Trust Me: I’m From Security

I’ve been thinking a lot lately about how important Trust is to Chief Information Security Officers (CISOs).

Trust is the reason why Security exists as a profession — we have to be able to trust our systems are available, our privacy is protected, and our data is reliable.

Of course, the issue of Trust isn’t new to Security Pros. Bruce Schneier’s 2012 book, Liars and Outliers: Enabling the Trust that Society Needs to Thrive, discusses this beautifully.

For a CISO, though, Trust is a much more important quality than industry philosophical underpinnings suggests.

The CISO long game is to change the organizational culture to be Security-aware and Security-Risk-Managed. To change culture, you need Trust.

When you are a CISO (or some equivalently-titled position), you are asking people from the top of the organization to the bottom to change the way they think and work.

Your security program needs to be blessed and actively supported by your leadership. They know next to nothing about Security principles, and even less about the impact of your recommendations to typical operations, and you will need to convince them that this program will be the right horse to bet on.

Hopefully, you bring with you some professional gravitas — your work history, your reputation — and this will help with the WHAT of your proposal. But to get them to buy into the WHY of your proposal, they need to Trust you.

You, personally.

How to get leadership to trust you?

First, remember it is YOUR job to foster Trust In You, not theirs.

Then, start by getting to know them, personally. What do they like, what do they not? What motivates them? What do they worry about? Caring about their success, personally and professionally, goes a long way to establishing a trust-basis for your partnership.

In return, start sharing your motivations and worries with them too. Find common ground. Assume positive intent on their behalf: they want to do the right thing, even if they don’t know what the right thing is. When things get wobbly, and they will, be there to support them.

This will take time and effort, which we CISOs often forget to include in our work hours — but it is so important. Forget talking about Security programs until you better understand what they need. Then when you do start talking about the Security program, link it to their concerns and goals.

You also have to work with upper and middle management. Front line staff are somewhat easier to help — you do this through established processes and procedures. Management, though, are the mushy middle of the organization — and it’s here that Trust in your team is crucial to changing culture.

Management needs to know that your team walks the walk, not just says “do as I say, not as I do”. They need to know that the Security team is willing to make the same changes you are asking everyone to make. If you have an exception for Security teams because they are special snowflake Security teams, this will undermine any changes you are asking everyone else to consider. They need to know that:

  • When your team says something is Risky, it is
  • That your team has the knowledge and experience to give the right advice, and provide the right security services
  • That your team understands their business profile, and the accompanying risk appetite, and will help them manage their risk accordingly

In other words, your team cannot be arbitrary, capricious, or driven by motivators other than reducing risk and improving the profile of the organization.

Trust, as you know, is a two way street. So, in addition to talking about the responsibility each CISO has to build Trust, it cannot go unmentioned that the CISO has to also work on an assumption of Trust from leadership, business partners and their team.

A CISO who expects that the next big breach will end with their head in a basket cannot implement cultural change in their organization. That one scapegoating act by leadership will undermine every other effort. I don’t just say this to protect my own neck — if leadership responds to a breach by firing an individual, it implies that security is the responsibility of one person. This is counter to a cultural shift which requires security to be the responsibility of everyone.

A CISO also needs to have a trust partnership with external parties, or they will get stuck between a rock and a hard place — leading to burnout:

  • That government agencies who plea for information about breach/threat activity won’t use that to penalize/fine the organization
  • That regulatory agencies set compliance requirements that are practical, actionable and achievable
  • That auditors, both internal and external, recognize that the business, led by the CISO, is taking a risk-based approach, which means all compliance requirements won’t be met all the time, and that’s OK

These are really tricky for a CISO, because in all cases the CISO is pretty much powerless to make changes if the partnership is untrustworthy. The CISO has to be the trust-broker, which puts them between a rock (the agencies) and a hard place (the organization).

If Security Pros are going to change organizational cultures to think about and manage Security risks, we have to be a living, breathing, example of what that looks like, and we have to convince leaders and managers that our way is the best way.

This is no easy task, and it won’t get easier any time soon.

So, look at yourself. Look at your team. Look at your organization, and the ecosystem in which you operate. See any areas where Trust is lacking, or flat out missing?

Start there.