The Bedel Security Blog

Managing Cybersecurity: Get Away From “No”

Written by Chris Bedel | Mar 26, 2021

I was having a conversation with a colleague this past week (a bank auditor, to give you some context). As we were talking about cybersecurity and the banking industry, the subject came up of a CISO who had been let go from a bank because their philosophy on cybersecurity didn't align with the business goals of the organization.

My colleague went on to explain that new initiatives were often met with a “no”. The executive team, while they wanted to be secure, felt like they were being held hostage. Through the conversation, we mutually came to the agreement that cybersecurity professionals need to get away from “no”, and start focusing on business needs, especially in banks and credit unions.

We are in an age of digital transformation in the financial industry (to read our full letter to community financial institutions regarding this matter, visit this page). Those stuck in their old ways will be left behind. If the information security program cannot evolve and grow to meet those demands, it can itself become a threat to the organization. You get to a point where it's almost like the cure is worse than the disease.

Now this is something I've seen over the past six years in this business. We've been called in to help with situations like this. I have friends who have been in this situation - and it breaks my heart.

So in this blog post I want to share a few tips that may help you avoid that.

Why does something like this happen?

  1. It may be that the CISO is missing one or more of the Six Pillars needed to be effective:
  • Cyber threats and security
  • Information technology
  • Compliance
  • Banking and business objectives
  • Risk management
  • People and communication skills

  2. It may be that the CISO lacks confidence, which could be attributed to one of the missing six pillars. It also could be due to inexperience, or just overall personality traits.

  3. It could be that they've been placed under a lot of pressure to “keep us secure”, and they have no buy-in from the executive team. That can be a very isolating place for a CISO.

When the consequence of failure is so great for a CISO, they often begin to operate from a place of fear, rather than from a strategic point of view.

What can we do about it?

  1. You can start by making sure that the CISO is being managed well. The following are 6 ways to do that (you can read the full article on how to manage a CISO here):
  • Establish a security culture
  • Explain business objectives
  • Get them involved
  • Help them pick their battles
  • Coach them on business and communication
  • Care about them and their work

  2. Do they need a CISO mentor? This is something that I really feel our industry needs more of, and that's why we've been adjusting our pricing - to make it much more available. If you want to know more about it, visit our CISO Mentor page.

  3. And finally, you may just have to ask yourself if the person is a better fit in another area of your organization. You may have named someone the CISO years ago, when things were a little calmer and simpler, and they've not been able to keep up with the changes during the transition. The landscape is much different than it was five years ago, and it has changed in an incredible way over the last decade. A CISO needs a different skill set now than was needed 10 years ago. Is this person really a good fit to continue to carry your security program forward? Could they be better suited to another position?

Conclusion

Please don't misread this article. It does not mean that we, as cybersecurity professionals, say yes to everything. Instead, it means that we must become risk managers: we have to accept some risks and make good decisions about how to prioritize those risks. We have to ask the right questions. We have to communicate the risks in business terms. And finally, we must become business enablers.

When we do these things, we gain buy-in, we prove our value, and then we can start making a difference.

If you'd like to know more about how your cybersecurity program can become a business enabler, let us know. We will be glad to help. Email us at support@bedelsecurity.com.