New CISO? Get your first 90 days action items here

So you’re a new CISO and you just arrived at the organization. What should your personal interaction project plan look like? I tell CISOs that they should plan on a few days to simply spin up their technology, get their communications in place, and figure out how to get into the buildings. Every executive I have met has been process oriented to ensure reliability and validity of decisions. Executives tend to filter validity through the sieve of viability. This article, though, is about getting the CISO portion of the executive role off to a good start. There is an acronym definition section at the end of this post if you are new to some of these concepts.

It is pretty obvious the first few weeks of a CISO being on the ground at a new entity will involve meeting with the other senior management and especially the CIO. In my roles as a senior executive or CISO I like to get to know the people side of the executive coin and the business side of the enterprise. Much of the awareness that, in my opinion, will determine a CISO’s capability is driven by data. The analysis and acquisition of data about the current attack surface and security posture of the organization will drive decision cycles and priorities throughout the CISO’s career. One of the things you are going to try to assess is the maturity level of the cybersecurity enterprise environment of the organization.

[Figure: Characteristics of the Maturity Levels. The five process maturity levels in the Capability Maturity Model. Source: https://commons.wikimedia.org/wiki/File:Characteristics_of_Capability_Maturity_Model.svg]

Thus to get started you need to meet with the CIO, COO, CFO, and business unit leaders.

Within the first 90 days a new CISO should be getting the ground truth on what the current environment of the organization looks like. That ground truth is framed by the statutory and regulatory frameworks of the job. In government, things like FISMA and FITARA set the statutory goal posts. Outside of government, Sarbanes-Oxley and HIPAA are examples of compliance regimes. The first week should include a meeting with the general counsel on how they see these things fitting together. You will follow up with meetings tackling the budget with the CFO and others. The statutory and regulatory items will determine the fulcrums of policy when weighted by budget and mission needs.

Action Item #1 Set up a meeting ASAP with OGC; the topic is the regulatory and statutory structures tracked and assessed by OGC as information security topics. Key indicators of maturity level are how much the OGC knows or doesn’t know about infosec risks to the organization and whether there is a lead OGC attorney for the CIO/CISO to lean on.

Depending on the organizational structure I look for reports, assessments, prior audits, and in government, reports from GAO and IG entities. Many of these items will drive my interest level in taking on a new organization. How the organization thinks about these reports is invaluable for context. I usually ask for 3 years of previous reports and, depending on staff constraints, like to have them brief the three year window ASAP. For government, three years is basically the budget window for program money. This allows me to understand the chronic things that constantly go unfixed versus the “it just broke and we fixed it” type of issues. Almost as important, it allows me to see how a staff will brief and how seriously they take information security.

Action Item #2 Receive a brief from staff; the topic is a detailed analysis of the last three years of chronic and acute cybersecurity issues as identified by external entities. Metrics briefed should include current and past details as tracked (such as POAMs). A key indicator of lack of maturity is that this is not being tracked as a formal executive dashboard item on a daily basis. Really immature organizations don’t have this built into their strategic plan.

Security architecture is always a top concern. As a CISO I want to know what we can see, how we see it, how we verify it, and who is tasked with reporting it. The senior security architectural entity needs to brief on the security stack from external firewall (core network infrastructure) to the desktop security solutions. There had better be adequate network maps and more importantly a high level of confidence the result is valid. Usually neither of those is true.

One element that is important in architecture is roles and lanes of authority within the organization. These policy considerations are missed as trees in the forest of technology. For senior executives I’m sure I’m telling you something you already know. The roles and lanes of authority within the information technology environment are often in conflict. What is the role of operations versus security, and how much of the security apparatus is actually under the role of the CISO? Often the question will come down to how much budget the CISO controls versus the CIO. Within the federal government the current implementation of FISMA states that the CISO will report to the CIO, and in most organizations the CIO is the signatory assignee of the budget. You will find in some government organizations that even post-FITARA implementation the CIO may not have full control of the information technology and records management budgets. Getting a ground truth on the architecture is important for any future success in adapting the enterprise security environment.

Action Item #3 Receive a brief from staff; the topic is security architecture from edge to edge of the network. This should include operational responsibility versus security responsibility. Key indicators of lack of maturity are operations ownership of the topic, no resiliency in reporting, and knowledge of the hardware and network but not of the information transiting the network. Two simple key questions are who manages the organization’s firewalls and who manages its SIEM.

The idea of data dashboards leaves me cold, but the concept of the information found in dashboards is a pretty hot topic. I can have an extensive discussion on metrics, but I have some key indicators of success I want to see every day. The first data query is number of incident response tickets opened across the agency that day as a running total. Year to year analysis is interesting to me. I also want to see all security incidents with a paragraph or two about what happened on a daily basis. There should be an email alias that announces issues in real time, but a roll up of the last 24 hours is important too.

How is a CISO going to be notified of an incident, and what are the characterizations of an incident within the agency, department, or corporation? This kind of information is changing like the weather throughout the day. Experience suggests that nobody wants to bring leadership bad news, and managerial level leaders may suborn or stop the flow of current network status to executives. The new CISO is well served to set up incentives to ensure that bad news flows easily to the top, so that incident response decisions are made on the front end of a problem set rather than in “hair on fire panic mode”.

Action Item #4 Set up a daily feed from the field at a leadership level on what the current security posture and activity level looks like. Mature organizations should have this automated and it might be a push button or even auto-magic email to the CISO inbox. Oh, and the CISO should have a DLL as well as a personal email. This is just one of those little things that helps the field understand that the CISO is both a role and activity within the organization.

