Don’t help the CSO out, build him up!

One of the reasons why organisations ultimately fail at Cyber Security, is because the office of the lacks power. In this post I’ll explain why that is and what we can do about it. CSO Why The CSO Lacks Power The Cyber industry constantly strives to produce better products and services. Engineers work tirelessly to improve deployment practices. There are dozens of courses and certifications designed to improve skills. These endeavours whilst helpful to the CSO, do little or nothing to improve his standing within the wider organisation. Improvement in these areas is essential and welcome but provides only a tactical advantage. This is because CSOs are not rewarded or promoted merely for avoiding disaster. Their standing only improves when they are perceived as competent managers of risk. An appearance of confidence and control will do more for the CSO in practical terms than any marginal gain from a new security product, service, or technology. Security In order to improve Cyber Security outcomes in the long term, the CSO must increase his power and persuasiveness. It is at this strategic level that the greatest gearing will be achieved. I had lunch recently with a CSO from one of the UKs largest companies. He was quitting. The job wasn’t as described. He had no real power or influence, and without it he could see himself becoming just a fall guy at the next major security breach. He put it to me: “Security isn’t a delivery function.” Security must work with IT and the business. It has to influence, enlighten, and improve operating procedures. It’s the difference between explaining to people why they should take care of their environment, versus running around after them with a litter spike, picking-up every discarded item. Rarely does the security function have enough manpower to directly impose control at every level across every device. We are entering an age where even light bulbs have IP addresses. At the same time there is no sign that software or hardware is being designed more securely. Unless the CSO operates strategically, his position will always be precarious. It used to be that boards weren’t listening. Cyber Security was a mystery to them, abstract, distant, obscure. Seemingly unconnected with their quarterly concerns. I don’t think this is the case now. Legislation, regulation, breaches, fines, prosecutions, and a few high-profile resignations mean that boards are more likely to listen now than at any time in the past. The problem is that not enough CSOs are talking their language. While vulnerabilities, remediation, and initiatives can be measured and reported on, none of this means much to boards. The CSO must talk the language of risk instead, but conversation is only the beginning. Documentation matters too. If you really want to command a board’s attention you must frame your information in a format they are familiar with. If you’ve observed boards you’ll be familiar with “the pack”. This is the collection of documents the board requires in order to make decisions and have informed deliberations. It presents an opportunity for the CSO to increase the power and persuasion of his office. The most important part of any board pack is the balance sheet and its associated trends, ratios, and comparables. What To Do About It What if a CSO could present his information in the form of a balance sheet too? Not a balance sheet of pounds or dollars, we know how hard it is to equate those things with security in a robust, defensible way. One can however imagine security analogies to assets, liabilities, goodwill, impairments, debt, and deferred costs. How would that change a CSOs ability to communicate and to persuade? How would that improve his standing in the organisation? How much more effective would he be at getting things done? It’s my contention that the CSO’s position would be transformed immediately and permanently. He’d become a full member of the “C-suite”. Assuming I’m right, what might the intrinsic properties of a Cyber Security balance sheet be? For a board to have confidence in a new way of representing their Cyber Security, it will need to withstand scrutiny and be endorsed by a respected pillar of the accounting, audit, or governance world. It would need to be standardised across all business, such that executives, non-execs, and shareholders could compare companies, in much the same way is used today. GAAP It would need to be derived from simple principals and irrefutable truths. While products, technologies and methods all change over time, the Cyber Security balance sheet must be above these implementation details. There should be no hiding from its reckoning. How might such a balance sheet be derived? Raw inputs would be collected. Continuously, automatically, just as financial data is. This information would be stored. There may need to be corrections and restatements. Calculations would be made. Totals, ratios, trends, derived. One can imagine such information published under the same auspice as a financial balance sheet. After all, company annual reports routinely contain statistics for customer satisfaction, diversity, staff churn, and other metrics. Given the impact of a breach on share price and long-term company prospects, equity analysts should be paying attention to the cyber balance sheet. A CSO armed with the persuasive power of his own balance sheet would be in a much better position to act strategically. Both in the interests of shareholders and customers. If vendors and service providers truly want to improve outcomes for the CSO, not to mention his spending power, they should think less of helping him out and more of building him up. To build anything, you must begin with the right tools. Only once the CSO is built-up will he truly have the ability to grasp today’s Cyber Security challenges. Originally published at blog.eutopian.io on February 20, 2018.