Lessons Learned from a Virtual CISO
Episode 1 • 10th April 2019 • The New CISO • Steve Moore

Matt Klein, Virtual CISO and Executive Advisor at Optiv, sits down with Steve Moore to share his insights on teamwork, getting visibility at the executive level, and the right prep for effective board conversations.


What is a Virtual CISO?

Think of it as a trusted advisor, an executive advisor, talking about strategic elements of your security program, even some technical elements, at a high to medium level. They are a trusted person to work with a company and make sure that it's headed in the right direction. They are also the person to bounce concepts off of and to make sure the company is doing the right things as it builds its information security program. There are times where the virtual CISO model comes into play: either the CISO has left the company, or it's a small-to-medium-size business that doesn't have the need for a full-time CISO. Another situation is where a CISO is gone, or they're creating a CISO role, and they believe they have somebody on staff who is capable of doing the role but needs some guidance.


What is a bad CISO?

Usually they're not talking the same language as the business. Everyone tries to get to that language of talking risk, but really it's about talking about the business. What does the business do? What are the crown jewels? What are those elements of the business that are core to protect? Whether it be data in a regulated industry or the brand, most industries would love to protect their brand. They don't want their brand dragged through the mud in terms of a data breach. It's those types of things. It's really those situations where the CISO is removed so far from the executive team or from the board of directors that the voice of the CISO is never heard.


Is the CISO role measurably impossible?

There are folks doing a fantastic job. They have what they need to get the job done, and that's really the root of CISO success. It's budget, it's staffing, it's all of those core elements of a security program, but it's more than personal interaction with the business. There's an understanding of what the business does and what protection should be in place. You can't place a blanket over everything; it's impossible, it's expensive. You never have enough staff. You really have to pick and choose what you want to get done inside of your program, in a risk-based approach that makes sense for your business. Set the baseline at an executive level.


Interaction with the Board

It was just getting to know who I was talking to. In this case it was the board of trustees of a private state institution. Just understanding who the players were and getting to the point where I was talking at a very rudimentary level about what a security program was. There were no numbers for that initial meeting. It was really concepts. It was bringing some of the concepts of protecting the institution, protecting the brand. It's really a huge asset for them to consider from a protection standpoint. It was really setting a foundation of here's what we're trying to protect, here are the important things to the institution. Not so much asking for what I needed, or statistics. It was very high level: get to know what the information security program is and what it does for the institution. You would want to be at least a little bit comfortable with standing in front of a group of folks and delivering a message.

When you're helping create a presentation, there are really two in one. There's the larger presentation, the one you would use if you had all the time in the world: the set of slides that you would walk through, giving people time to ask questions and being really open with your presentation. And then there's the scenario where you've got to cut it down to three minutes, which is two slides maximum. It's really going through those two exercises together, continuously, on almost any presentation you do: the long version and the short version. And deciding how you're going to deliver both of those messages.


Leadership during crisis

The first message is that you want to be [physically] together, because [a data breach] is a serious situation and it's something that most everyone had never imagined could happen. So you want it to be together and at least give people an outlet to say, "Can you believe this happened? How could this happen?" And just give people an outlet as a leader.

Number two is just to be calm. Nobody wants to see the leadership running around losing their cool, acting out of character, and it just doesn't go well. It doesn't give a sense of calm to your staff so that they can deliver the tasks and the activities they need to do to get to the root of the problem and fix the problem. You're always going to have gaps in your program. Yet always document what the gaps are, and certainly document what it would take to fill the gap at a minimal level and then at a perfect level.


Always have a plan

It doesn't have to be a three-year plan, but it at least has to go 12 to 18 months for sure. Things move at light speed in IT and information security, of course; we've got to be moving the needle, and we've got to be heading in a direction which makes sense. Which means there are milestones, goals, things to check the box on, that need to happen year in and year out. Make it at least an annual event that you get your own leadership team, your security leadership team, and even some folks in IT or your legal partners, HR and others, and determine what's next in the program. What are the business-aligned objectives in an information security program? How do they align with the business? Are we protecting the right things? Are we investing the money in the right places? Create those plans, keep them up to date, keep them rolling forward.


Executive presentation and vetting issues

Make sure you're getting a couple of trusted advisors on the leadership team if you're not on the leadership team. You're going to learn a lot from the folks that you work with and for, on the negative side and the positive side. Take as much as you can from both of those things, determine what your brand is going to be and how you're going to operate, certainly with a slant toward being as positive as you can and helping people along the way.

We need to really push people that want that leadership track. Push them toward what leadership is all about: push them toward humility, to take risks, to be innovative, and to really inspire their folks to be better. When we start to talk about a strategic plan, a good leader has shown the way to get work done in an efficient way, gives people the freedom to do the work however they want to, as long as they get to an outcome, and is helping them progress in their careers. It's a two-way street with trust. Your people need to trust you that you're doing the right things to lead whatever program they're working on to a better place, and their careers to a better place. The trust the opposite way is that you need to trust your people to be really smart. You need to have the trust in yourself that you can sit in a meeting and not be the smartest guy in the room anymore, and have the humility to say, "I don't have that answer, but I've got some really smart folks on my team who are going to get me that answer." You're going to have to work together. There are different roles, of course, but if we can't treat each other the same, look at each other the same, and have that element of trust, it's really hard to move a program forward.


What’s the career path for a CISO?

It's multifaceted. CISOs can go from being a CISO in a small organization to a medium or a large organization. There's a role as an executive advisor, the virtual CISO role. There are lots of experiences, once you're a CISO, that you can bring to different groups of folks. As we progress in our careers and as we amass all of these experiences, all of us need to be more cognizant of how we give back to the security community. We're hypocritical in the way that we say that we have a resourcing problem, but we're too busy to do the educational things, to set up internship programs, to do the harder things to develop the next generation of security professionals.



Exabeam - Website

Optiv Security - Website

Steve Moore - LinkedIn

Matt Klein - LinkedIn