The Effective CISO Needs More Than a Control Framework
Chief Information Security Officers (CISOs) often talk about reducing the risk of financial loss to their organizations – whether it be through reducing the likelihood of unauthorized disclosure, ensuring information reliability and integrity, or reducing the risk of a breach causing downtime, unavailability, and damage to information assets and their respective systems. One of the first activities a new CISO will undertake is the selection of a control framework to increase the maturity of the cybersecurity (or information security) program.
There are many to choose from, such as ISACA’s recently updated COBIT 2019 framework, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), the ISO 27001 Information Security Management System, the Center for Internet Security (CIS) Security Controls, the Information Security Forum (ISF) Standard of Good Practice for Information Security, or NIST 800-53 Security and Privacy Controls for Information Systems and Organizations. We can also look to the various standards, laws, and regulations, such as the Payment Card Industry (PCI) Data Security Standard and other sectoral laws and regulations regarding cybersecurity, to determine an appropriate framework. Further, we can utilize overarching frameworks that have mapped the controls of each into one tool, such as the Cloud Security Alliance’s Cloud Controls Matrix or the HITRUST Common Security Framework, which harmonizes multiple standards and frameworks. Or, we can choose a big four consulting firm to provide its own proprietary framework to advance the maturity of the program. New approaches such as the CMMI Cybermaturity Platform, which focuses on a risk-based approach to cyber resilience and building board confidence, are also emerging.
That Feel Good Feeling
Now that the CISO has chosen a framework, all is good, right? The big part of the job is done! Not so fast -- the problem with control frameworks is that we fixate on the current level of maturity (the ‘as-is’) and where we would like to be (the ‘to-be’), and drive the efforts until we arrive at the desired end state. This is the place where all the reds and yellows turn to greens, and/or the twos and threes on our one-to-five maturity scale turn to fours (because we would never have a one in our assessment of maturity!).
We feel good, senior management feels good, and the board feels good when we can light up the charts with all green or all level 4 maturity. And herein lies the problem – we become fixated on turning as many sub-goal items as possible into the desired level of maturity. The more controls we can flip the colors on, the better – quantity often wins over quality. What constitutes quality? Investing first in those areas where both the likelihood and the impact are high, as determined by the risk assessment. Many CISOs tend to attack control deficiencies using the same method as working off the home project ‘honey-do’ list – cross off as many items as possible to feel a sense of achievement while leaving the most important and most difficult tasks for tomorrow – which never comes.
Accounting for the Politics
For example, maybe the most important control for the organization is to work through the politics of ensuring that critical business functions, systems, and information assets each have a specified business owner/data owner. Furthermore, the business owner needs to understand the application, the accesses available, who should be authorized to access the application, and where the data resides throughout the process. The business owner also needs to review and certify the appropriate access on a periodic basis. Achieving this is a difficult process for many organizations. However, this ‘hard stuff’ is necessary to truly support privacy regulations such as the General Data Protection Regulation (GDPR). Unfortunately, acquiring a new technical product that is easier to implement than managing organizational politics often becomes the investment choice, so that we can cross off another item on the control framework ‘honey-do’ list.
The CISO needs much more than a control framework to remain successful in his or her job. Paying attention to the company revenue streams, product innovations, and risk analysis vs. gap analysis, and developing the executive-level soft skills of negotiation, listening, budgeting, influencing, presenting to the board, emotional intelligence, executive presence, and presentation and communication skills, while understanding the differences between the generational and individual personality preferences of their teams, peers and executives, are equally important. The cybersecurity strategy will remain digital dust if the focus is solely on moving the maturity curve up via a control framework. These frameworks are essential tools for the CISO and should be regarded as necessary, but not sufficient.
About the author: Todd Fitzgerald is an author and is currently the Managing Director CISO of SPOTLIGHT, LLC. The topics of this article, including the development of comprehensive strategies, privacy concerns, data protection, generational differences, learning from recent incidents, and CISO soft skills, are detailed in the author's upcoming book, CISO Compass: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers.