Creating a 'Department of How'
Nov 07, 2021
About 20 years ago, one of my friends, a CISO at a Fortune 30 company, called me to ask about a situation. He met with his executive team, and the CIO said he wanted to implement a complete BYOD program. My friend spoke up, arguing there were massive security concerns and warned against it. After the meeting, the CIO asked my friend to stay and said, "In two weeks, you're going to come back to me with a plan on how to implement BYOD safely, or in three weeks, I will have a new CISO."
The message was clear. I told my friend that he needed to turn his "Department of No" into a "Department of How."
To a large extent, cybersecurity professionals limit what people can do. We put in place controls that restrict capability and functionality. We interfere with workflows. It is our job. While some people look at us with disdain, a statement I've heard a few times comes to mind: Cars don't have brakes to prevent them from moving. Cars have brakes to allow them to go fast.
Driving would be reckless without the ability to stop the car when and where desired. I like to think of cybersecurity in the same way. Can you imagine e-commerce without securing credit card and personal information? Can you imagine banks moving money without the appropriate controls? Can you imagine self-driving cars that are not secured? The list goes on. While cybersecurity is often late to be integrated into product or system development, it eventually finds its way into any significant effort.
Turning back to my friend, while he wasn't involved in the decision to move to BYOD, he became involved because he was in the right place at the right time and found a way to influence the implementation. Luckily, we were able to create an architecture that provided reasonable, although likely imperfect, security.
What my friend experienced was happening regularly with the adoption of mobile devices: Companies didn't want to buy cellphones, and pay for service, for all of their white-collar workers. As organizations adopt new technologies and take advantage of advances in process and practice, CISOs have to figure out how to enable those technologies securely.
If you are a technology executive who is not cybersecurity-focused, you need to ensure that your CISO is brought into new efforts as early as possible. Whether you are rolling out Secure Edge, 5G, or new AI or Machine Learning tools, she can be critical and powerful for the business. At the same time, any of those technologies could become your Achilles' heel if implemented insecurely. Depending on the nature of the application, tool, or process, a security vulnerability can be disastrous in ways limited only by what the technology touches. You have a responsibility to be proactive in integrating cybersecurity into technical implementation.
Bring the CISO in as early as possible for input, and ensure that the budget and resources are made available to integrate security technologies. As necessary, ensure that the CISO has the appropriate authority to act on her input. That is not as easy as it sounds when developers and engineers face deadlines and don't like interference.
If you're a CISO or other security executive, you may have some authority, perhaps even a veto over aspects of new technologies. In that case, you should never forget that your function in the organization is to enable the other functions.
On the personal side, I naturally took to penetration testing and social engineering because I immediately see the problems in a situation or setting. I can spot the one file cabinet in an office that is left unlocked. I can look at a computer system and quickly identify the vulnerabilities in the configurations. While it irritates my wife, it makes me good at seeing where security needs to improve.
Like my friend, I learned to identify workable solutions as quickly as I recognized the vulnerabilities. However, I had to learn to temper how I react to the exposures I see, which is not easy. And as a matter of fact, on rare occasions a workable solution may not exist.
When you have to frame something as impossible, the business will respect your claim if such claims are rare. It may not go unchallenged, but your peers and management should treat your statements as valid. Fundamentally though, you again must be perceived as the "Department of How." In business, most people appreciate the person who has a reputation for getting things done. That person might not always find the most sophisticated way to do it, but the accomplishment is recognized. You have to develop the reputation of being that person. It's not just good security practice. It is good business practice in general.