The Dark at the Top of the Stairs—CISO Leadership

Let’s say you need to apply a critical patch across the organization, and the patch requires a reboot. While forcing a reboot to apply a critical patch is important, it creates business disruption that ripples out to your customers. Sooner or later, someone in the organization will complain and you will be put on the defensive. Besides, you can’t hide a forced reboot, so why go it alone?

Instead, communicate your decision, not just to affected parties but to your leadership. Be sure to include the reason for the reboot and how the organization benefits longer-term. It’s also critical that you communicate a reboot’s challenges and risks. Patches have problems of their own, not the least of which is that they sometimes don’t work and, rarely but crucially, make matters worse.

Your leadership needs to know so they can make the proper assessment. If you communicate the need to your leadership, they will support you. You should also be prepared, however, for leadership to decide against the patch. Ultimately, they decide, right or wrong, on matters that affect the organization.

Failing to communicate known or anticipated risk to your leadership is like leaving them in the dark at the top of the stairs. You may be naturally inclined to conceal risks from the prying eyes of concerned leadership that may reflect poorly on you or your team, but you must resist the temptation.

If you don’t communicate cybersecurity matters—including organizational failures—to the people who run the business, you harm the organization.

You might argue that, as a CISO, you should only communicate the progress of your cybersecurity mission based on a NEED-to-know basis, and leadership doesn’t always need to know. You might say that you provide regular updates anyway, so when the proverbial stuff hits the fan, you’ll record it and report it as time and attention permit. Otherwise, you seldom communicate “out of cycle” because the subject matter is typically too technical or too sensitive to express in ways your leadership will understand or appreciate. You may even fear that if you only discuss challenges and risks, you’ll be judged a failure.

On the contrary, you are a failure if you don’t speak up. I’ve known CISOs who didn’t speak up when they should have, and some of them aren’t CISOs anymore. They failed not because of their mistakes but rather because of their reticence.

When faced with challenges, your senior leaders are the ideal people to ask for help. If you have exploitable vulnerabilities you can’t seem to solve or workplace irritations that are getting in the way of your program’s success, your leadership may provide valuable recommendations or direction.

As a CISO, you are no longer a technologist but a leader of your organization’s cybersecurity function. You are a member of the leadership team. Successful leaders recognize communication, whether bearing good news or bad, is critical. In short, no one likes surprises when the stakes are high.

Let’s look at three scenarios a CISO is likely to face. Would you communicate these to senior leadership?

Scenario #1

Your Board is focused on key elements that can guide the success of the organization or address any failures or weaknesses. Paramount for most Boards are the focus areas of organizational reputation, ethics and integrity, and regulatory compliance. All Boards are, by definition, strategic. That is, they focus on the big picture. They plan for the future of the organization. They care about whether the organization is executing to meet its business objectives. They care about whether the organization is measuring its performance and understands the ways in which salient and useful measurements can inform organizational strategy.

Boards also care about how well your organization’s performance and priorities compare with similar organizations. Benchmarking is always a useful activity for CISOs, and Boards often lean on benchmarking as a way to measure an organization’s plans and performance.

Scenario #2

Consider a more complicated and inherently difficult situation: insider risk. You are investigating the activity of an employee who may or may not have committed a serious offense. You don’t know enough to communicate anything to anyone quite yet, so your natural instinct is to keep quiet. You justify your decision with the logic that we are all innocent until proven guilty and that you don’t have enough evidence to warrant alerting senior leadership. You may even have been counseled by your Human Resources department not to communicate because personnel issues are “private” issues.

If the activity represents real enterprise risk, then your leadership needs to know about it. It’s their job to manage the organization’s risk profile: to set appropriate levels of risk tolerance and appetite, to evaluate each risk, and to decide whether to accept it or mitigate it.

Your hesitance to communicate this investigation is natural. If word gets out, someone who may be innocent will have their reputation in—and maybe outside—the organization sullied. Certainly, any communication includes its own inherent risk. Trust your leadership’s ability to keep secrets. The leadership team in fact knows lots of things about the organization that you will never know. Confidentiality is an essential characteristic of senior leadership.

