If there’s one constant in the life of a chief information security officer, it’s change. No one day looks like another. In many cases, CISOs don’t look alike either. They come from different backgrounds, and the companies that they work for will treat the role differently. They do, however, all face the same set of broad challenges, and can use the same techniques not only to get the job done, but to define it in the first place. Infosecurity talked with several CISOs and experts to find out what a day in the life of a CISO might look like.
8:30 AM – Welcome Aboard the Enterprise
When Jim the CISO arrives in the office, the first thing he does is check his security dashboard. This may not be a ‘single pane of glass’ web interface that brings up the status of every security issue in the organization. It might simply be a case of checking a few key touch points, which may involve calling key individuals, and checking go-to websites.
“What’s my health? Is my company at risk? Are there any threats? What’s on the newswire?”, says Bill Sieglein, founder of the CISO Network. “You might see that the Sony PlayStation Network was breached, which means that you could be on the end of a phishing attack today.” He likens the dashboard check to what might happen aboard the starship Enterprise: “Where are my shields?”, he quips.
10 AM – Meet the Audit Team
It’s audit time again. Actually, it’s audit time most of the time. Twenty-five to 30% of a CISO’s time is spent preparing for or responding to audits, Sieglein says. It is here that the CISO might begin to experience what Mike Gentile, editor of The CISO Handbook, calls a moral dilemma.
One of the problems facing a CISO is that the more effective the audit is, the more enemies they may make. “When you want to bring on a new client, most of the reputable organizations are asking you to do security audits on your environment, and to vouch for it”, he says, adding that in many cases, the senior VP of sales will be paying close attention to security audits. “The problem is that many organizations are not doing security very well. So, what do you think happens with an internal review that is a disaster?”
| "Technical guys can focus only on the mitigation, which can put a barrier between you and a business unit" |
| Bob Maley, Strategic CISO |
Bob Maley, former CISO for the State of Pennsylvania, knows all about dilemmas of disclosure. He was fired last year for disclosing information about an incident during the RSA Conference in San Francisco and is now founder and strategic principal at Strategic CISO. “It depends on the ethical environment of the organization in general”, he says. Different companies will evaluate CISO boundaries in different ways.
CISOs may therefore find themselves under pressure from different parts of the business, with different political agendas. How can they navigate this? Avtar Sehmbi, head of security and IT risk management at Deloitte, says that business engagement is paramount. He splits that process into several key activities. The first are alignment, and finding the right people to get advice from, and that is what Jim the CISO spends the next hour doing.
12 PM – Lunch With the Head of Human Resources
“I Spent 12 months when I joined Deloitte just talking to people and navigating the organization, understanding the politics, the appetite, the worries and concerns of key stakeholders”, says Sehmbi. Understanding business strategy, major changes coming down the pipe, and financial limitations is all part of the alignment process, as is mapping out initiatives within the organization that may compete with each other.
| "I spent 12 months when I joined Deloitte just talking to people and navigating the organization, understanding the politics, the appetite, the worries and concerns of key stakeholders" |
| Avtar Sehmbi, Deloitte |
“As part of alignment, you can target and tie your initiatives”, Sehmbi adds. “Without alignment, it’s difficult to sell protecting the organization. As part of that, it’s also important to support the organization’s objectives directly, while increasing capability and maturity.” The more plugged into a business the CISO becomes, the easier it will be to cope with moral dilemma, because the business will be more receptive to security initiatives.
12:30 PM – An Unexpected Phone Call
During lunch, Jim gets a call from Jill, a senior manager in the IT department, who tells him that she has seen unexpected activity on the network. Logs show a massive data dump from a company database, and it isn’t yet clear what data has been extracted, or where it went. It is, however, cause for concern. Jim asks Jill to attend a meeting with legal counsel, the head of public relations, and others on the executive team, including the compliance department. The IT department will continue gathering information until the meeting, which is scheduled for 3 PM.
1 PM – Meeting With Implementation Team
One of the biggest strategic projects that Jim’s company has on the go is a mobility and flexible working program that will enable 80% of its employees to work from home for a certain percentage of the time. Part of this entails a desktop virtualization program that will see all desktops hosted on a central server and accessed remotely.
