Security Strategy: If you want to run a SOC, you’re not ready to be a CISO

EditoratLarge

5 years ago

In my article last week, I wrote about who should line manage the Chief Information Security Officer. Not surprisingly there was a lot of reaction – mostly positive! The comments section lit up with lots of interesting points, some in agreement and some still wedded to an entrenched point of view. I guess I am similarly guilty – but I am definitely open to a compelling argument as to why my PoV is wrong! Some of the comments though made me pause…is it an attitude challenge preventing aspiring information security leaders from moving to the next level and gaining the credibility of senior leadership? Is this attitude preventing the delivery of a solid security strategy? I think it is. I think one major problem is that many incumbent CISOs still see themselves as operational people and that is holding them, their organisations and future CISOs back. A CISO is a strategic role, not an operational role – if you still want to run a Security Operations Centre (SOC) then (attitudinally at least) you’re not ready to be a CISO…here’s why…

Security Strategy: Stop thinking operational and start thinking strategic

With the exception of micro-businesses and start-ups (to nip any pedantry in the bud), when was the last time you saw a COO inputting a customer application, or a CFO processing an invoice, or a CIO modifying a GPO? The answer, most likely never! The reason is that these C-Level roles are no longer operational roles. Sure once upon a time, they were at the coalface themselves but in their current role, it’s no longer their job to deal with day-to-day operational issues – the mantle for this work has been passed on.

These C-Level roles are strategic level roles. Their primary concern is facilitating the CEO’s strategic vision for a company by providing aligned strategies for their areas of responsibility. The COO will develop a strategy for administrative functions of the business, The CIO will develop the strategy for technology and the CFO will ensure the strategic financial planning is in place to ensure each strategy is fully funded. The Chief Risk Officer (CRO) will develop a risk management strategy.

Now, as a CISO (or potential CISO) ask yourself these five questions:

Do I know the CEOs strategic vision for my organisation?
Have I provided input into the strategies of the COO, CFO, CIO (and others)?
Have I written an Information Security Risk Strategy? Is it aligned to the CEOs strategic vision?
Have the Senior Management Team reviewed and endorsed the Information Security Risk Strategy?
Is the Information Security Risk Strategy funded?

If the answer to some or all of these questions is no (and you’re not just starting your first greenfield CISO role), then how are you providing strategic leadership for information security? The short answer – you’re not. Recognising that it’s an issue which needs addressing is the first step. If this isn’t a capability you currently have and you need help developing an information security risk strategy, take advantage of our security advisory service or just get in contact – we can help!

“How are you providing strategic leadership without an approved, aligned strategy?”

If, however, you’re still focused on the operational. If you’re still keen to get your hands dirty with the latest Metasploit toolset or want to get neck-deep in the MITRE ATT&CK framework or you’re still attending CAB meetings. That’s fine. You’re just not ready to be a CISO.

Security Strategy: Think soft power not hard power

I don’t know whether it is some form of Napoleon complex but a lot of CISOs feel they need to build massive empires and in particular have a NASA style SOC at the centre of their empire. These SOCs, with loads of wall-mounted flat-screen TVs, showing threats coming in from all over the globe on a fancy map (usually on a black background), are pretty sexy. I can only assume CISOs feel this projects their hard power. Other CISOs feel they need to own everything related to information security in order to have any comfort that security is being properly managed – because no one else is capable. They say CISOs can’t be effective if they aren’t directly dealing with day-to-day operational issues.

Need a Security Advisory Service (SAS) – Get in Contact

Now contrast this with the Chief Risk Officer role. How much infrastructure do CROs actually control? Very little indeed. Most CROs are perfectly comfortable managing credit risk without needing to review every single loan application that comes into the Bank. The CRO does not need to own the General Ledger to do their job. They demonstrate their credibility through the use of soft power. Similarly, a CISO does not need to own the whole security apparatus of an organisation in order to ensure security. They should be applying the same soft power techniques employed by the CRO. To micromanage shows you haven’t got the right mindset to think strategically. If you really can’t let go of operational thinking and leave that to those at the operational level to manage, you’re just not ready to be a CISO.

Security Strategy: Think less about operations and more about risk

Now I know not everybody knows about the three lines of defence model. The first line being the business applying controls, the second line providing governance and oversight and the third line being Internal Audit. In the information security world that would split down into Security Operations (Sec Ops) in the first line, Security Assurance/Information Risk in the second line, and then specialist information security auditors in the third line. Hopefully, that’s enough to bring everyone up to the speed.

