Mike Czumak



Introduction

I’ve had the amazing opportunity and privilege as a CISO to lead a team charged with designing, managing, and growing a successful security program. I realize that many don’t get the opportunity to design a security program from scratch and I’ve learned a lot along the way so I wanted to create this series of posts to share that knowledge. I don’t have all of the answers and the approach I took is certainly not the only viable one – but whether you’re tasked with building a brand new security program, re-factoring an existing program, or simply looking for some ideas for your own program, I hope you find some of this useful.

I’m going to start the series covering the absolute basics, so this first post may seem very simplistic, but stick with me because I will build on this with future posts, covering topics such as program metrics, defining and measuring risk, staffing, and other key aspects of designing (or improving) a security program.

Today I’ll cover:

  • A brief background on how I became a CISO
  • Positioning security for success in the organization
  • Forming a leadership team
  • Finding your “Why”
  • Having a clear Mission statement

In the next post we’ll dive into some of the more tangible activities of scoping and organizing your program.

A Little Background

About ten years ago I was ending my military service and I accepted a position at a world-class healthcare organization in its Information Security office. InfoSec was a relatively new function and was very much seen as an “IT thing”. There were only about five of us, including my boss, who reported to an IT director who reported to the CIO. At the time there were some basic policies in place, a spreadsheet-based risk matrix and some fundamental security technologies (e.g. firewalls, web proxies, data loss prevention, vulnerability scanning, etc.). I give them a lot of credit, as that small team had accomplished a lot in a very short timeframe, but there was much to do!

Over the next few years I did anything I could to help position the security function for success by helping design and implement capabilities around incident response, risk assessment, penetration testing and policy management. I spent just as much time on the technical aspects (leading the forensics and penetration testing functions) as I did on building out the supporting policies and processes. We didn’t have a lot of resources but we had a dedicated team and we were making great strides.

About four years in, we were still a very small group with a fairly limited scope to match our capacity. At that time my boss made the decision to take an opportunity elsewhere and I was offered his position. This was certainly a great opportunity to help take the security program to the next level at a world-class organization.

Positioning The Security Program for Success

There is a recurring dialogue in the industry about where the Infosec/Cybersecurity function should be positioned in the organization and who it should report to. There are certainly approaches that I think can hinder the success of a program regardless of the organization, but I don’t think there’s a one-size-fits-all model. It can depend greatly on the culture, the leadership, and the intended function of the security program. Reporting through an IT function tends to keep the focus on the technology, which may limit the perspective of what a robust security program should involve and cause it to compete with other IT priorities (vs. other strategic enterprise risk functions). At the same time, in a highly structured organization, it may be less important which function it reports to (IT vs. Compliance vs. Operations vs. Legal) and more important which layer of the organization it resides in (is the CISO positioned as a peer of other key strategic leaders in the organization?). [Perhaps a topic for a future post.]

Based on what we had observed over the preceding five years, we felt that if the Information Security function remained multiple layers down in the IT organization, it would be unnecessarily difficult to influence the rest of the organization.

When having these conversations, I think it’s important to make your intentions and reasoning very clear. Nothing about the request to reposition the security function was based on personal titles or compensation. If that’s your motivation, I would suggest you’re doing it for the wrong reasons. In our case, our objective was to elevate the function and the team to a perceived position of importance (relative to other functions) that would overcome some of these challenges.

I will say there are certainly ways to overcome positional authority constraints, though sometimes they can just make things unnecessarily difficult. If you’re considering taking a security role that you believe is positioned so low in an organization that it will negatively impact your ability to partner with other senior leaders or have the level of influence you think you’ll need to be effective, you may need to have that conversation (or reconsider taking the role if you feel the organization doesn’t place the necessary level of importance on the function in the first place). Of course, no matter where it’s positioned, it’s up to you to capitalize on that by demonstrating value.

