CISO Policy Decision Matrix

I’ve supported a lot of cyber operations, product procurements, and product deployments. I’ve consulted for some of the largest Fortune companies in the world, some of the biggest governments, non-profits, research centers, and so forth. Although all of these experiences were unique, one thing did become apparent to me.

Perhaps there is a model already for what I’m about to explain. Searching online, I couldn’t find any such model, so here I am.

Before I share this, know that it will be common sense to most. It’s the things that are so logical when you first look at them, the ones that give you the “why didn’t I think of this” or the “yeah, of course it’s this way…” reaction, that I find to be the best models. So, for those who have already created such a model, or who think it’s so obvious it needs no further definition, I apologize.

Figure 1: CISO Decision Matrix. Did the decision improve security? Did it improve productivity? The top right quadrant (both improved) is the goal, while the bottom left quadrant (both worsened) is the one to avoid at all costs. Importantly, the quadrant a decision appears to land in at first can change after implementation, so policies should be reassessed regularly, especially newly instituted ones.

The goal, for every decision, is to land in the top right quadrant: you want every decision to further enable your workforce’s productivity and improve security at the same time.

However, for many decisions that won’t be possible, and you’ll have to settle for either the top left or the bottom right quadrant. Which one you accept should be driven by your organization’s bias. Does your organization tend to favor security at the expense of productivity? Or does it tend to drive productivity while accepting security gaps, with the residual risks at a minimum identified and documented?

Unfortunately, many of my experiences have taught me that if you lower the operational productivity of your workforce, they will find ways around the policies. For example, trying to remove USB devices from the Government, without offering other mediums of data transfer, led to personnel finding even worse means of getting data off systems. This is far from ideal: the drive to improve security was itself defeated. In this example, what started off as a bottom right quadrant decision (better security, worse productivity) ended up as a bottom left decision when all was said and done.

Things aren’t static, especially people and their workflows.

It’s the job of the CISO, in partnership with the larger CIO organization and all other mission stakeholders, to drive the right decisions. But it’s just as important that they continuously re-evaluate those decisions after the fact. Without doing that, you could very well be running an organization that tends toward the bottom left quadrant, a place no one wants to be.

Written by

Sr Director, Public Sector Technology Strategy at CrowdStrike. Ex-MSFT, Department of Defense civilian. Advocate of human rights, privacy, decency.