If we look at a very simplistic financial services model as a case study. Credit, liquidity, operational delivery are clearly delineated from their risk functions – there is a clear separation in the lines of defence model. There will a team lending money and a completely different team assessing the likelihood of the Bank getting that money back. There will be a team dealing with deposit accounts and a completely different team working out whether there is enough liquidity, over the right period of time, to cover money lent out. Then there will be individual business process and an operational risk team making sure those processes don’t cause the Bank to lose money. Everyone gets this because operations/delivery functions and risk functions are totally delineated.

The thing is a lot of information security professionals muddy the water between operational delivery of information security and the management of information security risk. There has to be a clear delineation between the functions to be effective and the CISO can’t run both. Let the CIO have the Sec Ops function within IT or perhaps have a Sec Ops function outside IT in the COO’s domain. Wherever it sits it should be run by the Head of Security Operations or a Security Operations Manager in a smaller organisation but the CISO does not own a SOC.

Security Strategy: Stop thinking TCP/UDP and start thinking $$$/£££/€€€

Many information security professionals are technologist, they are work in information security because they like working with technology. I am no different. When I have the time I tinker with the latest functionality on AWS and I regularly security test the Fox Red Riskwebsite and build infrastructure to hack just to keep my technical skills up-to-date but the truth is I do this more for my own interests – as a CISO this is no longer my job.

Those CISOs who are still in the weeds are diverting their time away from their strategic priority – helping the senior management team, make risk-based, informed strategic decisions. How many CISOs reading this are actually doing this effectively by getting caught up in operational issues? How many CISOs are providing their senior management teams with risks categorised as unqualified High, Medium and Low instead of hard financial figures like those provided by Credit, Operational and Liquidity Risk? How often are you showing the cost-benefit of the information security team in pounds and pence? Was that SIEM managed service worth the $20million a year (when it’s still not fully deployed) or, if you were removed from day-to-day operational issues could you have highlighted to the SOC team they could mitigate the same amount of risk by deploying an open-source ELK stack SIEM for a tiny fraction of the cost? Could you have objectively validated there was no business case for yet another IAM tool more effectively if you were not being wowed by vendor marketing and a snazzy user interface?

“But we can’t quantify these risks, how do can you put a monetary value on an open firewall port?”

I hear this kind of thing a lot, we can’t put a financial figure of these things. The things is, you can – there are plenty of proxies that can be used, you just have to validate your model and apply the model consistently. IBM publishes annual figures on data breach costs – why not apply them to your information security risks? If your annual turnover is £300million and you have 200,000 customers why not start by dividing one by the other and show the value of each customer (£1,500 in this example) and then start costing up your technology infrastructure in terms of the customers it supports. The same thing could be applied to downtime to apply a change i.e. cost to apply a change compared to the cost of downtime in the event of a disruption. It isn’t that difficult to do if you spend a little bit of time thinking about it. Remember risk management models don’t have to be perfect, where there is gaps in data you just need to put in a confidence level. If your confidence level is only 60% at the beginning – that’s not a problem, it’s something to build upon! Take the advice from Theodore Roosevelt’s autobiography where he quotes Squire Bill Widener of Widener’s Valley, Virginia:

“Do what you can, with what you’ve got, where you are”

Look at how your other risk functions are quantifying their risks and see if those same methodologies can be adapted for quantifying information security risk. Do the same for cost-benefit analysis. For those of you who are interested in really delving deep into this topic, there is a really good book by Douglas Hubbard and Richard Seiersen called How to How to Measure Anything in Cybersecurity Risk which gives lots of very useful advice on how to do this. If however, you’re not able to quantify the organisation’s information security risk in financial terms or why the organisation needs this new security tool (without relying on a vendor prepared business case) then you’re not ready to be a CISO.

Let go of the SOC…think bigger!

I get you like technology, so do I. I get that a SOC looks really cool and makes you feel like you’re in the NASA control centre. I get that having something tangible to show people can make you feel like what you’re doing is real. If this resonates with you then there is nothing wrong with that. If you want to be the most senior person in the NASA control room there is always going to be a role as the Head of Security Operations but what they do is a completely different set of responsibilities than that of the CISO. The CISO, like the CRO, does not need to have an empire. They instead must think strategically about keeping the empire safe from strategic threats. They must employ soft power, not hard power. The CISO must build effective relationships with senior stakeholders and show them information security risk in the language they understand (i.e financially). If that’s a challenge you want to fix, then you’re probably already a CISO (and a CISO reporting into either the CRO or the CEO!

Click here to carry on to Part 3 of this CISO rant series

About Fox Red Risk:

Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.