Build a Winning Security System or Get Fired: The Choice is Yours
By Mike Gentile, CISSP and CISOHandbook.com team
Over the years, I have been in hundreds of security programs around the globe. Whether large or small, a financial conglomerate or non-profit, they generally always struggle with one thing: They can’t describe to me what their security program produces and how they produce it as a simple multi-step process. In other words, they do not have a security system. This article, which will be a series of many over the coming months, will explore the art of building a successful security system. It will build on the premise that it is more important in the modern enterprise to demonstrate the repeatable method by which your security effort performs work, than the actual work it is performing itself.
This article will explore the fundamentals of building a winning security system. It will begin with why the development of a security system is important in any organization, some common symptoms that illustrate your organization may be missing one, followed by some actionable recommendations to build a security system within your organization. Before moving on to the why, we will begin with the definition of a system to help get us all on the same page.
System: [sis-tuhm] any formulated, regular, or special method or plan of procedure: a system of marking, numbering, or measuring; a winning system at bridge.
-Random House Dictionary, 2011
Why Build a Security System
There are many reasons in the modern organization for a security program to define, implement, and then utilize an organized approach to how they perform their services to the organization. Most importantly, as W. Edwards Deming puts it:
“If you can't describe what you are doing as a process, you don't know what you're doing.” ~ W. Edwards Deming
Clearly, having a concise method for how your security program delivers its service to the organization is going to make your team look organized, professional, and efficient. This in itself should be enough to make any security leader want to develop a security system. But wait, there is more…
The development of a security system also has some other enticing elements that should be considered. The first one is that it provides consistency and the ability to benchmark. Establishing what you produce and how you produce it allows you to easily explain to the organization what your program does, and more importantly: what it is not doing. The majority of organizations in which I help out are very busy doing all kinds of work, from security assessments, to technical scans, to regulatory compliance, to risk management. They deliver these services without a repeatable mechanism for producing them or a consistent definition of the product they are delivering. This makes them appear inefficient, unorganized, and most importantly overwhelmed. Further, this problem is magnified as additional work pours in, which gives them even less time to build a system, and on and on. Even worse, since they are not repeatable in their approach, they are unable to provide metrics about why they are overwhelmed. Sound familiar? What a mess! The scariest part is that this is what I see in 90% of the organizations in which I do work; from power companies, to airlines, to government, to financial, and back again.
There are 3 key recommendations to developing a security system. They include:
What to do:
- Stop and build one now: If the above scenario resonates with you, then you will appreciate that you are always going to be busy, more work is on the horizon, and the situation will continue to worsen until you break the cycle. The only way to break the cycle is to define what you produce and how you are producing it. With this defined, you are in a position to start measuring your ability to execute. This in turn makes it easy to have conversations about how your team is understaffed, why you can’t get all the work done that is assigned to your team, or most importantly, how great your team may be doing. Further, over time, it will prevent me from poking my eyes out due to hearing the same complaints and questions in every organization, such as: “Management just does not get that we do not have enough resources” or “Mike, we have nothing to measure”, or “Mike, do you know any other places looking for a CISO? I am about to get canned.”
- Keep it simple; most organizations are dumb about security, but not about systems: Security is complex, is generally perceived by most as being technical in nature, and is very nebulous. As a result, most groups and management outside of security (and even some within it) treat it like a trip to the dentist (this is of course except for large dental provider organizations; I have done work in them too. For them I use a trip to the IRS.) Anyway, bottom line, they do not get this security stuff, nor do they want to. If you make your security system easy to understand, simple, and clearly defined using non-security nomenclature, this will create a bridge of understanding between you and those outside of security. In my experience, a presentation of your security system, which is nothing more than what you produce and how you produce it, is easier for most in an organization to understand and consume. This is even more the case if your only other reporting outside the security program has been things like that gnarly security findings report or SOX compliance. Trust me, demonstration of your security system will be a breath of fresh air.
- Make the health of your security system more important than the work: This may sound wacky, but I have seen many more security leaders fired for simply trying to do all the work that is assigned to their group without definition of their system than those that have a healthy system that accomplishes almost nothing. This is because the security teams with a security system have visibility, the ability to measure, and are organized. All of these things make it easy for them to demonstrate to the organization why they cannot get anything done or how much they have accomplished. The other CISO, who ironically is still often busting his or her tail, cannot demonstrate what they are doing, how they are doing it, or most importantly that they have too much to do. All the while, they are accountable for everything since they cannot show what is not within their realm of responsibility. This equates to a “Dead CISO Walking.”
In the end, you have two options. You can build a healthy security system and be viewed as an organizational rock star, or continue as overworked, understaffed, and unappreciated until you get fired. In the end, the choice is yours; you just need to make it. As always, please send your comments to mike@CISOHandbook.com.