Stepping into the management role can be a daunting task. In this article I will do my best to explain how my experience has been as a Chief Information Security Officer (“CISO”).
The management role
OK, you have to face it, you are no longer the security techie nerd that can dig yourself into a bunch of logs for several days at a time. You are now expected to make plans for the time ahead, perform risk assessments and figure out where the business is in terms of security. You are expected to own the security area, and have clear and concise plans on how to bring the business further.
This task can seem daunting at first, however you should be up for the challenge if you have been accepted into such a position.
Being a part of the management also means you should try to be visible, show commitment and have confidence in the plans ahead. Security is a lot more than just technical speeches and finding out which boxes to buy. A very big aspect of the job is spreading security awareness, and in order to do this you have to be at least somewhat of a people person! Over my engagement so far, I’ve listed a few things that will help me stay visible:
- Don’t bunker in your office all day. Get out there, and get chatty! Open your office door and the blinds on the windows.
If people see you as an open person, you lower the bar on coming to talk with you regarding security issues. Who do you think knows the most about the current security landscape, the employees or your firewall? Overall you want employees to consider you as someone they can trust when disclosing security issues. You do not want them to feel like they are going to the police, reporting some offense, and risk being jailed themselves.
- Talk to people and introduce yourself and your work. Show your enthusiasm regarding your work, and explain why security is such an interesting field of work. If you can get them infected with your own enthusiasm, you will have a very positive epidemic on your hands. Remind the employees that “providing good security is providing good service”!
- Encourage employees to come talk with you, especially regarding security concerns and issues. Let them know that you are a person they can talk privately to, between 4 walls and 4 eyes. You should not be hard to reach.
- Stay visible by sending out monthly newsletters. The OUCH! newsletter from SANS (www.securingthehuman.org) is perfect for this. Remember that each newsletter is a perfect chance to reinforce security policies and encourage staff to talk with you, or to report security issues.
Another important thing is that you should be really careful not to be too hands-on in your role. Security should be baked into the business processes as naturally as possible, not something everyone points at, expecting it to fix itself! Implementing security this way, the proper way, is a truly challenging thing, as many people in your organization may think that you are here to solve things for them. As a rule of thumb, and an analogy to security work, I’ve always said to myself: “You’re not the dust boy, cleaning up after everyone else. Instead of cleaning up the kitchen chef’s spill, you must teach them how to properly work the kitchen. You’re here to help them make better food, prevent spill and help them clean up after themselves.”
When people approach me saying “Hey Chris, you’re a security guy right? I have this thing…”, I interrupt them immediately. I tell them that I am not the only security guy, you are one too! The business expects it from you, and we really need to stay security aware today! Security is not something we point at, but something that should be incorporated.
Reporting – Don’t be a victim of the security roller-coaster
If you do your job perfectly, management will never have any security issues to be concerned about, and everything should be great, right? You’ll get the budgets you want, increase your team size and be in a secure position at the firm!
No, not really. If everything is great, all the time, you will have less of a chance to defend your budget, position and team! Why? Because no one will know about all the great stuff you accomplish every day while defending your organization. Remember that hacker your team stopped, but you didn’t bother to take credit for? Well, unless you explicitly let your organization know about this, they won’t know about it, and so the possibility arises of the leadership thinking your position may be surplus.
But hold on, I am not saying that you should have something bad happen to you, so you can be the white horse vigilante who swoops in and saves the day. No, to the contrary, you should do what many security leaders don’t do: report on all the stuff you actually accomplish every day! Report on security events hitting your firewall and IDS, the script kiddies you’ve stopped and viruses blocked. Most likely you are being attacked all the time, perhaps several times a day, but your team, security solutions and budget are managing to fend it off. You need to report on this!
So, what is this security roller-coaster? The idea is that if you don’t report on all the great stuff you are providing the business with, you may be the victim of budget cuts and lay-offs. If upper management gets the indication that everything is so perfect, they may get the idea that they don’t need a designated security department. While you may advocate for increased security budget to win the war, they may instead cut it. They may even dispose of your position because everything is so great!
If they decide to run without your position and your team, they will probably fall victim to a compromise during the months to come, and hiring a new CISO may then be their decision. This is the roller-coaster effect. You go up, things are looking nice, then you come down.
Remember that the business has made an investment in you. They want a security manager who makes sure they don’t get compromised, or in some way get bad media for having poor security. You have to report on all the great things you do every day to accomplish this. Make sure they know you are a good investment!
Want to become a CISO?
These are my thoughts to any aspiring CISOs out there. Be sure to know what you are going for. This is not necessarily a techie position, however you are mostly making up your own days. It is important to know you are expected to focus on business and strategy, leaving less open time to do hands-on technical stuff (which so many of us love!).
You must also expect to do a lot of paperwork. Security decisions should be anchored in policies which can be easily referred to. In many cases these policies need to be properly approved by the organisation’s management, so be ready for some paper shoveling. Another thing on paperwork is that you will probably be working on some form of Information Security Management System (“ISMS”). Usually these frameworks require a great deal of documentation to successfully implement. Don’t feel discouraged by this though, as you will most likely find it very rewarding to seal the deal by having management approval of your policies. Having a document to point at when referring to security decisions is really useful!
You should also be advised that once you climb the organizational food-chain, you will be doing less and less security work, and spending more and more time telling others what to do. You should be confident that you can appreciate delegation instead of doing it yourself. Remember that good leaders delegate! Delegation will free you up to tackle the truly important challenges in your business. After all, you will be able to follow up on the delegation you have done, and that may allow you to get a bit technical and sometimes get your hands dirty!
When you are working as an engineer, architect or something similar, the job is very much about ‘you’. You are the hero, the guru, the expert, etc. When you move into management it’s all about ‘we’. It’s no longer about you – it’s about your team!
Final words
If you are an aspiring manager, don’t give up! Let everyone, and I mean EVERYONE, know how you feel about security. Let your passion shine through and make your enthusiasm rub off on others. Take action and lead! Sometimes pointing at things is not enough, you need to do it yourself.
To any current managers out there, I really do hope you avoid the security roller-coaster, and that you found my thoughts helpful. Remember that a good leader enables their team to make their own decisions. An effective team jumps at opportunities, instead of just ‘doing what we’re told’. That culture comes from you!
I encourage everyone to leave a comment with your thoughts. Follow me on Twitter if you’d like to hear more from me! Thanks for reading!