You can communicate it privately. Arrange a meeting instead of a phone call and don’t discuss the matter via email. But don’t fail to communicate. Your leadership has a right to know if someone in the organization represents potential risk to the organization.

Scenario #3

If you remain on the fence, consider this simple example: a cyber incident. You surely would communicate a nation-state attack or a financial fraud matter, but what about a PII data breach resulting from negligence and failure to follow established procedure?

You are contacted by a supervisor who has an employee in her office, in tears. The employee intended to send a spreadsheet to Johnny Jones at your organization’s benefits provider but instead sent it to some other Johnny Jones. The spreadsheet contains personnel records for employees, some of whom reside in the European Union, with GDPR implications.

Your natural inclination might be to keep this incident between yourself, the supervisor, and the employee. After all, this was not a malicious act but rather a mistake. You can hope the wrong Johnny Jones deletes the email once he receives it. You rationalize putting your head in the sand like an ostrich with aphorisms like “this too shall pass” and the New York “fuggedaboutit.”

What appears to be a small, inadvertent exposure, however, is instead a spark that may well result in a full-fledged conflagration. Personal data privacy matters. GDPR matters. Certainly, a potential fine of 4% of annual revenue matters. As CISOs, we know it, and regulators continue to remind us.

Don’t try to calculate the odds that the breach may or may not come to light. You are a CISO, and your ethical behavior is everything. Assume the worst, even while you hope for the best. Collect the facts about the breach and report them as you know them to your leadership. Do it quickly, before the wrong Johnny Jones does it for you.

Communicating to your leadership is not just the right thing to do. For a CISO, it’s the only thing. Raise any cybersecurity issue that is even of remote concern to the folks at the top of the stairs. Don’t just speak up. Speak UP.

Frequently Asked Questions

Cybersecurity Risk Management is a strategic approach used by organizations to identify, assess, and prioritize potential threats to their digital assets, such as hardware, systems, customer data, and intellectual property. It involves conducting a risk assessment to identify the most significant threats and creating a plan to address them, which may include preventive measures like firewalls and antivirus software. This process also requires regular monitoring and updating to account for new threats and organizational changes. The ultimate goal of Cybersecurity Risk Management is to safeguard the organization’s information assets, reputation, and legal standing, making it a crucial component of any organization’s overall risk management strategy.

The key components of a Cybersecurity Risk Management program include risk identification, risk assessment, risk mitigation, and continuous monitoring. It also involves developing a cybersecurity policy, implementing security controls, and conducting regular audits and reviews.

Organizations can mitigate cybersecurity risks through several strategies. These include implementing strong access control measures like robust passwords and multi-factor authentication, regularly updating and patching systems to fix known vulnerabilities, and conducting employee training to recognize potential threats. The use of security software, such as antivirus and anti-malware programs, can help detect and eliminate threats, while regular data backups can mitigate damage from data breaches or ransomware attacks. Having an incident response plan can minimize damage during a cybersecurity incident, and regular risk assessments can identify and address potential vulnerabilities. Lastly, compliance with industry standards and regulations, such as the Cybersecurity Maturity Model Certification (CMMC) and National Institute of Standards and Technology (NIST) standards, can further help organizations mitigate cybersecurity risks.

A risk assessment is a crucial part of Cybersecurity Risk Management. It involves identifying potential threats and vulnerabilities, assessing the potential impact and likelihood of these risks, and prioritizing them based on their severity. This helps in developing effective strategies to mitigate these risks.

Continuous monitoring is a vital component of Cybersecurity Risk Management, providing real-time observation and analysis of system components to detect security anomalies. This enables immediate threat detection and response, helping to prevent or minimize damage. It also ensures compliance with cybersecurity standards and regulations, allowing organizations to quickly address any areas of non-compliance. By tracking system performance, continuous monitoring aids in identifying potential vulnerabilities, while the data gathered informs decision-making processes about resource allocation, risk management strategies, and security controls.