Fortunately for us, we had a great leadership team who was in agreement that security needed to be repositioned and I was entrusted with the first-ever VP & CISO position, reporting to the CIO. We would have our own budget and significantly greater scope and responsibility. We were up to the challenge of transforming what we had at the time (which was not very structured or strategic) into an organized, mature, and high performing security program befitting a world-class organization. So where to begin?

Forming A Leadership Team

If there was one thing I knew by that point in my career, it was that I would need to surround myself with talented people to help develop and lead the program. I can’t stress the importance of this enough. While you may have a vision, tons of ideas, and sound leadership qualities, you can’t do everything alone. Without a great team, that vision will go unseen, the ideas will go unrealized, and there will be no one for you to lead. Also, in my experience, collaboration and diversity of thought are so important when it comes to turning good ideas into great ones. In those early days, I spent many hours in front of my whiteboard coming up with ideas that I thought were great, only to radically change or discard them after a collaborative session with my team.

Do yourself a favor and surround yourself with people that aren’t afraid to challenge your bad ideas and make your good ideas even better. And be sure to establish an environment where they feel safe and empowered to do so – and that you’re humble enough to listen to them! Seek out people that are excited about change, that aren’t satisfied with the status quo, and that are willing to invest the time and effort it would take to build a brand new security program.

I’ve called it a “leadership team” because in our case, each of these individuals assumed leadership positions in the department and we built functions around their skillsets (more on that in a later post) but you don’t necessarily have to call it that or even limit this team to just other functional leaders. The size of this team may vary too. Keep in mind I’m not talking about growing your entire Information Security department – for us that would take some time because we were basically starting from scratch. But in the interim I needed that collaborative team of highly invested people that I could brainstorm ideas with and quickly turn those ideas into reality. Even as our department grew (and with it, some wonderfully diverse perspectives and ideas), I found it very important to have this consistent core leadership team to lean on.

I must admit, I was fortunate because even though there were only a handful of people on the team at the time, I had three very smart, capable, and motivated people that I knew could help me design and implement this program if they were afforded the opportunity. They had differing interests and skills, and each brought something unique to the equation. I also had the added benefit of having worked alongside them for several years so I knew each of their strengths. Keep in mind, no one on the team had ever built a security program from scratch before, but I knew each of them would bring their own value to our program. More importantly, all three were invested in making it a success. As such, the four of us would become the core leadership team.

I realize that not everyone stepping into a new role will be fortunate enough to know their team as well as I did. But I’m also a big believer that as long as they’re motivated, the key to unlocking someone’s potential often lies with finding something they are good at and passionate about, and giving them an opportunity to contribute. If you’re new to a team, get to know each person. Identify their strengths and interests and seek out those individuals that are motivated to contribute and empower them to do so.

Finding your “Why”

It’s also important to identify the guiding purpose of your program. Whether you’re starting a brand new Information Security program or inheriting an existing one, I strongly advise you start with the “Why”. If you’re looking for some inspiration or guidance, here are some resources:


And, if you’d like to see an example of the exercise I went through to develop my own personal Why, please see this post

As Simon Sinek says, people don’t invest in what you do, they invest in why you do it. This is especially true for Information Security. If you think the average employee is going to get excited about your phishing awareness efforts or identity management initiative, you’re likely to be disappointed. User engagement is a topic that interests me very much and you can expect at least one future post devoted to the topic, but for now I’ll just stress that if you want people to care about what you do, you need to connect with them in some meaningful way and demonstrate your value. There are multiple ways to do this, but starting with a clear, relatable purpose can go a long way.

Our security program’s Why is centered around how we’re contributing to the success and Why of our organization. Yours will be different and should reflect the purpose and culture of your own organization. If you can’t explain the Why and get your stakeholders invested, it will be more difficult to inspire a team to follow you or convince your employees to modify their behavior through awareness activities. Just as important, you should also align what you do in your program with your Why.

