As a tight-knit and justifiably reticent group, CISOs don’t typically share their best practices. So at the end of 2017, my firm, IANS, completed a research study based on the responses of 218 top information security professionals. Below, I’ll highlight the key takeaways from the research, which paints a picture of how CISOs make decisions.
How do effective CISOs make good decisions? Here are the three main findings:
1. CISOs rely on peer networks to help them succeed in their role, but access varies.
The world of digital threats is constantly evolving. There is so much input, so many new attacks to understand and defend against. So, the ability to talk to peers and understand what matters — and, just as critically, what doesn’t —
is tremendously important. CISOs are intrinsically collaborative. There’s a culture of sharing knowledge with trusted peers and experts. But developing and maintaining a quality network requires time and effort:
Many respondents cited participating in events as a common practice, but they also complained of a lack of access to experts capable of fueling new approaches and innovative thinking.
Still, our study revealed that when CISOs do connect with experts or well-informed, equally passionate peers — individuals who share their challenges and aren’t trying to sell them something — they work hard to maintain and cultivate
2. They understand the value of social media.
One successful CISO, who directs information security for a large financial services firm, is not the sort you’d expect to be active on social media. Meet him and a few trusted colleagues or peers in a conference room and he will open right up.
But if he doesn’t know and trust everyone he is communicating with online or in person, he is extremely reticent.
So, I was surprised when he told me that he counts social media as a critical source of information. Here’s the catch – he doesn’t share his concerns openly online. He rarely posts. Instead he listens, lurks, and reads. He watches, following
hashtags and threads, and makes sure that he’s tracking new potential threats in real time.
Our study backed up his insistence on the value of social media:
Social media is never the sole source of information or news, but it is a critical tool. The CISOs we surveyed don’t wait until the mainstream media breaks a story. As one CISO put it:
“When I have a need, I turn to the community. The community disseminates the latest threats and issues usually before the media knows it’s happening. It is a global affair and not a local one.”
3. They actively communicate with business leaders.
The best CISOs meet regularly with line-of-business leaders, department heads, and product managers. These conversations can be awkward at first. But they are critical.
One West Coast CISO summarized the problem well:
“So many [CISOs] still talk in terms of technology, infrastructure and apps, but no one can understand them. This causes a real disconnect. They don’t trust us when we don’t communicate well.”
Another respondent noted the differing mindsets of security and line-of-business executives:
“We’re not in a position to say ‘do this or die.’ You have to negotiate… You are right with your security view but understand that we’re still a business. It’s a balancing act.”
But the best CISOs have overcome these challenges and are engaged in ongoing, active dialogue with business leaders. These discussions are not only about addressing business risks, but about supporting business opportunities as well. One high-performing CISO summed it up:
“We need to embed ourselves into the guts of the business and help our company grow and win in this market…”
November 13, 2019
By Phil Gardner