blog-header-image
| 6 min read
| Apr 17, 2019
| by Dave Merkel

Dear fellow CEO: do these seven things to improve your org’s security posture


You’re at the helm of a fast-growing company. You’re adding staff rapidly, and your team is starting to specialize.

Hopefully most of your folks now have one job (or maybe two) instead of the five or six everyone had in the early days. Customers are flying at you left and right (not a bad thing!).

Leading a fast-growing org has its perks. And yeah, it’s exciting. But as you scale, you’ll inevitably be breaking things as you stress the organization and look to add more capabilities and maturity everywhere you can.

Oh, and did I mention that the “snake that kills you today” starts to change shape as you grow, too? It used to be that you were crossing your fingers to make the quarter. Now it’s, “Do we have mature enough finance and business processes to support Sarbanes Oxley?” Another challenge that often pops up if it hasn’t already: Do you have any clue what you’re doing around information security? Maybe you started to care about that yourself. Maybe a well-traveled board member started asking some uncomfortable questions.

I get that “information security” is probably toward the bottom of your list of “the snake(s) that’ll kill you today.” But here’s the thing: a reckoning is coming and it usually shows up at a time that’s least convenient.

The good news: You can turn the (information security) ship around. Or get two hands back on the wheel if you’ve been spending your time focusing on other things.

Here are seven simple things you can do right now that’ll get your org’s security posture on track.

1. Hire an information security business executive, and have her or him report to you

Yes, have this person report to you — the CEO. Don’t be tempted to have him or her report the CIO, CTO or general counsel. You want a business executive that owns this domain as a close advisor, someone who can translate from security lingo to the language of your business and back again. This person should be a business executive. Someone that understands what your business does, its value proposition and the fact that their role isn’t “say no” — it’s “figure out how to say ‘yes’ while managing risk.”

Here’s a litmus test on whether or not you have the right person … do the CIO and/or CTO respect the CISO’s technical acumen? Would you hesitate to put this person in front of your board of directors so he or she can educate them on what they should care about and how they should hold the organization accountable for security risk? Do you respect this individual as an executive and can you see yourself proactively seeking his or her counsel? If you answered “no” to any of those questions, keep looking.

2. Identify the org’s top information security risks and write them down

As an executive, part of your job is to think about potential risks to the business and devise strategies to address them — like competitors, markets and external events that may impact your business. Security risks are as important to evaluate as any of the more “traditional” business concerns that you’ve historically considered.

You have capable leaders to deal with risk in all parts of your business. They should all be at the table when you’re talking about security because security impacts every part of your org. If you followed my advice above, you’ll have a CISO — he or she can (and should) drive this process for you. Additionally, have your general counsel think about the potential legal ramifications of a security incident. And what about your CFO? How will a security-related misstep impact your bottom line? You get the idea. Bring all those brains to the table and work together to think through the various risks and the ripple effects they’ll have on the broader org. Your execs need to be bought into that response plan, not victims of it.

3. Create your incident response “brain trust”

When something goes sideways (and trust me, it will) who will you call? Sure, the teams with technical expertise will be on the short list, but remember to think about all those potential ripple effects and make sure the right people are at the table when a bad thing happens. This includes legal counsel and even your corporate communications lead. Once again, your CISO will drive this process, but it needs to be sponsored by you so everyone knows it’s important.

The best way to prepare for a real security incident is to flex those muscles and practice responding as a group. A great way to do this is to orchestrate a tabletop incident response exercise. Your CISO can get started with your own by downloading our guide to tabletop exercises right here, which has everything you need to simulate a security incident: Oh Noes! A New Approach to IR Tabletop Exercises. When the CISO comes to you to get it scheduled make sure you support the initiative and give it weight.

4. Build out a true security team

Create a security team that’s separate from IT. When security is fully subordinate to IT you run the risk of thinking about security as a technology problem instead of a risk management capability. When security is part of IT, it can incentivize bad behavior. Security could be viewed as purely a cost instead of a necessity to manage risk. As a result, it could face significant budget pressures. Putting security under IT can also make it difficult to champion certain kinds of spends. For example, maybe buying security technology widgets is easy since IT is used to buying tech. But perhaps doing thoughtful risk assessments that span not just technology but business objectives, processes and functions becomes more challenging, if not outright impossible.

Radical pro tip: consider having your IT team report to security — we did it and it works. Remarkably well, in fact. IT decisions almost always involve some aspect of cyber risk. By having your IT function report into security you enable security to be woven into your IT processes and decision making. This helps your organization build security into your systems and infrastructure from the get-go rather than “bolting it on” as an afterthought.

5. Put some quick security controls in place while you build a security program

Conducting thorough assessments to understand security risks and technical control gaps are great, but the reality is that attackers aren’t going to take a time out while you get your house in order. That’s why it’s essential that you and your CISO get (or keep) some basic security tools and processes in place quickly, while you simultaneously dive deep into a review of your security processes, programs and tools to figure out what needs fixing.

As you work through your assessment, there are plenty of decisions you’ll need to make as you figure out how you want to operate and lay a foundation that minimizes risk. For example, do you want to build your own SOC or use a vendor? What framework will you use to build and measure your new security program? Do you need new technology or are the tools you already have sufficient?

6. Pick a security framework that you’ll use to assess your org

Work with your CISO to pick a framework — there are plenty to choose from like the NIST Cybersecurity Framework, ISO 27001, COBIT or something more specialized like HiTRUST — and stick with it. This will help your exec team communicate your position and plans in a consistent way among one another and with others (like your board, investors and outside counsel) who’ll want those details.

By using a framework to organize your planning and assessment activities, you’ll be able to develop a coherent strategic plan, figure out where the gaps are and start to close them quickly. As a bonus, if you’ve socialized the framework with your board, they’ll be able to follow where you are on the journey and ask smarter questions.

7. Track your progress and learn from it

Since you hired a CISO first, that person can drive this for you, and he or she will likely use the framework you picked above to backstop their conversations with you and your board about progress. As with so many things, your role is to give this weight. You need to care, ask questions and hold both your CISO and the rest of the organization accountable for delivering on initiatives to improve posture and manage risk.

I know what you’re thinking: “This sounds like any other aspect of my business … get a leader, listen to their counsel, assess business risks and initiatives in their area, take prompt action and posture for future success.”

BINGO. Security is not mystical, as long as you treat it as another function that’s just as important as other key areas of your business, and hire a security leader who is a true peer to the rest of your exec team.


Subscribe

Oh Noes! A new approach to IR tabletop exercises

Welcome to Oh Noes! A role-playing game that makes testing your incident response plan fun A real-life security incident isn’t the best time to test your incident response (IR) plan. It can be stressful. You’ll be dealing with the technical…
Read More