This is one of those things that I wish we had spent a little more time on in those early days of designing our program. That’s not to say we didn’t think about our purpose. In fact, being in healthcare, we were absolutely focused on our role in ensuring the safest and best patient outcomes. We knew we were there for a purpose much larger than security, but we didn’t take the time to develop, document, and test our Why statement. Instead, we went right into forming our mission statement. While the latter is still very important, in retrospect I think the lack of a clearly defined Why statement made it more difficult to clearly communicate our purpose, and I fear we may have missed opportunities to actively engage our stakeholders. So learn from my experience and seriously consider defining your Why!

Defining a Mission Statement

One of the other things we did very early on was answer the question, “What is our Mission?” It sounds simple at first, but we wanted a guiding Mission statement that would align with our purpose, help shape our program design, and influence the initiatives we undertook. In other words, we needed to answer the question, “What exactly are we here to do?”

Perhaps you’re walking into an established program and the answer to that question is very clear, or perhaps, as in our case, you have an opportunity to define it. Either way, you should be sure that as you develop your mission statement, it aligns with organizational needs.

As with many security programs, it was clear to us that we were tasked to PROTECT the organization. As a healthcare organization, first and foremost that meant protecting our patients. But it also meant protecting the valued members of our workforce and the organization’s other assets and strategic interests.

While protection (and all of the things associated with it) was key, we also knew that in order to provide true value to our organization, we had to go beyond just protecting…we had to find ways to ENABLE it to achieve its strategic objectives. At the time we were definitely not viewed as an enabler and frankly, we hadn’t done a lot to demonstrate that we were. There were still people in the organization that had no idea our department existed and many others simply saw it as a blocker. I will definitely have a future post on my thoughts and experience on how Information Security can serve as an organizational enabler, as well as the key role user engagement can play in a security program’s success, but for now we were intent on making it a core part of everything we did.

So after some great brainstorming sessions, we came up with the following mission statement:

To PROTECT our patients, workforce, and organization and ENABLE [org name] to achieve its strategic objectives by developing and managing a comprehensive, predictive, and innovative information security program.

I’m sharing this not because I think it’s the best mission statement ever, but rather as an illustrative example of what went into our thought process and to demonstrate that this was more than just a series of words strung together. If you look at the statement, there’s a bit more to unpack there besides just “protect” and “enable”. We included the word “comprehensive” because we knew our program needed to expand considerably in scope … going beyond just “IT security”, serving the entire organization, considering all relevant threats, etc.

We intentionally chose the word “predictive” over proactive, because while we certainly wanted to move beyond the reactive space that we had largely occupied up to that point, our goal was to challenge ourselves to stay as far ahead of threats as possible.

We also wanted to find ways to “innovate” by finding new ways to tackle old problems and introduce solutions that may not have been considered in the security space before.

Our goal was to consider this mission statement in everything we did and communicate it widely in a way that it would also serve as our “brand”. To do so, we came up with a more succinct “tag line” by boiling it down to two words: Protect. Enable. These two words would become part of our common vernacular and would be added to all of our promotional and awareness materials (t-shirts, mugs, etc.). I’ll have more on developing an awareness program in a later post, but in our case, that mission statement played a role in the way we talked about security. This mission statement was also important because it would serve to guide and validate our program’s projects and initiatives, and we would develop program goals to align with it.

What’s Next?

Now that we had a core leadership team and a defined mission statement, it was time to start scoping and organizing our security program to define what we were actually going to do to execute on our mission statement. That’s a pretty detailed topic so I’ll delve into that in my next post and discuss what an effective security program might “look like”.

I realize to some, this first post may have seemed to be focused on the “softer” topics, but I strongly believe people and purpose are foundational to any good security program and thus, very important to devote attention to early. Don’t worry, we’ll get to some very practical topics like budgeting and risk management frameworks soon enough!

So stay tuned for more in this series. In the interim, I enjoy connecting with and learning from others, so reach out to me on LinkedIn and Twitter.
