As a CISO/CSO/Security Manager, you were hired by your organisation to perform a role. How many people go back to the advertisement they responded to and check off what they are actually doing now, versus what the original role description stated the role would or should be?

From talking with many people out there, I know that this is one of their biggest issues in their role today – either the role is not what was promoted/advertised, and/or you do not have the support to perform the role you were hired to do.

It’s made cynics of so many people in our industry and, in a weird way, has also kept people in organisations longer, albeit unhappy, given the belief that wherever security people go it will be much of the same... so at least, “better the devil you know”. This blog has been full of posts since day one about the trials and tribulations of Information Security people trying to do their job and battling every step of the way for even small gains. I won’t link to those posts (too many), but have a search here if you want further references.

I’m not going to go over all the old issues again here. What I am going to put forward is another idea that, at a minimum, may provide Information Security professionals with a sense of worth and accomplishment, and a position within their organisation whereby the organisation can choose to accept professional opinion, views and recommendations – or not. Either way, the Information Security professional can rest secure in having gone on record from an overarching management, governance and strategic perspective. (The following need not relate only to the most senior Information Security person in the organisation, but to anyone who holds the belief that things should be better than they are now.) Read on...

If you are in a position where your role is that battle, I recommend an annual, end of year “State of Information Security Report – Organisation X, 2010”.

This is not a targeted audit report or something prepared by an external consultancy. This is purely and simply your opinion, thoughts and recommendations on where your organisation sits from a security perspective, based upon your expertise and experience. It is a concise and to-the-point current state analysis documented by you (who, in theory, should have the best overarching view and understanding of Information Security in your organisation). It is something you present to the highest levels within the organisation, to the people you believe are the stakeholders and influencers in regards to IT and Information Security.

Now, before the cynic in you tosses the idea out the window with the belief that no one, or few people, will care, at a minimum consider the weight off your shoulders in having something in writing that covers ALL your concerns. Something that, should issues arise in the future, you can remind people of. Yes, you’ve covered your butt and, most importantly, you will have demonstrated that you were on top of this, knew about it, raised it and have always been the right person for this role – albeit, no one listened. So many times I have seen security people have to justify and explain why a breach, incident etc. took place and why the organisation was not prepared, when the realities were totally different. By then the horse has bolted and the Information Security person is the scapegoat as the blame game within the organisation starts. Get where I am coming from?

On a more optimistic note, you may also be surprised that such an end of year “State of Information Security Report” may actually be well received by senior management and other stakeholders whose roles and focus are elsewhere throughout the year, and who are too busy to be as directly involved with you day-in and day-out as you would like. It may well be that something like this, in such a format, is exactly what will get you the awareness and support you’ve always wanted.

In my role as an external consultant, I’ve lost track of the number of times I’ve spoken to a CEO or the Board of an organisation about our findings and the issues and risks they are facing. I can honestly say it is very rare that we’ve not had real and sincere interest in hearing about these issues and risks, with the parties then very keen to understand what they can do to rectify things. In most cases, I wonder why it has taken us to highlight this for them to become aware of it, or take true notice, when they’ve got a very smart and capable CSO right there in their office.

Sure, you can, should and probably are reporting your concerns as you go, but nothing works better than a definitive and all-encompassing statement presented in a big-picture format – a one hit, “here’s where we stand in my opinion”. They [senior management] can choose to:

- ignore it, in which case as mentioned, at least you are on record (and possibly now definitely know it’s really not the place for you)
- question it, in which case you have their attention
- verify it, in which case you again have their attention and have some actions to go with (including possibly requests for more information)
- accept your findings and possibly ask for action plans and roadmaps for improvement

Either way, any of this is better than just sitting back and fighting multiple battles on multiple fronts as your ONLY way of existence as a security professional, i.e. “just putting out fires”.

