Most people interested in a career in Security wonder what it is, exactly, that Security people DO. And, as the profession has grown and matured, what Security people DO has grown and matured too. A quick Google of “cyber security mind map” will reveal any number of maps showing the intricacies of Risk Management, Security Operations, Integrations, and the like. I really like these maps. They show me all the things I might be overlooking in my own program, and they let me know if I’m putting emphasis on the right, or the wrong, things.
As I’ve spent more time in the Chief Information Security Officer (CISO) role, I’ve noticed something a bit alarming: these professional domains are NOT where I am spending the majority of my time. Oh, sure, my TEAM is spending their time here, of course. And I’m lucky to have found really talented people who can work these domains with little to no micromanaging on my part. But as a CISO trying to encourage the organization to take Security seriously, to understand the strategic business value of a well-funded Security program, and to ensure Security is a partner involved in making decisions and not simply responding to decisions, these are not the topics I delve into day after day. Nope, I’m working in the spaces adjacent to Security, and trying to wrap it all in a narrative which articulates my vision for Security in the enterprise. For the old-school technologists, these might be the seven circles of hell, but whatever they are, this is the life of this CISO.
The First Circle: Technology
Given that Cyber Security is about, well, cyber, and given that in my organization my administrative reporting line goes through the CIO, I spend a fair amount of time working on technology strategy. Not in an architect/design way (some of the Security team do that), but in a “what is the IT strategy” kind of way. Cloud versus On Premise, Mobile versus Wired, Tablets versus Laptops. It’s good to be in these discussions, because it helps me set the resulting Security tools/services strategy. It’s also good that my IT partners are having these conversations at all, because it suggests they are also strategically managing their assets.
The Second Circle: Data
I actually dislike the term “Cyber security” — it’s a tad overused. I prefer the term “Information security”, because really, what else does the “I” in “CISO” mean? And since we’re talking about Information, and therefore Data, this means I’m spending time with my Data management partners: Privacy and Data Operations. It’s sometimes really hard to untangle Security from Privacy and DataOps. The folks writing the regulations around data protection are certainly confused, and that means those of us in the trenches step on each other’s toes on a regular basis. Whenever a new privacy regulation shows up (hello GDPR!) the CISO is one of the first people called. So yes, I spend a lot of time talking about Privacy, and Data Cookbooks, and other Data Governance kind of things.
The Third Circle: Business
As a CISO, I use my MBA skills a lot more than my Computer Engineering skills. I am working with Legal deciphering contracts and Compliance, writing and responding to regulations and policies. I’m working with Finance, and Purchasing, working out how to best structure a deal so the organization can see the best benefit for the investment, or the best efficiencies in our operating model. I’m certainly dealing with Human Resources — building the Security team, but also determining how to deal with other employees who violate all kinds of policies (not just Security policies). And, more than ever, I’m dealing with Marketing and Communications to sell the Security program internally, and to ensure our partners and customers understand our security posture as well.
The Fourth Circle: All The Other Internal Stuff
When a school designs a cyber curriculum, they rarely think about the other bits of an organization which are touched by Security that don’t directly involve computers. For example, Industrial Control Systems and other facilities-related stuff. Dealing with lock and key, egress points, steam valves, security cameras, and the like, are interesting. They add a variety to typical days of application security and identity management. And folks in Facilities are sort of surprised when you show up (although the Occupational Health & Safety folks are glad to see you). Then there’s records management, which actually ties in pretty closely to the custodial staff (because that’s often who handles the shred bins, or finds weird stuff in the regular trash). As CISO, I’m there to let them know how important they are to maintaining a Secure environment, even if they don’t want to believe it.
The Fifth Circle: Vendors and Partners
Interesting dynamic here. They either want to take money from you (vendors) or give money to you (partners). As a CISO, I get to be in many of the conversations with other parts of the organization who want to do business with vendors (why they should be more securely handling our data) and with partners (why our approach to security is sufficient to address their concerns). These conversations will continue, even if there are national security standards, because Security is a Risk Management Exercise, not a Compliance Exercise, and each organization has a different risk tolerance (even within the same industry) so will have different approaches to security. As CISO, I can help the business with these relationships — if I know they exist.
The Sixth Circle: Law Enforcement
Thanks to a variety of laws and regulations, there are always opportunities for CISOs to spend time with various law enforcement groups. Sometimes, we’re just chatting about current trends. Sometimes, we’re working a specific case. The partnership with these agencies can be rewarding and frustrating all at the same time — so a CISO will spend time here as a representative of the organization, trying to make life a bit easier for everyone involved.
The Seventh Circle: Customers
I love our customers. Not just because, in Higher Education, they are right outside my door at any given moment, but also because they help me keep the rest of the organization focused on what matters: them. Every now and again a customer (either an individual or a company) will make a request for more security (rarely do they ask for less), or a better way of delivering Security, and I am happy to engage.
The Most Important Circle: The Security Team
As the CISO, my role is to keep the team trained, effective, motivated and engaged. Sometimes I don’t manage to do this very well; my time with the team is spent on things less specific than playbooks and processes, and much more about staff development and motivation. Nothing is more rewarding than seeing a team member succeed at a particularly gnarly problem, or getting another job which is exactly the kind of job they wanted (even if it’s outside our organization), or being recognized by a partner or customer for a job well done. Also, if I’m being completely honest, it is my team that keeps me sane as I deal with all the other circles.
So, if you were wondering what a CISO does, now you know. CISOs may have risen up through the traditional ranks of Security Operations, or End Point Protection, or Vulnerability Management, or Risk and Governance. But this is not where we live now. Now, we spend our time on all the spaces that touch Security, or are touched by Security, but are not the core of Security. We spend our time working with partners, vendors, employees and customers, trying to make a holistic case for the benefits of Security to all those groups. So if you’re thinking you might one day want to be a CISO, keep working on all those traditional Security Domains — and be prepared to pivot to all the non-Security stuff about halfway through your Security career. And if you’ve decided you will never, ever be a CISO, that’s OK too. We’ll still be working together someday.