The 21st Century CISO
The conductor of the orchestra doesn’t make a sound. His power comes from awakening possibility in others.
Keywords: Security Issue, Security Group, Security Investment, Security Organization, Security Initiative
The finance director sounded frustrated and exhausted. Our IT auditors had been trying to tell her about an obscure yet important data backup problem that affected SOX compliance. But her background was in accounting, not technology, and as the IT experts presented page after page of technical information elaborating the intricacies of backup processes, her eyes glazed over. The more they tried to explain by adding yet another layer of detail, the more confused and frustrated she became.
That’s when I thought of a solution. “Imagine,” I said, “we’ve got a passenger train running from station A to station B. That’s what our backups are like; they’re carrying data from our servers to tape.”
“We know the train arrived at station B, so we know the backup occurred,” I said. “But we don’t know how many passengers got on at station A, and we don’t know how many got off at station B. So we can’t definitively say we actually backed up all the information, and to comply with SOX, we need to be certain.”
The finance director sat up. For the first time since the start of the presentation, she seemed alert and engaged. And from that point on, we made progress. She asked how we planned to solve the problem, we briefly mentioned a couple of the possible solutions, and the meeting ended on an upbeat note.
My storytelling—using an off-the-cuff metaphor—succeeded where the more traditional approach had failed. It communicated a technical security issue in terms that a senior businessperson could understand and remember. And it illustrates one of the key skills of the 21st century CISO. We need to extend our reach outside the security organization to communicate with and influence people at all levels, from all backgrounds.
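The gap the train metaphor points at is a concrete control gap, not just a story: the backup job reports that it finished (the train arrived), but nothing counts what got on at the source against what got off at the destination. The following Python reconciliation is an added example, not code from the original chapter or from Intel. It assumes a manifest of files with sizes and SHA-256 digests is taken at the source before the backup and again from the backup copy afterwards, and it declares the backup complete only when every source record arrived unchanged. The file names, contents and the damaged backup copy are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    path: str
    size: int
    sha256: str


def build_manifest(files: dict[str, bytes]) -> dict[str, Record]:
    """Build {path: Record} from in-memory file contents.

    In a real deployment this would walk the source tree before the backup
    and the backup (or restored) copy afterwards; here the files are
    constructed in memory so the example runs offline."""
    return {
        path: Record(path, len(data), hashlib.sha256(data).hexdigest())
        for path, data in files.items()
    }


def reconcile(source: dict[str, Record], backup: dict[str, Record]) -> dict:
    """Compare the passengers who boarded with the passengers who got off."""
    missing = sorted(set(source) - set(backup))      # boarded, never arrived
    unexpected = sorted(set(backup) - set(source))   # arrived, never boarded
    corrupted = sorted(                              # arrived, but not intact
        p for p in set(source) & set(backup)
        if source[p].sha256 != backup[p].sha256 or source[p].size != backup[p].size
    )
    return {
        "source_count": len(source),
        "backup_count": len(backup),
        "missing": missing,
        "unexpected": unexpected,
        "corrupted": corrupted,
        # "The job succeeded" is not enough; completeness needs both lists empty.
        "complete": not (missing or corrupted),
    }


# Constructed sample data: three financial files on the source system.
SOURCE_FILES = {
    "ledger/2012-q1.csv": b"account,debit,credit\n1000,500,0\n",
    "ledger/2012-q2.csv": b"account,debit,credit\n1000,0,500\n",
    "ledger/journal.log": b"posted 2 entries\n",
}

# Constructed backup copy: the job "arrived", but one file never made it and
# one was truncated on the way.
BACKUP_FILES = {
    "ledger/2012-q1.csv": SOURCE_FILES["ledger/2012-q1.csv"],
    "ledger/journal.log": b"posted 1 entries\n",
}


def run_example() -> dict:
    """Reconcile the constructed source against the constructed backup."""
    return reconcile(build_manifest(SOURCE_FILES), build_manifest(BACKUP_FILES))


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The job's own exit status is the "train arrived" signal the auditors already had; the manifest comparison is the passenger count they were missing, and it is the artifact an auditor can actually inspect.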
Chief Information Risk Officer
In this final chapter, I’ll explain some of the skills and traits I believe CISOs need to fulfill their changing role. To set the stage, I’d like to step back for a moment and briefly recap the changing focus of information security overall.
Because information technology now supports every aspect of the business, the information risk and security group must also expand its scope to span the full breadth of information-related business risks, as described in Chapter 1. At many organizations, this is already happening. CISOs are taking on responsibility for privacy and regulatory compliance in addition to more traditional IT security functions.
This is a huge opportunity for CISOs to step into a more valuable, high-profile role within the organization. Perhaps the term chief information risk officer more accurately describes this role since it implies responsibility for the broad range of business and technology-related risks. The core skills of information security professionals—evaluating and mitigating risk—are as essential for mitigating new risks associated with privacy and regulatory compliance as they are for more traditional IT-related threats.
Taking on a larger role requires a broader view and a corresponding set of skills. We need to communicate in terms business people understand and build relationships that enable us to influence people at all levels across the organization. We also need extensive management and leadership skills, both to operate at an executive level and to inspire our security team.
The ability to manage the full range of information-related risks is a necessity, not just for the CISO, but for the organization. If we do not step into a broader role, the organization must acquire these abilities elsewhere. Because of this, CISOs who do not adapt to this role run the risk of becoming irrelevant to the organization.
I believe the 21st century CISO’s broader skills are also the key to addressing one of the biggest continuing challenges facing security groups, which is obtaining funding for security initiatives. A few years ago, one CISO expressed his frustration this way: “Many CISOs have long expressed concern over their inability to obtain funding, to obtain resource and funding support for information security investments deemed necessary to provide suitable levels of protection.” At conferences and meetings, I often ask other security professionals if they agree. Overwhelmingly, the answer is yes.
Funding security initiatives can undoubtedly be challenging for most organizations. But I also believe this quote is an indication of a failure within the security profession in general. This failure can be largely attributed to a lack of business acumen. Business acumen is necessary to communicate the technical risks in language nontechnical people in the business can grasp. It’s also necessary to understand the perspective of others, including the fact that some risks are worth taking. Risk-taking is fundamental to business. Without it, no business value would be created.
The Z-Shaped Individual
If we don’t already have the skills required of the 21st century CISO, we’ll need to acquire them.
To some extent, this trend parallels what is happening in most technology-related professions: IT professionals need to acquire business acumen as well as depth of IT knowledge. The concept of “T-shaped” individuals has been widely used to describe the idea that IT professionals need to be able to provide value horizontally, across business groups in the organization, as well as vertically at all levels within IT.
The 21st century CISO needs to understand business priorities and processes well enough to identify how security controls help or constrain the business. To gain this level of understanding, he or she has probably gained experience in areas that are central to the company’s business, which, of course, vary depending on the company’s core focus. For example, the CISO might previously have worked in manufacturing operations, services, or mergers and acquisitions.
The CISO needs technical knowledge too, although the depth of technical knowledge required remains a subject of intense debate among my peers. I’ve observed CISOs at smaller and less-complex organizations who feel they need deeper technical skills to do their jobs. This is not surprising. With much smaller security teams, CISOs at smaller companies may need to be more involved in day-to-day technical details as well as managing people. At larger and more complex organizations, CISOs are less likely to spend time delving into technical detail.
However, all CISOs need to be able to understand enough about the technology to absorb the important issues and communicate these issues to other managers outside the security group. This means that our technical knowledge must be broad, ranging from devices to data centers. We need to know enough about devices, such as smartphones, PCs, and tablets, to understand the security implications as well as the benefits. At the other end of the scale, we need to know enough about data centers and physical access controls to understand and communicate the important security requirements and challenges.
Our core risk management and security skills provide the link that completes the “Z” by connecting technology and business. We understand how to assess and manage risk by applying procedural, technical, and physical controls to meet the organization’s legal, privacy, and security requirements.
Becoming a Z-shaped individual is the foundation for one of the 21st century CISO’s essential traits: establishing credibility across the organization. We must be credible in order to build trusted relationships with executives and specialists across the organization and to discuss the vast range of issues that affect the business. This credibility is built on the competence that comes from understanding the business and technology as well as possessing core security skills.
Our ability to influence the organization also springs from a clear mission. I use the term centered to describe this. We can effectively present our case because we have a strong sense of purpose and a clear understanding of why the security group exists and what we are trying to achieve.
This idea returns us to the theme of this book: Protect to Enable. In our global economy, Intel, like most companies, operates in highly competitive markets. As the security organization, our mission is to enable the free flow of information and rapid implementation of new capabilities to ensure success and long-term competitive survival. Other CISOs may work at more risk-averse organizations, and therefore some aspects of their mission may differ from ours. However, the mission is always aligned with the business priorities, and it becomes an essential part of who we are. It provides a sense of purpose that lends authenticity and consistency to our actions and helps us build credibility across the organization.
As we all know, security can be a particularly distracting profession, with a constant barrage of day-to-day emergencies and diversions. So we need a clear mission in order to retain a strong sense of direction. Like expert sailors, we can progress toward our goal amid the day-to-day distractions and diversions, making continual adjustments and corrections to stay on course as the winds shift.
We also need to retain a sense of curiosity. To engage with others, we need to be genuinely interested in what they do. This curiosity enables us to continue to learn, building on and broadening the competencies that then enhance our credibility.
Another major reason we need to be learners is to stay ahead of the enemy. Threat agents are always learning because they must. As new threats emerge, we put in place new controls. But once implemented, these controls tend to be static, while threat agents are dynamic, coming up with new techniques to bypass the controls. Therefore, our thinking must also be dynamic, and we must continually learn in order to protect against ever-evolving threats.
Becoming a Storyteller
We cannot influence people unless we communicate with them. And as the scope of information risk expands, we need to communicate with a wider range of people across the organization.
Communicating with people isn’t always easy, as most of us have discovered. If we start relaying technology details to those who aren’t technologists, we won’t capture their interest. In fact, we run the risk of doing the opposite, as I described in the example at the start of this chapter.
To communicate, CISOs must become chameleon-like, with the ability to blend into a variety of environments. We need enough knowledge of each business domain to be able to communicate with different groups using language they understand. And we need to discuss these subjects at different levels. A CFO may only want to hear a high-level summary expressed in terms of financial impact and return, which is often not easy when discussing security investments targeting hard-to-quantify threats. Product group managers want to hear security issues expressed in terms that relate to sales, marketing, and operational efficiency.
I’ve found storytelling to be a powerful tool for communicating with diverse people across the organization. When I frame security issues as stories and images that people can understand, they relate better to the issues even if they lack a background in technology.
I like to tell stories using metaphors and analogies. They are easily remembered, and they translate complex subjects into simple terms everyone can understand. In fact, the metaphors I’ve used throughout this book, such as the perfect storm in Chapter 1, the train backup in this chapter, and the roundabouts and traffic lights in Chapter 5, have helped me communicate security issues to many people both within and outside Intel.
To paraphrase Benjamin Zander, the conductor and visionary, the power of an orchestra’s conductor comes from awakening possibility in others (Zander and Zander 2000). In the same way, I believe the power of the CISO comes from awakening the awareness of risk among people across the organization. I use stories based on metaphors to create that awareness.
For example, employees often find it hard to understand the dangers of stealthy threats. This is because the threats are unobtrusive, concealing themselves so they can steal information over the long term. Users are usually not even aware that a problem exists on their system. They still associate malware with obvious, annoying symptoms such as screen messages and system crashes. So when we tell them we’ve detected dangerous software on their machine, they have a hard time believing that it matters.
To communicate the danger, I sometimes use the analogy of ants and termites. “Malware used to be like food-eating ants in the kitchen,” I explain. “You’d know when you had an infestation because you’d see ants crawling over the countertops and walls. Once you knew about them, you’d spray or set traps to eliminate them.
“But today, threats are more like the termites that can live in your walls. You can’t see them, and you may not even know they are there. But they’re doing much more damage than ants ever did. In fact, they may be destroying the structural integrity of your house.”
I’ve found using analogies helps quickly drive home messages. People immediately understand that these invisible threats can undermine the structure of the computing environment, just as termites undermine houses. This makes them more likely to accept the next step, which is that we have to perform the digital equivalent of tenting their computer to eradicate the vermin.
Fear Is Junk Food
Just as building trusted relationships is essential to influencing the organization, I also think we need to transcend the doom-and-gloom that can pervade discussions of security topics.
The security industry has a tendency to use fear to sell products. Internally, as security professionals, we sometimes share this tendency. Of course, security really is about scary things: threats, vulnerabilities, and risk. But focusing on fear as the primary motivator is like living on a diet of junk food. It may provide immediate gratification, and it’s somewhat addictive, but ultimately it’s not healthy for either the CISO or the rest of the organization.
In the short term, fear can scare people into action and help drive funding for security projects. However, relying on fear alone can only work for so long. Eventually, it has the opposite effect. It causes the CISO to lose credibility. In fact, I think relying on fear may even contribute to the high rate of job turnover among CISOs. Those who rely too much on selling fear are snacking on an unhealthy diet, and eventually the organization realizes this and rejects them.
Ultimately, fear doesn’t work for other reasons too. Most people don’t want to listen to a continuous stream of negativity. If we are always seen as the source of negativity, we will lose our audience. If we are continually viewed as the group that says no, we will be ignored. People will bypass security restrictions in order to meet their business needs.
Even within the security organization, fear can become a gravitational force—a black hole—drawing ever-increasing attention to the negative side of security issues and draining energy that should be directed to enabling the business.
Accentuating the Positive
So how do we take a more positive approach? We must focus on our mission—Protect to Enable. This mission shifts the emphasis from the negative to the positive: how we can help the business achieve its goals by solving security problems. It puts hope and optimism before the challenge.
This mission is aligned with the business. Rather than being antagonistic, it is based on common values. It sets an optimistic tone, and, in the long term, optimism is a far better motivator than pessimism. Threats may be frightening, but our goal is to see past the threats and identify the opportunities. To paraphrase the noted Stanford University behavioral scientist Chip Heath, there’s no problem that cannot be solved with a new framework. Therefore, if we can’t see a solution, we have the wrong framework. Protect to Enable provides this new framework. It helps us focus on finding solutions.
Imagine you’re invited to attend a meeting to discuss whether the company should start using a specific cloud-based business application from a new supplier. Clearly, this product introduces risks: it comes from an unfamiliar supplier, it’s accessed over the Internet, and it means sensitive data will be stored outside the enterprise.
A narrow security view might focus solely on minimizing the risk. However, this narrow view can lead to a Catch-22 situation, as discussed in Clayton Christensen’s book The Innovator’s Dilemma (Harvard Business School Press, 1997). Typically, it goes something like this. To minimize the risk, the organization initially restricts the use of a new technology. For example, the technology can only be used for low-risk data, or by a narrow segment of employees. The problem with this approach is that it also reduces the business benefit to the point that the benefit of the technology cannot justify the expense and effort of adopting it. So we reach an impasse. To make the technology a viable proposition, we need to be able to show a business benefit—but we can’t show a business benefit because we won’t allow viable use of the technology.
Protect to Enable provides the new framework that frees us from the innovator’s dilemma. It allows us to focus on the opportunity and identify benefits that outweigh the risks. For example, introducing a new supplier increases competition for our existing suppliers—leading to future savings for our organization. This benefit aligns with the business and is one that everyone in the organization understands. Perhaps less intuitive, but equally important, the savings can be used to fund security controls to mitigate the risk of using the technology more widely. Now our benefit/risk equation has a positive result rather than a negative one. By enabling the technology to be used more widely, we realize bigger business benefits that outweigh the additional cost of controls. This example also underlines the need for CISOs to build business acumen that enables us to see the opportunity and how it can be used to overcome the challenge of funding security initiatives.
Let’s look at another example, this time from our experience at Intel in the days before we had defined our Protect to Enable mission. Several years ago, a highly damaging worm was discovered in our environment, requiring a significant emergency response from our team. Upon investigating, we traced the origin of the worm to an employee’s personal computer.
Our immediate response was that of a stereotypical security group. We shut down this usage to eliminate the risk of future infections. We immediately tightened security policy to ensure only Intel-owned PCs could access the network, and we ruthlessly went through the environment and cut off access by any devices not managed by IT.
Our response was successful in the sense that it reduced the risk of infection. But it led to other risks we hadn’t foreseen. Eliminating personally owned PCs from the network meant we now needed to issue corporate PCs to contract employees. This meant that we had to provide more people with devices that allowed full access to the Intel environment. It also, of course, increased capital costs. The broader impact was that it eliminated the potential business benefits of letting people use their own personal devices for work.
More recently—driven largely by employee demand, as well as the massive proliferation of new consumer devices—we revisited this issue. This time, we examined it from the perspective of Protect to Enable. We looked at the business opportunities if we allowed personally owned systems on the network, and then how we could mitigate the risks. As I mentioned in Chapter 1, we rapidly discovered that the business value is enormous. Helping employees communicate and collaborate at any time can drive significant productivity gains. It also helps make employees happy. They love using their personal smartphones, PCs, and tablets and appreciate that we enable them to do so.
These benefits easily outweigh the cost of the technology required to reduce the risk of allowing access by personal devices. True, some of this technology wasn’t available at the time we experienced the original security problem. But if we had focused on the opportunity first, perhaps we could have found ways to provide some level of access while mitigating the risk, and experienced at least some of the benefits we enjoy today.
Demonstrating the Reality of Risk
Of course, the security organization’s role still centers on managing risk, which includes discussing the negative consequences of people’s actions. If we frame this discussion carefully, I believe we can inform without fearmongering. By describing possible outcomes and solutions without using emotional language, in terms listeners can understand, we create a context in which the organization can make the decisions that are best for the business.
Even when we have to highlight unpleasant outcomes, we’re not fearmongering if our information is based clearly on reality. Here’s another example from our experiences at Intel. As our customers’ use of the Internet expanded, Intel’s marketing groups naturally wanted to expand their external online presence by creating new web sites. So we, as Intel’s information security group, began assessing the risks and the security controls required. Some of our marketing teams didn’t find this an appealing prospect. They needed to move quickly, with the freedom to communicate however they thought best, and they viewed security procedures as bureaucracy that slowed them down and hindered their ability to communicate with customers and partners.
What happened next was far more persuasive than any of our initial efforts to forestall potential problems. A few web sites were launched without rigorous quality control. Hackers found the weaknesses in these sites, but they didn’t crash the sites or steal information. Instead, they inserted links to porn sites.
When this unfortunate fact was discovered, it provided the leverage we needed to improve security procedures. I realized this was a case where a picture spoke a thousand words. So, to illustrate the impact, I simply showed the links to people within Intel. This wasn’t fearmongering. It was simply demonstrating the real consequences of their actions on the Intel brand. Everyone could understand the implied question: Do we want our brand to look like this? This ended, once and for all, any discussion about whether we needed to apply rigorous quality control to external web sites.
Measuring and Communicating the Value of Security Investments
Analyzing and communicating the value of security controls often presents challenges, particularly when it comes to expressing this value in terms that business people can understand.
This situation can be frustrating for security professionals, finance specialists, and business groups. Adding to the challenges, security investment decisions have become more complex as we analyze new options to counter threats, such as social engineering, and to support technology trends such as IT consumerization.
We created a security investment model designed to address these issues by helping us analyze investments based on their business value to Intel (Carty, Pimont, and Schmid 2012). The most important output of our model is an estimated financial value for each investment, based on how much the investment reduces risk. The spreadsheet-based model presents this information in a format easily understood by business professionals.
A key strength of our model is that we can analyze the value of each investment within the context of our IT environment, rather than in isolation. For example, we can estimate the incremental value that a new investment will provide when added to our existing controls. In addition, we can use the model to analyze any type of new or existing security investment.
We are already using the model to help drive discussions within Intel IT and more broadly across Intel. We have used the model to analyze new security initiatives and examine existing controls to identify areas where we may need to adjust our strategy.
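The security investment model described in this chapter is characterized only by its outputs: a financial value per investment, derived from the risk it removes, evaluated against the controls already in place rather than in isolation. The Python below is an added example of one common way to produce such a number; it is not the Intel model from Carty, Pimont, and Schmid (2012), and its structure, scenarios, rates, losses, costs and effectiveness factors are all constructed assumptions. Each threat scenario has an annual rate of occurrence and a loss per occurrence; each control removes a fraction of the occurrences of the scenarios it addresses; annualized loss expectancy (ALE) is computed with the existing controls, then again with a candidate added, and the difference minus the candidate's annual cost is its incremental net value.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Scenario:
    name: str
    aro: float  # annual rate of occurrence with no controls in place (assumed)
    sle: float  # single loss expectancy, currency units per occurrence (assumed)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # Fraction of occurrences stopped, keyed by the scenario it addresses.
    effectiveness: dict[str, float] = field(default_factory=dict)


def residual_aro(scenario: Scenario, controls: list[Control]) -> float:
    """Occurrences per year that get past every control.

    Controls are modelled as independent filters: each lets through
    (1 - effectiveness) of what reaches it. This is an assumption of the
    example, not a claim about how any particular model composes controls."""
    rate = scenario.aro
    for c in controls:
        rate *= 1.0 - c.effectiveness.get(scenario.name, 0.0)
    return rate


def ale(scenarios: list[Scenario], controls: list[Control]) -> float:
    """Annualized loss expectancy summed over all scenarios for a control set."""
    return sum(residual_aro(s, controls) * s.sle for s in scenarios)


def incremental_value(scenarios, existing, candidate) -> dict:
    """Value of adding `candidate` on top of `existing`: risk reduced minus cost."""
    before = ale(scenarios, existing)
    after = ale(scenarios, existing + [candidate])
    reduction = before - after
    return {
        "control": candidate.name,
        "ale_before": round(before, 2),
        "ale_after": round(after, 2),
        "risk_reduction": round(reduction, 2),
        "annual_cost": candidate.annual_cost,
        "net_value": round(reduction - candidate.annual_cost, 2),
    }


def rank_investments(scenarios, existing, candidates) -> list[dict]:
    """Evaluate every candidate against the same baseline, best net value first."""
    rows = [incremental_value(scenarios, existing, c) for c in candidates]
    return sorted(rows, key=lambda r: r["net_value"], reverse=True)


# Constructed assumptions: two scenarios, one control already deployed,
# two candidate investments competing for the same budget.
SCENARIOS = [
    Scenario("phishing_credential_theft", aro=12.0, sle=50_000.0),
    Scenario("lost_unmanaged_device", aro=4.0, sle=200_000.0),
]
EXISTING = [
    Control("mail_filtering", annual_cost=100_000.0,
            effectiveness={"phishing_credential_theft": 0.5}),
]
CANDIDATES = [
    Control("phishing_awareness_training", annual_cost=60_000.0,
            effectiveness={"phishing_credential_theft": 0.4}),
    Control("device_encryption_and_mdm", annual_cost=150_000.0,
            effectiveness={"lost_unmanaged_device": 0.9}),
]

if __name__ == "__main__":
    for row in rank_investments(SCENARIOS, EXISTING, CANDIDATES):
        print(row)
```

The point about context is visible in the numbers: evaluated on its own, the awareness training removes 240,000 of expected annual loss, but evaluated on top of the existing mail filtering, which already stops half of the phishing, it removes 120,000, and that is the figure the business should see. The output is also in the terms a CFO asked for in the earlier discussion: expected loss before and after, cost, and net value, with no threat vocabulary required.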
The CISO’s Sixth Sense
In the book Blink: The Power of Thinking Without Thinking, author Malcolm Gladwell (Little, Brown & Co., 2005) describes an interesting experiment. Researchers asked subjects to play a game in which they could maximize their winnings by turning over cards from either of two decks. What the subjects didn’t know was that the decks were subtly stacked. They could win by selecting from one of the decks, but selecting from the other deck would ultimately lead to disaster. After about 80 cards, the subjects could explain the difference between the decks. But they had a hunch something was wrong much sooner, after only 50 cards. And they began showing signs of stress and changing their behavior even sooner, after only about 10 cards, long before they cognitively understood a difference existed.
As CISOs, we develop a sixth sense about security issues. Often, my instincts suggest a need to act or begin investigating a specific direction long before our group is able to fully understand or explain what is happening. This sixth sense is particularly relevant in the security realm, where our information is almost always imperfect or incomplete. When a threat strikes, we do not have time to conduct extensive research or wait for evidence to accumulate. Therefore, we need to act decisively based on imperfect information.
I think we develop this sixth sense from the diverse experiences and skills we’ve acquired during our careers. We can also foster this sixth sense by being aware. Some security professionals tend to be inwardly focused, looking only at the data and systems they need to protect. As described in Chapter 4, at Intel we try to be more open and outward-looking, sharing information, and seeking input from a variety of sources, including peers across our company and at other organizations. This can help CISOs spot early warning signals and correlate information to quickly identify threats. Like secret service agents scanning a crowd, our experience helps us spot anomalies, to see the signals and ignore the noise.
By intercepting threats early, we may be able to minimize or entirely eliminate the impact. We may also reduce the effort needed to deal with the threat. Early action may avoid the need for emergency response and a potentially major cleanup effort.
Taking Action at the Speed of Trust
A sixth sense is only of value if the organization can act on it quickly. This requires two things. First, we need the courage to take a leap of faith based on what we believe. This courage is rooted in the attributes I discussed earlier in this chapter, such as being centered and credible, with a clear sense of our mission.
The second requirement is that the organization responds quickly when we inform them about a security issue. This rapid response is only possible if we have established trusted relationships with people across the organization. Because of these relationships, the organization can act at the Speed of Trust, as Stephen M. R. Covey describes it in the book of the same name (Free Press, 2008). Faster, frictionless decisions are possible because people know, from experience, that our information is reliable and that our focus is on enabling rather than spreading fear.
The CISO As a Leader
Above all, 21st century CISOs must become effective leaders who can inspire their teams to enable and protect the organization.
Over the years, I’ve identified three essential themes I try to instill in my team and constantly reinforce in our day-to-day interactions. Our security team members must believe in our mission; feel they belong to our Intel IT security group and Intel as a whole; and feel they matter.
If I can make people feel they believe, they belong, and they matter, they will tackle any challenge. If people understand the greater goal, it helps establish an emotional connection and guide their everyday actions. This is a key reason that I have thought so much about defining our mission, and that I spend so much time helping our team see how their jobs are connected to the business’s objectives and concerns.
For example, a typical operational goal might be to patch all systems within a week of a new software release. This goal is more meaningful if we establish the links to the business using I believe, I belong, and I matter. I believe in the mission of Protect to Enable. If I’m not protecting to enable, the other employees at the organization I belong to cannot do their jobs effectively. The company doesn’t achieve its results, and the company doesn’t execute its vision. Patching systems quickly matters because it helps our users do their jobs, which in turn helps the business achieve its goals.
Learning from Other Business Leaders
As leaders, we can learn a lot from how other business leaders work. Today, managers are moving away from command-and-control to a more collaborative approach that takes advantage of the diversity of employee ideas and strengths. I’m not talking about a consensus process, which can lead to endless debate and indecision. Rather, a leader’s goal is to ensure alignment to a common mission and accelerate decisions. Within this framework, differing viewpoints and debate spark creativity, generating new ideas and a productive tension that can drive results.
Because security can be frustrating, even daunting, it’s vital to find ways to help employees stay motivated. It’s important to help employees feel they are making progress, not just when they achieve major milestones, but in solving the smaller problems they face every day. A key study found that even small wins boost motivation, productivity, and creativity. In the Harvard Business Review article describing the study, authors Teresa Amabile and Steven Kramer (2011) determined that the feeling of making progress is the most important contributor to an employee’s emotions, motivations, and perceptions.
Opportunities to lead occur continually, in every interaction with our teams, with other people in IT, and with business partners. The question we need to ask ourselves is whether we are seizing these opportunities to reinforce our mission, and ultimately to help the organization achieve success.
In highly technical jobs and organizations, we have a tendency to focus on technical challenges while overlooking the “people factor.” I think it’s important to remember the need for personal connections, which foster the sense of belonging. When we know a little more about each other, we care more as a result. I think about this in my day-to-day interactions. If a team member is making a presentation, are we paying attention and asking thought-provoking questions, or are we distracted? And if so, do we think they will feel they belong?
When we meet with a team member to discuss their struggles with a project, are we helping them think through the issues and come up with solutions? Are we helping them believe they can overcome the challenges and that the results will matter to the company and to us? Or are we just taking them to task? Each interaction is an opportunity for coaching and helping employees improve their performance.
It goes without saying that leadership means taking responsibility. Yet some CISOs seem to forget this, at least occasionally. A typical situation goes something like this. The CISO warned of a security issue but couldn’t obtain the budget or resources to address it. So the CISO abdicated responsibility because someone else had made the decision not to fund a solution. I take a different view. I believe even if we disagree with the decision, we should do our best. As partners in the organization’s strategy, we should commit to the decision and share full accountability and responsibility with our peers.
A final requirement of effective leadership is the ability to develop other leaders within the security group. Otherwise, the group’s strengths in managing risk for the business will last only as long as the current CISO’s tenure. By building competence in depth, the CISO can ensure that the organization delivers sustained performance over time.
Looking to the Future
As the technology environment continues to evolve, many people believe we’re moving toward a future in which organizations outsource much of the delivery of IT services. If this trend continues, what does it mean for the CISO?
In this view of the future, the organization shifts away from IT implementation to procurement and management of suppliers and services, while setting direction and establishing an overall IT architecture.
In addition to this, the organization will need to retain the core competency of the security group, the management of information risk. Essentially, organizations cannot outsource risk. We can hire companies to deliver our business systems, but we’re still responsible for compliance with SOX. And if a breach results in theft or leakage of personal information, we’re still responsible for reporting it. Furthermore, we still suffer the damage to our brand, even if the breach was due to a failure of the supplier’s systems. As regulations proliferate and more and more personal information is stored in business systems, the risks can only increase.
Therefore the CISO’s abilities will remain essential, even if the job title changes. The organization must retain the management of information risk as a core competency. As CISOs, we are poised to continue providing that core competency as long as we can effectively work within this new environment by developing the abilities I’ve described in this chapter and throughout this book. These abilities enable us to work with others to support the Protect to Enable mission.
In this chapter, I have covered a range of abilities and characteristics that the 21st century CISO requires. Many of these probably sound familiar, but it’s all too easy to forget them amid the demands of hectic daily schedules. I’ve found a good way to remind myself of some of the key attributes is simply to look at my job title. The letters in CISO help me remember that we all need Character, Intuition, Skills, and Objectivity. So if you’re struggling to remember all the details in this chapter, just remember you’re a CISO. You need Character to ensure your actions demonstrate integrity; Intuition to anticipate what’s needed and act accordingly, taking risks when necessary; Skills that span business, technology, and a wide variety of risk areas; and Objectivity in order to avoid falling prey to fearmongering.