Pragmatic Risk Management
How to be a CISO
A few months into my second gig as CISO, I sharpen my blade daily on the problem of how to be most effective in a security leadership role.
There are many wrong ways to be a CISO. A few are obvious to you and me, but less obvious to non-technical people: "build a wall to keep the hackers out", "make sure nothing bad happens", "compliance is job #1", and so on.
Security leadership requires a high comfort level with both uncertainty and imperfection. Risk is a fuzzy concept. All code has bugs and all humans make mistakes; how do we mitigate those risks?
I face extreme failure modes in my current role, and like everyone else I have a scarcity of resources available to manage the risk of those failure modes happening. The scarcest resource is not money but time: there are only so many security engineers available, and only so many hours in their days and mine.
The answer, in my view, is pragmatic risk management.
Pragmatic. Not dogmatic. Favor no technology or process with unearned devotion. What concrete decision will mitigate risk? Ruthlessly make those decisions. I cannot guarantee my employer an absence of risk but I can serve them well by mitigating that risk to the best of my ability.
Risk. Not certainty. Measuring security risk is an unsolved problem in computer science. We have no meaningful actuarial data to demonstrate the probability of a security incident. This makes cyber risk management as much an art as it is a science.
Management. Not just technical. It takes a day or two to learn how YubiKey cryptography works. It takes months of change management to get people to use them. Security leadership is 50% technical and 50% management. As the saying goes, security is a process, not a product. That is, a management process. Getting people to do the secure thing in the secure way, all the time, is a cat herding problem.
Pragmatic risk management requires ruthless prioritization. We face many risks. We have limited resources. What are the biggest risks? How can we mitigate those risks? How much money and time should we allocate to mitigate each of those risks? What's the security ROI for the time/money spent?
Targeting resources at the highest risks with the greatest security ROI is the CISO's proper role. In order to do so, a CISO must deeply understand security at a technical level, and be adept at managing human beings, in order to drive change and make it stick.
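One way to make the prioritization above concrete is a small risk register ranked by expected loss avoided per engineer-hour. The following is an added example, not code from the post or from any tool the author uses: the risk names, probabilities, loss figures, engineer-hour costs and reduction fractions are all constructed assumptions, and the annualized-loss model (probability times loss, times the fraction a control removes, divided by the hours it costs) is my illustration of the ROI reasoning, not a method the post prescribes. It exists to show one thing the prose does not: ranking by raw expected loss and ranking by mitigation ROI give different orders, and the time budget decides which list you can actually execute.

```python
"""Rank a risk register by mitigation ROI per engineer-hour.

Added example, not from the original post. Every number below is a
constructed assumption for illustration; producing those estimates is the
uncertain, actuarial-data-free part of the job the post describes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # assumed chance the event happens in a year (0..1)
    loss_if_it_happens: float  # assumed single-loss expectancy, in dollars
    mitigation_hours: float    # assumed engineer-hours to land the control
    reduction: float           # assumed fraction of expected loss the control removes

    def annual_expected_loss(self) -> float:
        return self.annual_probability * self.loss_if_it_happens

    def expected_loss_avoided(self) -> float:
        return self.annual_expected_loss() * self.reduction

    def roi_per_hour(self) -> float:
        # Dollars of annual expected loss removed per engineer-hour spent.
        return self.expected_loss_avoided() / self.mitigation_hours


# Constructed sample register (hypothetical figures, not real data).
SAMPLE_REGISTER = [
    Risk("Phishing-driven account takeover", 0.50, 400_000, 240, 0.9),  # hardware-key rollout
    Risk("Unpatched internet-facing service", 0.30, 1_000_000, 80, 0.7),  # patch SLA + scanning
    Risk("Leaked cloud credentials in repos", 0.40, 250_000, 16, 0.6),  # secret scanning in CI
    Risk("Insider data exfiltration", 0.06, 2_000_000, 400, 0.5),  # DLP + access reviews
]


def rank_by_expected_loss(risks) -> list:
    """Naive view: biggest annual expected loss first, ignoring cost to fix."""
    return [r.name for r in sorted(risks, key=Risk.annual_expected_loss, reverse=True)]


def rank_by_roi(risks) -> list:
    """Pragmatic view: most expected loss removed per engineer-hour first."""
    return [r.name for r in sorted(risks, key=Risk.roi_per_hour, reverse=True)]


def prioritize(risks, hours_available: float):
    """Greedy plan: take mitigations in descending ROI-per-hour order until the
    engineer-hour budget cannot fit the next one. Greedy is not guaranteed
    optimal for a knapsack, but it is transparent, which matters when the
    inputs are estimates anyway. Returns (chosen risks, hours used, loss avoided).
    """
    chosen, used, avoided = [], 0.0, 0.0
    for r in sorted(risks, key=Risk.roi_per_hour, reverse=True):
        if used + r.mitigation_hours <= hours_available:
            chosen.append(r)
            used += r.mitigation_hours
            avoided += r.expected_loss_avoided()
    return chosen, used, avoided


if __name__ == "__main__":
    print("By raw expected loss:", rank_by_expected_loss(SAMPLE_REGISTER))
    print("By ROI per hour:     ", rank_by_roi(SAMPLE_REGISTER))
    plan, hours, saved = prioritize(SAMPLE_REGISTER, hours_available=300)
    print(f"With 300 hours: {[r.name for r in plan]} "
          f"uses {hours:.0f}h, removes ${saved:,.0f}/yr of expected loss")
```

With the constructed figures, the patching risk carries the largest expected loss but the cheap secret-scanning control is the best use of the first engineer-hours, and a 300-hour budget funds those two while the hardware-key rollout, the second-biggest raw risk, does not fit. Swap in your own estimates; the point is the comparison, not the numbers.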