#INFOSEC17 Know Your Capabilities and Your Company

Master the ability to delegate the tasks that do not affect you, and learn what your company ethos is to deliver to its needs.

Speaking in a Strategy Talk ‘CISO Confessions: Security Lessons Learned From Modern Day Cyber-Attacks’ at Infosecurity Europe, chaired by Tim Erlin, VP of product management and strategy at Tripwire, Publicis Groupe CISO Thom Langford said that if he were to be given a task that does not relate to his position, he would delegate it and transfer authority to someone else.

Asked about buying technology that becomes ‘shelfware’, Langford said: “My group don’t buy hardware or technology and we set a policy and assess and audit, and if it is a piece of technology it is for IT to decide to buy it, and up to IT to decide how to do that.”

Erlin claimed that in many cases where the CISO is part of the organization, it is clear what direction the company should be taking. Security practitioner Stephen Khan, speaking in a personal capacity, said that if you set a strategy for the company’s direction and suggest choices, you can determine what outcome you want to achieve. “It could be risk mitigation or control enhancements, and then you can build a roadmap on what you want to achieve,” he said.

Martin Whitworth, research director at IDC, said that in some organizations the most effective arrangement is one where the CISO or security department does not make the technology decisions but acts as the customer: while they are responsible for defining requirements, they can lead with a solution that fits the company’s set of requirements.

He said: “There is the case where people are not good at their desired outcomes, and go into a situation and fail as they ask the wrong question. So it is a case of sitting and asking what you want to achieve.”

Whitworth also said that security is bad at inventing metrics, and while we look for security implementations, the key to getting effective metrics is knowing what the business is trying to satisfy and what risks they want to mitigate.

Asked by Erlin how communication works, and whether there is a successful strategy for it, Langford said he works with the communications team to get the best message out and to bring in a human factor, so that people understand in plain terms what they are facing and you can "take the facts and turn it into a compelling piece of content”.

Khan agreed, saying that when the communications plan and the business come together, the impact of an extra click in a tool or a change of process can be determined, along with what that means for a customer. “The key thing that I want you to take away is to look at your perspective of the business and ask why you’re asking for an extra click or change of process, and what you want to achieve.”

Whitworth said that the CISO has got to communicate with the board or other functions as you cannot expect it to happen, and if you need skills, the business should invest in it. “If the CISO is not asking to be developed personally, then they are not long for this world,” he said.
