CISOScott
Community Champion

Into the weeds...

A little perspective on the CISO experience. Sometimes I have seen a person in the CISO role try to stay in the clouds and manage security from a pedestal. They talk about frameworks, policy, risk, blah, blah, blah.. However they overlook opportunities to come down off the pedestal and go into the weeds. Now the weeds can be a dangerous place if you stay too long, as you lose the ability to see from 30,000 feet or from the top. Alternatively, if you stay at the top level you miss opportunities to prove worth or actually help make the improvements you suggest. For example:

 

At one place I worked the previous CISO had made a demand shortly after he got there that he needed to be paid $180K (from his current $115) and he needed a staff of 20 people (from the staff of 0 that he currently had). That may have been absolutely true, but he had done nothing to prove his worth to deserve such pay or proven the need in the agency for a staff that large. He did eventually get a staff of 5, but they all left after being under him for a little while, and management never backfilled the positions. I inherited his mess. I agreed with a lot of the things he was saying. There were a lot of things that needed to be fixed in the agency; however, I disagreed with his method. I have always had success in first proving worth or a true business need and THEN asking for the resources. In doing it this way I have built bridges with different departments, often repairing past damage. I have built up a team of allies who can second my decisions or vouch for my competence. He kept complaining that people were not doing security stuff like creating System Security Plans and other security documents while never providing them templates or guidance. He made demands of them that they didn't know how to perform. He never offered his advice or assistance. When they didn't provide them to him, he blasted them to executive management. He then also blamed/blasted executive management for not providing him the support he required. He blamed everyone else for his failures. Needless to say he didn't have very many friends in the agency.

 

I came in and saw that yes, while what he was saying was true, things needed to be done, there was literally either no one to do it (no resources) or no one that knew how to do it (no competency or knowledge). I started out by looking at what small things I could help with. I needed to provide metrics that security was being done and was needed in this agency. I started with the anti-virus. There were a few people doing AV work even though they were not assigned to security. I looked at what these people were doing and gathered metrics. I asked for and got access to the AV console. I found out that we had experienced over 250 virus infections the previous year and the team had taken action to either clean it or reimage the machine. The CIO knew nothing about this. He thought that the only viruses we got were when a SOC alert came through and those were few and far between, maybe 5 a year. I proved to him that we already had some things that were working, that some of his team was competent and that there was security work being done in the agency. I did this for several other things as well. I kept doing this and won the CIO over to my side. I looked for ways to understand the why of the IT staff. Even though some of their decisions were based off of old technology or old ways of doing business, I never blasted them or made them feel incompetent. I showed them how attacks have changed since then and how as an attacker I could use the current situation to my advantage. I gained the trust and respect of the IT staff. None of the current staff knew how to do investigations and collect the information needed to take action for egregious internet misuse. I showed them how to do it by doing a few investigations that led to successful prosecutions and then turned it over to them with instructions and guidelines. This won me additional friends in the IT staff as well as friends in HR, employee relations and legal.
I started rebuilding the trust that had been broken by the previous CISO. The executive management team even gave me an analyst when I asked for one. I even told them that I wanted 2 analysts a Jr. and a Sr. in the future.

 

I know some of you may be saying, but you're the CISO! You shouldn't have to be going so deep into the weeds to show them how to do their jobs. Maybe you are right. Maybe you are in an organization or agency that has the funds to hire the right people in sufficient quantities to do these jobs correctly. You would be very blessed to be in that position and may never need to go down into the weeds. But that was not my case. The whole point of this is this: if you are complaining that something is not getting done, the people may not know how to do it or are afraid of messing it up. If you have the expertise or knowledge, go show them how to do it or what kind of result you are expecting. One of the previous CISO's favorite sayings was "That's not my job!" He acted like he was the king and all the employees were his subjects. They were expected to be able to go and "Google" everything and deliver to him the results he wanted, even if they didn't know what his expectations were. He was very unapproachable and none of the staff wanted anything to do with him. This caused such discontent between himself, upper management and the staff that no one wanted to help him or fight for his retention. This led to his departure from the agency via a termination.

 

If you are asking for something from someone, sometimes you have to show them what you expect or want. You may even have to handhold them through the process. If you help people you will have more success as a CISO. Don't sit in your ivory tower and never come down to help. YOU are the security expert, you know what you expect or are looking for. Don't make people guess or feel stupid for not knowing. Help them and you will be helping yourself.

8 Replies
Baechle
Advocate I

Ken,

 

It sounds like you filled the role that most technologists abhor. Documentation.

 

I have similar issues when I talk with folks about investigations. Technologists are so eager or under such pressure to run a tool that they often don't understand the whys behind it. When I'm doing forensics, for example, I may decide that I want to run a tool or step incrementally through a process, but I spend 30 mins beforehand documenting what I'm about to do, probably spend 30 seconds doing it, and then another 30 mins documenting the results.

 

If I understood you right, this is my takeaway from your post: Pacing folks so that they slow down enough to evaluate their own actions and are able to communicate them is really a strong skill for a leader in the CIO, CTO, or CISO position. Then reaching a mutual understanding allows for collaboratively refreshing skills and processes for the team. In order to have that communication, you have to be able to dip far enough into the weeds to talk with your team and understand their needs. In order to plan for the future, you have to stay out of the weeds long enough to document and present solutions to the folks that hold the purse strings.

 

Sincerely,

 

Eric B.

 

 

Early_Adopter
Community Champion

Amen, and looks like a cathartic post to write... you have to build a coalition of the willing, and work out who you can delegate to. To do that without base understanding and the ability to mix it up in the cheap seats, being a CISO or any other leader is going to be tough.