Being an Information Security Professional takes a certain breed of person... not generally people who give up easily on things they believe in. But let’s not just accept that battling and “putting out fires” is our life and we just have to learn to deal with it. Let’s try better ways to make change. This alone is not it, but it’s one thing, one suggestion that should help... if you’re not already doing it. (And I know many of you are, but if you’re not, give it a shot!)

I welcome your comments as usual.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



  1. It’s a noble cause you are suggesting and part of me really wants to believe in it.

    You’re advocating the IT Security Jerry Maguire moment.

    Without wanting to be controversial, I say ‘leave!’. If you aren’t effective, if you are battling, if even small progress is achieved through pain, then you are embroiled in a systematic misunderstanding. There is often no common reference between you and the organisation.

    You are right: as soon as something is documented and put in email it will raise awareness, like a safety issue at work raises awareness. But you either have a culture of safety or you don’t; if you don’t, you need to build it, the same way as with Security.

    I worry about the smart, talented IT Security guys sitting down and penning their Jerry Maguire letter only for it to fall on deaf ears.

    You become that old dude in the organisation that kept screaming about the sky falling in and it never did. They will mock you and deride you and your earlier mastery will be gone while you talk of the good old days ;)

    Then you join an accounting and risk firm…

  2. Jay says:

    Just be sure you don’t get shot down for going outside the ‘chain of command’ first. Some organisations (and C level types) are real petty and look down their noses at people for doing that (“who are you again and why are you writing to me?”). Others get really petty when security types do the right thing and actually put the status IN WRITING. Sigh.

    Too many organisations fall into the first category of ignoring it though. That doesn’t mean it’s not worth trying however. I agree with you Draz, this is something worth doing.

    In retrospect, I sometimes look back and wish I tried harder or did things a little differently. Hindsight is always fun like that however.

    - J.

  3. Jay says:

    LOL @MB – I joined a consultancy. Worked for me. I think that saved me from changing industries entirely, in all honesty. I was so bitter.

    Sod the baggage that comes with working in-house security. Seriously, I admire the guys who battle it out in some ways. But for me, it’s just not worth it anymore.

    I love helping clients out but yeah, umm, I definitely don’t see myself going back to working in house again – not without a very clear “commitment” to security.

    - J.

  4. Marts McFly says:

    Hi Draz,

    Nice post. I believe this strategy isn’t locked to the security field, but applies to any industry and position.

    I’ve been in previous roles before where you are in place to manage, or are responsible for the smooth operation of business technology, but there is no budget to do anything about the issues you may see formulating on the horizon. ‘Why fix it if it ain’t broke?’ mentality runs deep with management.

    So take it upon yourself to keep notes on observations and thoughts on the state of things, and email it off to the relevant heads as a regular ‘FYI’ (whether they like it or not, read it or don’t). I think at the end of the day your handlers will appreciate being kept in the loop on what is happening in your day-to-day and your professional opinion on things. Not only to cover your arse, but it’s hard for managers to ‘see results’ in a world where your activities aren’t results driven (making sure things run smoothly without incident).


  6. Drazen Drazic says:

    @Michael, we’ve seen many of them over the years haven’t we?

    @Jay, I agree with you. Such an action can upset some – usually someone protective of their role and position. The argument then is as Michael mentioned, do you really want to be in such a place? Wait it out? Every scenario is different so people should assess theirs and work it as best they can. It’s not a panacea of course and some people are happy to just get through the day, get their pay cheque and leave work at work. (But as I mentioned, security people are generally a different breed and few I know “leave work at work”).

    @Marts. I agree.

    Thanks for the responses so far guys.

  7. MTC says:

    There has always been this challenge. This challenge exists for leaders everywhere – we are not alone here.

    There has always been a need for security leadership to negotiate and sell risk to senior business and technical leaders, within the Enterprise. Just the same way that a CIO has to negotiate and sell IT or a Sales director needs to sell a campaign.

    An annual report is only one lever of influence – which will have limited ‘firepower’ given it’s produced once a year.

