team and performance. The purpose is to support the CISO in navigating internal teams, regulators, suppliers and threats, not to put pressure on them.
The benefit of this role is having someone grounded in disciplined cybersecurity fundamentals who is not embroiled in the politics of the organisation.
A NOTE ON SPECIALISTS
How often have we seen cybersecurity job specifications with a long list of every possible cyber skill set? High-performing cybersecurity teams have technical depth. However, designing and implementing secure, resilient systems (infrastructure and applications) requires different technical know-how from that needed to efficiently and reliably detect, triage and respond to incidents (SecOps). These disciplines are supported by cybersecurity governance, risk analysis, stakeholder engagement and the anticipation of threats, all of which should also be treated as specialist skills.
FINALLY - LEADERSHIP
We can talk at length about structures and specialisms, but, ultimately, it’s human relationships that count most of all. A common thread in a security team’s success seems to be mindset rather than skillset. This mindset involves having an expansive view, understanding how relationships improve risk management, and being eager to grow others and the cybersecurity community. Ultimately it is about being the relentlessly energetic force the enterprise needs for transformational change.