Speaking of metrics, I have a long list of program metrics that I like to use, and they are all based on a particular book, Cybersecurity for Executives: A Practical Guide. There are monthly, quarterly, and yearly metrics within that structure, but I am very interested in seeing the current metrics that are being delivered to executives. This will tell me what the CISO team thinks is an appropriate level of surveillance of the network security posture. I add to this a daily threat briefing that should answer who has been targeting the organization, what that targeting looks like, and how far/deep the security team has dug in the last 24 to 72 hours to ensure bad guys are not in the network.

Brigadier General Greg Touhill (ret) wrote a book called “Cybersecurity for Executives” that details a list of metrics that anybody with strategic responsibility for a network should consider. Chapter 8 of his book has an extensive list of metrics from staff levels, training, and tenure to system events and discussion of vendor requirements. I find many organizations have very low fidelity on the security metrics question and putting the book in the hands of security staff causes immediate returns. It is also a good book for a new CISO to present to a CIO on day one which I have done.

Action #5 A brief on the current status as measured by the metrics in the book. This will set the maturity baseline and the CISO’s understanding of the strategic capability of the organization. In some cases this may be the first time this kind of view has ever been had by leadership.

There are several myths about cybersecurity and attacker capability. One myth is that everything is moving forward so fast we can’t keep up. The second myth is that things happen in cyber so fast that no human can keep up. Yet the core technologies of networks and those that secure networks are older than many of the people operating them. Consider TCP/IP at over 40 years old, and the current processor crop has its roots in the 1980s. As to how fast things happen on a network, Mandiant has reported breaches of organizations that persisted for years. The average dwell time for an adversary on a network is over 100 days. The fact that a bullet comes down range really fast doesn’t mean you shouldn’t dodge, assess for continuing fire, or consider the ramifications of your current lack of cover.

The key elements you want to identify are the mechanisms for handing off incidents between the incident response team and forensics, and the feedback mechanisms used by the security team to mitigate known events. This action is about determining the effectiveness over time of mitigation activities. It is related to the other items, but the focus is on the security operations team. In some organizations this may belong to an operations chief rather than the CISO. The details of what threat intelligence teams are looking at and how they are communicating it are important feedback mechanisms.

Action #6 Receive a daily brief on the current security posture as measured by the security operations team. That brief should be consistent with the mitigation strategy from the awareness the threat intelligence types are accomplishing.

Every day at the end of the day I expect that the security operations team, the incident response and handling team, and the threat intelligence team (tri-team model) will report on their current significant activities. In the DoD world there is usually an IAPM role that may report to the CISO. Similarly, it depends on whether the CISO or CIO is the AO for systems. The IAPM role may be the senior managerial leader between the CISO and the security team. Regardless, a tri-team model may be the best way to surveil the current status of the enterprise. These are EXSUM paragraph statements of who, what, where, when, and why of no more than 150 words or five to seven paragraphs. This is the daily close out of the events of note to the CISO.

Events or incidents that are declared or may be declared under formal legal or policy constructs are separate from these end of day reports. The operations tempo even during an incident needs to keep pace. A key indicator of maturity is how well the daily business gets done in an organization when an incident is occurring. The more chaos or executive time spent on decisions or awareness, the less likely the organization will succeed at keeping adversaries out. The daily EXSUM and the details within it give the new CISO a good idea of what people are spending their time on, and thus information for prioritization and decision criteria.

Action #7 Mandate a daily EXSUM from each team reporting to the CISO that details the activities of the day in one short paragraph. Other details, if needed, would filter into more long form reports, but in general these provide a heads up that something is happening.

What a new CISO will find is usually an amalgamation of people making decisions based on different biases and concerns that are as much cultural as they are policy and law. If you are the first CISO in an organization there are going to be turf battles over who controls what. I usually make the assumption of infinite power and total control until told otherwise. I have in the past suggested to a new CISO that he change staff on day one of his tenure based on the issues we found during an audit. Many of the previous decisions of an organization will have been driven by consensus, absent data or evidence, and may have been absent any consideration of security controls. As such I like to get to know the team, and I start out with a data call on just who the most trusted agents on the network are going to be.

Action #8 Require a briefing and document that details the current tenure and employment churn within the security teams. The briefing should detail job title, managerial level, years with the organization, and departures over the last 90 days. I also like to see the resumes of the entire supervisory staff within the security organization. Key indicators of maturity are how detailed this briefing is and whether they lead with a security organization chart or a security business line alignment chart. That will become part of the playbook (which is another topic).

So with that you have the basics of eight action items and mini projects to get the staff started down a path to working with you. Of course, if you are about to hire a new CISO these might be things you prepare as a CIO or CISO staff for the new CISO. This entire article is heavily in the camp of data driven decisions and analysis versus myth and bias leadership. There will be a lot of data massaging attempted within organizations. That is to be expected, but it will also give a sense of the organization in how that kind of leadership massaging is done by a professional staff.

You might have noticed that each of the action items can lead to a leadership metric. Whether overtly or covertly, many of the categorical items can be rationalized into a numerical form should it be desired. The art of metrics development, much like preparation of a battle book and incident playbook, is beyond the scope of this discussion. However, given answers to all of the action items above and the subsequent work of developing those answers, a CISO will find with good reliability and validity the maturity level of the organization. That will drive what projects will be voluntarily taken on.

Acronyms we got lots of acronyms

AO Authorizing Official

ASAP As soon as possible

CFO Chief Financial Officer

CIO Chief Information Officer

CISO Chief Information Security Officer

EXSUM Executive Summary

FISMA Federal Information Security Management Act

FITARA Federal Information Technology Acquisition Reform Act

GAO General Accounting Office

HIPAA Health Insurance Portability and Accountability Act

IAPM Information Assurance Program Manager

IG Inspector General

POAM Program Objectives and Milestones

SIEM Security Incident Event Management

OGC Office of General Counsel