    What about a structured change program that is based on the premise of delivering real organizational change – in relation to IT Security? Surely that would be a better approach when compared to a ‘pie in the sky’ once-off report.

    If you walk away, give up and leave you only have yourself to blame. I gave up an external locus of control years ago.

    - mtc

  8. Drazen Drazic says:

    @MTC, Totally agreed. The CSO/CISO/Infosec Manager is hired at a senior level to “manage” and you would expect as part of their role and bringing their experience/expertise they would provide advice about risks to the organisation.

    Thus the point of this post – sometimes, no matter how hard people in infosec positions try, it doesn’t work (or to a level the infosec person would expect)…..for one reason or another.

    I’m not proposing this as the only thing an infosec person should be doing. It’s just another suggestion on top of what the person should be doing as their role already. I don’t think you and I are on different wavelengths here.

    There are probably people reading this who have tried many things and it hasn’t worked to get some attention to the issues in information security in their organisation. What I propose is akin to the annual report – which does have attention from major stakeholders in the business and outside (e.g. shareholders), some of whom don’t necessarily have the time to be involved in the day to day operations (e.g. in this case, of the CSO), but from which reactionary strategy does evolve after the attention the annual report gets from those stakeholders.

    You can walk away but at least you have walked away having given it a good shot. Sometimes you just ain’t going to “win” and it’s not always your fault.

    This is just another thing that can be added to the arsenal, so to speak, alongside something like what you mention: a “structured change program”. I’d be keen to hear more on your recommendations on that, i.e. the structured change program.

    DD

  9. mtc says:

    @DD:

    I am talking about leveraging change frameworks like the Kotter 8-step model and aligning it to Security / Risk. I am talking about exploiting existing organisational routines that are embedded within the cultural inertia to deliver lasting change.

    Don’t focus on the change framework alone – simply use it to guide the process. Focus more on the leadership, negotiation and influence levers that exist within the organisation. You will need all of these tools working together to deliver a successful change program.

    - mtc

  10. BizSkool says:

    Hey MTA. Is all your biz school theory the solution we’ve been waiting for? Provide a case study on how it has worked for you. You seem to have the answers.

  11. Jay says:

    I like MTC’s ideas. I think he’s spot on. I’ve seen some people try and pull it off but seriously, the number of muppets I’ve seen wind up as security managers with the interpersonal skills and EQ of cardboard is insane. People with 0 in both are not going to be able to garner the stakeholder buy-in required to effect positive change.

    I’ve had serious beefs working under some people who meet that description and it’s one of the big reasons I won’t work as in-house security anymore.

    I’ve also worked under some great security managers, however they are limited by the culture and management of the organisations they work for. And sometimes, even they get disillusioned and quit.

    There is no magic silver bullet to this. Drazen’s point though is that the annual report is simply a stepping stone to bigger and better things. And it’s a good one IMHO. Andrew Jaquith talks about doing balanced scorecards in his book ‘Security Metrics’. These reports help you to slowly garner the interest and support you need (unless your managers really don’t give a shit about security and you’re just there as a patsy when it goes pear shaped).

    - J.

  12. I should have added more context around this in terms of other CSO activities as it may not have been clear enough in the initial post. I think the following, from my experience and people I have spoken with is also important:
    http://beastorbuddha.com/2007/12/14/starting-a-new-job-youve-only-got-2-3-months-to-make-a-big-differenceany-longer-and-its-tough/

    But overall here that does look at this from a more holistic level. @Jay, also including the importance of some form of metrics (which I cover in other posts and need to find to post here when I do):
    http://beastorbuddha.com/2007/11/10/the-7-reasons-why-businesses-are-insecure/

    Just my thoughts.

  13. mtc says:

    @BizSkool: I am unsure what answers “you’ve all been waiting for”, but it is action research with theoretical reference points. It is based on a number of real cases that I have worked on. Re: Published study – It is under edit at the moment; watch this space!

    @DD: Worthy comment; all of those components form part(s) of a change management framework – they are some of the specifics that I was referring to.