The Dark at the Top of the Stairs—CISO Leadership
Let’s say you need to apply a critical patch across the organization, and the patch requires a reboot. While forcing a reboot to apply a critical patch is important, it creates business disruption that ripples out to your customers. Sooner or later, someone in the organization will complain and you will be put on the defensive. Besides, you can’t hide a forced reboot, so why go it alone?
Instead, communicate your decision, not just to affected parties but to your leadership. Be sure to include the reason for the reboot and how the organization benefits longer-term. It’s also critical that you communicate a reboot’s challenges and risks. Patches have problems of their own, not the least of which is that they sometimes don’t work and, rarely but crucially, make matters worse.
Your leadership needs to know so they can make the proper assessment. If you communicate the need to your leadership, they will support you. You should also be prepared, however, for leadership to decide against the patch. Ultimately, they decide, right or wrong, on matters that affect the organization.
Failing to communicate known or anticipated risk to your leadership is like leaving them in the dark at the top of the stairs. You may be naturally inclined to conceal risks that reflect poorly on you or your team from the prying eyes of concerned leadership, but you must resist the temptation.
If you don’t communicate cybersecurity matters—including organizational failures—to the people who run the business, you harm the organization.
You might argue that, as a CISO, you should only communicate the progress of your cybersecurity mission on a need-to-know basis, and leadership doesn’t always need to know. You might say that you provide regular updates anyway, so when the proverbial stuff hits the fan, you’ll record it and report it as time and attention permit. Otherwise, you seldom communicate “out of cycle” because the subject matter is typically too technical or too sensitive to express in ways your leadership will understand or appreciate. You may even fear that if you only discuss challenges and risks, you’ll be judged a failure.
On the contrary, you are a failure if you don’t speak up. I’ve known CISOs who didn’t speak up when they should have, and some of them aren’t CISOs anymore. They failed not because of their mistakes but, rather, their reticence.
When faced with challenges, your senior leaders are the ideal people to ask for help. If you have exploitable vulnerabilities you can’t seem to solve or workplace irritations that are getting in the way of your program’s success, your leadership may provide valuable recommendations or direction.
As a CISO, you are no longer a technologist but a leader of your organization’s cybersecurity function. You are a member of the leadership team. Successful leaders recognize communication, whether bearing good news or bad, is critical. In short, no one likes surprises when the stakes are high.
Let’s look at three scenarios a CISO is likely to face. Would you communicate these to senior leadership?
Scenario #1
Your Board is focused on key elements that can guide the success of the organization or address any failures or weaknesses. Paramount for most Boards are the focus areas of organizational reputation, ethics and integrity, and regulatory compliance. All Boards are, by definition, strategic. That is, they focus on the big picture. They plan for the future of the organization. They care about whether the organization is executing to meet its business objectives. They care about whether the organization is measuring its performance and understands the ways in which salient and useful measurements can inform organizational strategy.
Boards also care about how well your organization’s performance and priorities compare with similar organizations. Benchmarking is always a useful activity for CISOs, and Boards often lean on benchmarking as a way to measure an organization’s plans and performance.
Scenario #2
Consider a more complicated and inherently difficult situation: insider risk. You are investigating the activity of an employee who may or may not have committed a serious offense. You don’t know enough to communicate anything to anyone quite yet, so your natural instinct is to keep quiet. You justify your decision with the logic we are all innocent until proven guilty and you don’t have enough evidence to warrant alerting senior leadership. You may even have been counseled by your Human Resources department not to communicate because personnel issues are “private” issues.
If the activity represents real enterprise risk, then your leadership needs to know about it. It’s their job to manage the organization’s risk profile: to assign appropriate levels of risk tolerance and appetite, to evaluate each risk, and to decide whether to accept it or mitigate it.
Your hesitance to communicate this investigation is natural. If word gets out, someone who may be innocent will have their reputation sullied inside, and maybe outside, the organization. Certainly, any communication includes its own inherent risk. Trust your leadership’s ability to keep secrets. The leadership team in fact knows lots of things about the organization that you will never know. Confidentiality is an essential characteristic of senior leadership.
You can communicate it privately. Arrange a meeting instead of a phone call and don’t discuss the matter via email. But don’t fail to communicate. Your leadership has a right to know if someone in the organization represents potential risk to the organization.
Scenario #3
If you remain on the fence, consider this simple example: a cyber incident. You surely would communicate a nation-state attack or a financial fraud matter, but what about a PII data breach resulting from negligence and failure to follow established procedure?
You are contacted by a supervisor who has an employee in her office, in tears. The employee intended to send a spreadsheet to Johnny Jones at your organization’s benefits provider but instead sent it to some other Johnny Jones. The spreadsheet contains personnel records for employees, some of whom reside in the European Union, with GDPR implications.
Your natural inclination might be to keep this incident between yourself, the supervisor, and the employee. After all, this was not a malicious act but rather a mistake. You can hope the wrong Johnny Jones deletes the email once he receives it. You rationalize putting your head in the sand like an ostrich with aphorisms like “this too shall pass” and the New York “fuggedaboutit.”
What appears to be a small, inadvertent exposure, however, is instead a spark that may well result in a full-fledged conflagration. Personal data privacy matters. GDPR matters. Certainly, a potential fine of 4% of annual revenue matters. As CISOs, we know it, and regulators continue to remind us.
Don’t try to calculate the odds that the breach may or may not come to light. You are a CISO, and your ethical behavior is everything. Assume the worst, even while you hope for the best. Collect the facts about the breach and report them as you know them to your leadership. Do it quickly, before the wrong Johnny Jones does it for you.
Communicating to your leadership is not just the right thing to do. For a CISO, it’s the only thing. Raise any cybersecurity issue that is even of remote concern to the folks at the top of the stairs. Don’t just speak up. Speak UP.