Tip: Always be willing to collaborate, help, aid, and assist.
Zachery S. Mitcham
Chief Information Security & Compliance Officer
North Carolina Central University
We can all benefit from viewing the problem from different vantage points. Collaboration is the lifeblood of information security.
Tip: Never Pay Lip Service to Your Security Awareness Program
Favour Femi-Oyewole
Certified Chief Information Security Officer
Awareness training is an essential part of securing an organization. However, the idea should be to create a security culture, not merely to make people knowledgeable. If it is handled as a tick-the-box exercise, it heads into failure; if it lacks top management involvement and support, it results in futility. If it is not a continuous activity using a strategy that targets instilling a security culture among employees, it makes a mess of every other good thing the CISO is doing. CISOs should "market" information security and cybersecurity best practices as a matter of personal importance that promotes the protection of home and family.
Tip: Be a CISO That Walks Around
Tyson Martin
Take your lead from Bill Hewlett & Dave Packard’s example of management by walking around. Get outside your security safety zone and stroll around the office, talking to others from other teams about their latest initiatives and goals. The relationships you build and the things you learn will be priceless in the cultural transformation you have ahead of you.
Tip: No CISO is an Island of Knowledge
Favour Femi-Oyewole
Certified Chief Information Security Officer
The importance of CISOs sharing information among each other and learning trends from one another is essential. Avoid the silo mentality; we all need one another in this global village.
Tip: The 6 or 9 Approach
Jothi Dugar
CISO, National Institutes of Health
If two people stand on either end of the number 6 or 9, both will see a different number, yet both are right in what they see. Many times in organizations there seems to be a dynamic in which CISOs and CIOs and their technical operations personnel are on opposite ends of the same "number" and feel the need to prove the other side wrong. Being a successful CISO requires you to look at situations from a different perspective and to have strong communication skills that enable you to communicate effectively with diverse groups of people in a "language" that resonates with them, without making anyone right or wrong.
Tip: The CISO Needs to Understand the Business
Favour Femi-Oyewole
Certified Chief Information Security Officer
I make sure time is created, even in the midst of having no time, to read business books that broaden my knowledge of how to interface with business people in my organization. My job is to help all the stakeholders in the business and ensure their activities align with the security program.
Tip: Invite Yourself to Peer Staff and Leadership Meetings Whenever Possible
Chuck McGann
Independent Security Consultant
For a CISO to be really effective, they must understand a few things:
- The business and how it works
- Who the movers and shakers are
- How money is made and managed
- The company road map: where they are going and how they are getting there.
Collaboration is key to success, but you can't collaborate on things you don't know about or understand. You should know what moves the senior leadership and how they and the business units are thinking/positioning. Your security strategy should directly reflect and support that.
We have all presented security concerns and faced the "so what?" moment. If you understand the business and the mission of the company, you should have that "so what" answer ready to deliver. It should show why the business needs to be concerned about the security issue or risk you are bringing forward, what the consequences might be, and what strategy can be employed to mitigate the issue. Yes indeed, it's called risk management. CISOs are managing a business-enabling function and need to be engaged at the business level, integrating security into the organization's needs, not the organization into security.
Tip: CISO as a True Corporate Advisor
Favour Femi-Oyewole
Certified Chief Information Security Officer
A CISO who has matured to the level of Corporate Advisor will easily have their way and will have many in the organization consulting them on different issues, even outside of security, because the CISO function is seen as an enabler. The opposite will leave the CISO in the dark about many things happening in the organization.
Tip: Stress Test Your Cybersecurity Program
Tari Schreider
Cybersecurity Strategist, Author & Instructor
In my career, I have assessed literally hundreds of cybersecurity programs. Of those programs I reviewed, less than five percent were ever stress tested. Having a program audited or assessed does not constitute stress testing; audits and assessments only serve to review control existence, not execution or performance. One has to purposefully test the reactions of their cybersecurity program and staff against a number of scenarios or simulated attacks.
I have found that the NIST Cybersecurity Framework (CSF) is perfectly suited as a baseline, particularly the Detect, Respond, and Recover functions. Next, you would select a hypothetical data breach or cyber-attack scenario as a test of your organization's ability to react to the simulated event. The stress test is an advanced tabletop exercise and is best carried out unannounced, using a scenario ripped from today's headlines. Your staff can only use what is presently documented within your organization's cybersecurity program. You will be amazed at how the stress test unfolds.
Tip: Never Be Too Quick to Accept Blame
Dr. Curtis KS Levinson
United States Cyber Defense Advisor to NATO
Privacy, Cyber Defense, Compliance, Continuity/Recovery, Secure Cloud & Information Governance
Very often, the CISO tends to be the dumping pit for everything that has gone wrong. One zero-day attack, even when you're fully prepared (as far as budget will allow), and everyone wants to fire the CISO. Even when the budget has been tightly restricted (as it often is), the CISO gets blamed for every cyber incident. Don't be afraid to push back: cite budget and staff limitations and quote as many statistics as possible. Always hang tight.