 

IMHO “That’s not my job™” and coverage models without thinking about where things fit in build inefficient organisations, and promulgate the idea of turf; then before you know it you’re top heavy with generalists managing an ever smaller number of actual do-ers. The MBA catastrophe beckons...

 

I also think there is a in a hands-on leader, that can do quickly to be able to nurture other folks; let’s face it, we’ll all be stitching teams together from spare parts. Being a lead horse, having others follow you over the scary jump before having them take over, first by emulation and then self-directing, is a way for folks to cross over.

 

Bottom line, people are fungible, and anyone assuming that they have a special importance for title, qualification, certification etc. will ultimately fall by the wayside. Organisational ossification by presenting yourself as the king of the castle is a quick ride to irrelevance with frame rates running like they are.

CISOScott
Community Champion

If there is one area where shows like NCIS-Insert City and the multitude of shows like them have perpetuated a myth that is false, it is the glamorization of forensics. They really do a disservice to forensic investigators because they make it:

#1 Seem glamorous. It is not. Forensics is for people who can follow explicit directions and repeatable, tested, proven and reliable steps. It is not just "hack" into a computer, find the evidence and then go arrest the perp.

#2 Make it seem so easy. Yeah just let me hack into the closed circuit TV systems while simultaneously having a script peruse the DMV license plate database, tie it in with the hacking of the cell phone carriers and credit card systems. Voila! Your suspect is at Walmart #23 checking out in the 10 items or less lane with 15 items and using his MasterCard to pay for it all. Which, by the way, is almost at the credit limit. AAAANNNDD here is a cut into the live security camera system at Walmart..... only to lose the suspect on the way to his cabin in the woods...

#3 Make IT people think they know how to perform forensic investigations. I have told the IT staff "There is a line. Once it crosses that line to where it might even seem like it is going to be criminal in nature, WE STOP. We call the appropriate LE agency and let them handle it from there." For internal investigations we document everything. We print out pages that don't contain relevant information but include them anyway so the defense lawyer can't accuse us of leaving out info that would have "saved" his client. We explain everything. We run all cases through to completion, even the ones that don't turn into adverse actions. We do this so if we get asked "Do you investigate everybody? How do we know you are not just picking on my client? What about the other people on this list?, etc." we have an answer to those questions as well. So far my record is unblemished and I intend to keep it that way as long as possible. I have only had 1 case go to litigation and after his lawyer saw my evidence he said "My client wishes to withdraw his case." I prepare all of my investigations that way and even do more work if we terminate, just so we have all the ammo we need if it goes to litigation.

 

So yes, when I step in to help I document it through standard operating procedures and other instructional documents. My job is not to live in the weeds, but get in, cut the grass, show people how to cut the grass, and then get out. I also try to look for a solution to every problem instead of seeing the problem in every solution or request.

rslade
Influencer II

> CISOScott (Contributor III) posted a new reply in Career on 08-02-2018 01:18 PM

> If there is one area where shows like NCIS-Insert City and the multitude of
> shows like them have perpetuated a myth that is false it is the glamorization of
> forensics. They really do a disservice to forensic investigators

One of the reasons I like Britain's "Silent Witness" *much* better than the huge
CSI franchise and all its ilk. (Also "Bones," with its "Angelatron," although I like
the characters and wit on that show a bit better.)

My conference presentation on presenting technical evidence in court is always
subtitled "Why CSI-[name of conference city] is *NOT* Going to Help."

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
[T]his was *magical*. Ordinary men had dreamed it up and put it
together, building towers on rafts in swamps and across the
frozen spines of mountains. [...] They hadn't dreamed, in the way
people usually used the word, but they'd imagined a different
world, and bent metal around it. And out of all the sweat and
swearing and mathematics had come this ... thing, dropping words
across the world as softly as starlight. - `Going Postal,' Pratchett
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II


@CISOScott wrote:
One of the previous CISO's favorite sayings was "That's not my job!" He acted like he was the king and all the employees were his subjects. They were expected to be able to go and "Google" everything and deliver to him the results he wanted, even if they didn't know what his expectations were. He was very unapproachable and none of the staff wanted anything to do with him.

While, overall, I agree with your main point about having to deal with the details on occasion, I would note that it doesn't matter whether you do that or not if you are, in fact, a complete jerk ...

 

 

Baechle
Advocate I


@rslade wrote:

 

While, overall, I agree with your main point about having to deal with the details on occasion, I would note that it doesn't matter whether you do that or not if you are, in fact, a complete jerk ...

Rob,

 

I just wanted to let you know, in case you screened them out... I gave you a Kudos for that comment.  😉

rslade
Influencer II

> Baechle (Contributor III) posted a new reply in Career on 08-02-2018 03:12 PM in

> Rob, I just
> wanted to let you know, in case you screened them out... I gave you a Kudos for
> that comment.

Haven't screened out anything so far, but thank you 🙂

Early_Adopter
Community Champion

I think if you are a ‘complete jerk’ it does matter if you do get down in the weeds, but negatively, in terms of the damage you do. If you drive people off, or they don’t like what they see, then you’ll compound the problem that brought you into the substrate in the first place.

 

One point in CISOScott's reply I really liked: SOPs are really essential, as are designs. I work for a vendor, and the number of systems I see with pleas for help where the documents are lacking makes me very nervous, statistically speaking.

 

Not writing things down for people prevents them from even considering what they need to. As much as Agile and DevOps improve outcomes from a delivery standpoint in the main, if user stories don’t contain items for runbooks then... you’re going to have a bad time. Ultimately Theseus needs to hand on the behaviour used to get out of the maze, as his route won’t work for everyone.