Why CISOs are highly valuable in crisis situations

What should a CISO's value and role be during a crisis?

This is a contributed article by Steve Moore, chief security strategist, Exabeam.

 

Businesses encounter many types of crises in a lifetime, such as recessions, data breaches and global conflicts. While most people think of the CEO, CFO and board members as critical at these times, chief information security officers (CISOs) must be seen as integral in both security and business decisions.

Amid a crisis, the most common emotion we all have is fear. We're fearful of the unknown, fearful for our health, our jobs, our family, the future. No one truly knows the endgame, but we still wait anxiously for directives from world leaders and health experts.

Within a business organisation, one leader and source of truth to whom everyone turns in a state of fear or panic is the CISO. In their day-to-day, the CISO is responsible for safeguarding corporate, customer and employee data along with intellectual property, staying informed on potential internal and external threats, building trust among stakeholders and serving as an advisor to the rest of the C-Suite. They should be constantly communicating to the rest of the organisation regarding notable events and incident status, as well as whom to engage both internally and externally in a crisis. The role of a CISO should never be categorised as non-essential.

In a time of crisis, pressure mounts on CISOs to bring ultimate clarity for the entire organisation. CISOs are expected to relay a message of security and reassurance to not only end users and staff but other members of the C-Suite, investors and board members. These stakeholders expect truth, candour, adaptability and self-awareness from the CISO. 

The CISO has to focus on the core needs of the company and also prioritise the right things for the business through to the other end. They want to know that the CISO is going to make decisions that will maintain as much normalcy as possible during contentious times. 

 

Preparation is the only way out

Benjamin Franklin's words "By failing to prepare, you are preparing to fail" rings in many ears at times like these. A good CISO knows there are two internal assets that must always be one step ahead: their personnel and their network.

The security team - The worst time to make a team introduction is during a crisis. Normally this is most true when dealing with the executive leadership team (ELT) and the board. However it's even more important for the CISO's span of control. Get human for a moment. Everyone within the security department should know one another and have a comprehensive understanding of each other's roles. The CISO needs to meet all of his or her staff and clearly communicate their mission to everyone, ideally one on one. In some larger organisations, it might come as a shock to know that the CISO hasn't met their team. Does the CISO know the capabilities of their team? In terms of the needs today, is there a built-in process that allows for the flexibility to work from home effectively? Remember it's not just the workforce, but also the operational standards of the security team that require a comprehensive plan. 

Technical capabilities - Tactically, most organisations aren't ready for the mobile workforce, or at least not ready for 100 percent remote operations. Considering not even 10 percent of Americans usually work from home on a part- or full-time basis, organisations likely never felt as if purchasing software to support large amounts of varying remote endpoints was constituted. However, a CISO will understand the intricate technical capabilities of its current infrastructure and be able to react quickly if a crisis were to occur. What can the current network provide, what are the gaps in processes, capabilities, and what's required to fill the gap? That also means knowing the IT market well enough to be able to formulate an actionable plan when and if a shift in technical capabilities is needed. 

Communication - Communication must be flat, frequent, and full of candour. When times are difficult, people look for a leader, a voice. Many say Churchill's speeches won the war while FDR's fireside chats calmed the fears of a nation; the CISO and the rest of the ELT should be delivering mixture of the two several times a week, if not daily. Flat communication means that all are invited, there are no clubs in crisis. Have someone follow up, nicely, if you see someone hasn't made the regular meetings; it's likely they feel left out or are struggling. Lastly, a direct message - the truth - is needed in times of fear just as much as an inspirational message. The CISO must provide an accurate view into the situation.   

 

CISO's value in crisis

A CISO and their team are similar to first responders in a business setting - their collective value lies in their ability to bring about a measure of calm in crisis when a business risk or interruption is present. The benefit to the company is their security team is ‘always on', their operations never sleep, and they arguably have one of the riskiest positions in the C-Suite. They understand risk, and they know stress. They are in-house protectors and responders; hopefully they've made the relationships required prior to the crisis, and their communication plan is tested and viable. 

 

The challenges CISOs face

As we entered into the new "remote work experiment" in mid-March, millions of Americans worked from home for possibly the very first time in their career. Remote work might be routine for some, but it's a foreign concept to many professionals and the operations that support them. There are two main challenges most CISOs experience during a time like this.

First is the challenge of security monitoring and response from afar. When end users or employees aren't coming into the same office every day, security teams must protect assets and operations in several locations using tools in ways they may have not been intended. For example, traditionally a SOC is a physical space as well as a virtual one, but this new work structure is putting a huge strain on that.

A second challenge is that of communication. This is a core value among security teams, and CISOs are responsible for dictating how their teams communicate with one another and their audience (be it end users, staff or board members) through a crisis. Whatever communication method a CISO had in place beforehand must be twice as frequent but even more succinct now. The importance of communication cannot be stressed enough at a time when teams are working so untraditionally.

 

Build a ‘Tiger Team'

A sensible approach amid a time of crisis is to build a core "Tiger Team" whose sole purpose is to manage new problems that emerge in a very quick and well-organised way. Like a true tiger, the team should aim to accomplish three main things:

-           Its players should display the different stripes of the organisation. The team should be expert but cross-functional. It is not just a collection of the most tenured staff; there should be people that are in the trenches each day as well. A good response team, in a time during a shift to remote work, would consist of a provisioning person who manages accounts, a SOC analyst, a system engineer, and someone who can document and take action on it all. Whoever makes up a tiger team must be able to respond during the crisis by having the ability to pull the metaphorical trigger, access data logs, etc.

-           It will leap at the problem: They act with quickness and speed. A small and focused group of decision-makers can move faster through difficult problems than a larger party, which is, of course, important during times such as this. Remember, in many cases, traditional change management processes will be intentionally avoided. 

-           It can sink its fangs deep into a security problem: The tiger team has the ability, assuming it has support from the top, to claw at the hardest problem and not let go until it is solved. Please caution against making the team too large as it could become a committee of inaction as opposed to a solution center. 

Note: The ELT may want to create a similar concierge team for remote executive and front-line support, such as for remote caregivers, field workers, high stress / high need staff. 

 

Be a leader first

A CISO must be ready to give more than anyone else on the security team, and as the severity of the crisis grows, the cooperation within the organisation must increase. They'll be the first person everyone calls and the last to sign off at night. People will want to reach them at all hours of the day to talk about work and maybe even vent about the stress the situation is causing in their personal lives. It's about earning trust over time. People want to know that they can trust their CISO to take care of the company's valuable resources, and a good CISO understands this great responsibility requires a commensurate amount of time, effort and energy. 


Stephen Moore has been Vice President and Chief Security Strategist of Exabeam, Inc. since August 2017, and is also the host of The New CISO podcast. Moore has more than 15 years of experience in information security, intrusion analysis, threat intelligence, security architecture and web infrastructure design. Prior to joining Exabeam, Moore spent more than seven years at Anthem, in a variety of cybersecurity practitioner and leadership roles. He was the architect of the new 6,000 square-foot Anthem Cyber Security Operations Center in Indianapolis.