Jim is meeting with the desktop virtualization team to discuss the security implications of the project. It ties into the second area of Sehmbi’s engagement program: service delivery. After aligning the company’s security starts with its business initiatives, the focus is then on service delivery. Jim must assist the design and implementation teams in the execution of the desktop virtualization project to bake security into the system at a foundational level.
| "The CISO’s real job is to interface between those at the business end of the organization, and those at the technical end" |
| Kevin Jones, City University London |
This is where things can get tricky for Jim. CISOs need a healthy mixture of business and technical acumen. Often, those coming from a background that is strong in one of them will lack skills and experience in the other.
Bob Maley says that being overly technical can blind a CISO to their role in the business. “The CISO needs to understand the risk, and to advise on how to identify, mitigate, or transfer it”, he explains. “Technical guys can forget that, and focus only on the mitigation, which can put a barrier between you and a business unit.” The good CISO remembers that they don’t own a system, and don’t have the authority to force the removal of that risk. Instead, they merely advise on the available options and help the business to understand the risk-benefit analysis.
Jim is more of a business-focused CISO, and needs help with the technical details. “If the business guy doesn’t have a technology background, then he needs a technical architect”, Gentile admits. “Business, technology, and security each talk their own language. A CISO needs to be multilingual, or will need someone to help bridge that gap if they can’t.”
3 PM – Emergency Meeting
Jim and the assembled crisis team gather for a short meeting to identify the scope of the security breach. Jim’s security architect has already briefed him on the technical details. Password data was dumped to a USB key via a machine that wasn’t locked down. It happened one week before the employee left. However, the password data was encrypted, along with the e-mail addresses used, and no other information was stored in that table. The company is relieved that data breach reporting requirements in its particular location don’t require disclosure unless sensitive information has been stolen in plaintext form.
Nevertheless, law enforcement will be involved, because the former employee attempted to steal sensitive information. The CISO knows that it will be his job to gather as much evidence as possible to hand over to the legal and law enforcement teams. From here on, they run the show.
3:30 PM – Board Presentation
This is a rare opportunity for Jim, who reports to a CIO who sits on the board. The CIO is a dyed-in-the-wool finance expert, who relies on those underneath him to advise on more technical matters. Jim will present a business case for deploying a role-based management system for the company.
He is careful to avoid too much technical jargon, instead focusing on the security benefits of restricting internal employee access to sensitive information, and also focusing on the benefits to human resources.
| "Business, technology, and security each talk their own language. A CISO needs to be multilingual, or will need someone to help bridge that gap if they can’t" |
| Mike Gentile, editor, The CISO Handbook |
“The CISO’s real job is to interface between those at the business end of the organization, and those at the technical end”, warns Kevin Jones, professor of Dependability and Security of Socio-Technical Systems at the Centre for Software Reliability, City University London. “It has been hard to find people who could go in front of the board and explain why they need to spend a boatload of money on making the company more secure”, he says.
Jim, however, with a strong understanding of business, has already spent lots of time aligning business initiatives together, and can speak articulately about the benefits to different areas of the business. Rather than simply using fear to sell the idea, he also focuses on the potential upsides in areas such as succession planning and staff retention.
5 PM – Reporting to Management
It’s the final meeting of the day, and Jim is exhausted, but there is one thing left to do. His weekly report to the CIO is his chance to brief management on the security status within the company, highlighting any incidents that arose, and outlining the progress and results of any ongoing audits. It is a big part of Jim’s week, because it gives him the chance to fulfill the final part of Sehmbi’s engagement strategy: credibility.
“Leveraging brand and discussing success stories is important”, Sehmbi says. “You need case studies to get the support of your peers. It’s also good to have support in the form of industry and statistical information.”
Jim has run the numbers, and explains to the CIO that by helping IT to enhance and standardize processes such as change management and software configuration, he has been able to reduce desktop security incidents by 7% in the past six months. He knows this because of his relationship with the head of systems support, who has become a close ally. This gives him additional leverage in promoting security as a key issue during the coming desktop transformation project – and the CIO is clearly on his side, looking at the security function as a strategic driver, rather than just as a money pit.
It’s time for Jim to go home. Perhaps in the morning, the Enterprise’s shields will be down, and there will be another fire to fight. But for now, a stiff scotch and an episode of CSI will help him to relax. He thanks the TV networks, silently, for not producing a drama series about hackers this year.