The acceleration in digital transformation has had an enormous impact on the role of security teams within enterprises. But despite the glut of threats, it remains true that the biggest transformation security teams need in order to improve their organisation's security posture is cultural rather than digital.
This was the key takeaway from one attendee at Telstra’s recent New In Role community virtual event, where experienced and new CISOs swapped experiences and insights about security best practice amid unprecedented circumstances for all of us.
Our most recent session explored the relevance of failing fast in innovation, the challenge of finding the right balance between risk and reward, and the emergence of an enhanced level of integration between IT and the broader business.
The security landscape is perilous – and requires proportionate investment
The new-in-role security stakeholders were quick to agree that the landscape for security is at its most dangerous.
As one expert noted, “We’ve seen a real uptick in cyber-crime. The threat landscape has changed wildly.” Another confirmed this, saying they had seen cyber-enabled fraud double in recent months.
For security practitioners who are new to their businesses, that represents a steep learning curve – especially in an organisation or an industry that is very different from those you’ve worked in over your career. And time isn’t a resource many CISOs have the luxury of.
One new CISO noted, “I needed time to understand the threat landscape. We had solutions in place to intercept attacks, but the volume had increased and changes to vectors still needed adaptations. Plus, physical fraud and refund fraud have also increased in this time.”
“So, we’ve had to begin conversations to discuss that if threats are evolving, budgets need to evolve with them,” he continued.
While the need for appropriate funding was a theme that was echoed strongly by all speakers, the challenge remained to communicate that need, and the return it would provide, to the CISOs’ ultimate decision-makers – the board.
Identifying and developing key board relationships
Hitting the ground running as a new-in-role CISO necessitates getting buy-in from your board-level stakeholders.
As one speaker said, “It’s good to have two or three senior executives whom you can influence in your first 90 days, especially when the strategy you need to implement needs three years and not three months.”
So, how can people entering a business for the first time achieve that? First and foremost, it quickly became plain that networking broadly, with clearly defined goals, is a great means not only of understanding organisational hierarchies but also of spreading your message widely.
But second, it is important to remember to find the people the board listens to, and to build trusted relationships with those people.
Identifying influencers isn’t easy though. It requires nuance and a thoughtful consideration of the role each stakeholder plays in an organisation beyond their title and job description.
But that investment is worth it. As one CISO put it, “I listened to who the board listened to and then I made sure that individual understood my strategy. It really helped me get the message through.”
Telling your story
Influencing the influencers is only half of the battle though. Once you get in front of the board, it is essential that you’re able to get the message across in a language that they can understand and relate to.
“The board get more engaged when you add a bit of humanity or even humour to your story,” said one new-in-role CISO. “Storytelling is a powerful tool for influencing change because the board don’t necessarily understand the technical language.”
Best practice is to use emotional language and analogies to real-world situations they are passionate about or have experienced themselves.
This is a critical point that trips up some new CISOs who focus on technical detail or dire warnings about security breaches. But when telling a story, you have to closely tailor your content to the audience.
One event attendee took it even further. “When I joined my new organisation, some of the things I asked were, what do the board read on their way to work and where do they get their news?”
“I was able to change my pitch based on those answers, because what they read about affected how they received my message.”
Transformation is not only about tech
But this point reveals a wider trend. The role of the CISO doesn’t begin and end with the technological side of transformation. Instead, the CISO has to be the catalyst of cultural change across the business, defining and promoting secure behaviour in every staff member.
But influencing behaviour may not be a skillset many CISOs use often. That’s why it is best practice to bring in the experts.
“For me, I benefited from having a really good comms team,” said one attendee. “After that we started looking at bite-sized awareness programmes for staff that would benefit them when using their work devices, but also their personal web use on their own devices.”
It also means understanding the new circumstances your employees are working in. Another attendee noted, “Working remotely has made it more difficult for staff to understand the scope of the risk. We used HR to spread our messaging, but we also instituted security gossip sessions to talk about security news stories and promote security awareness.
“Using news stories and relating them to employees’ everyday work helped with engagement. For example, we used a BBC story about the remote hacking of an electronic chastity belt by PenTest Partners that was an entertaining story in itself, but it was still a security breach which had relevance to the daily working practices of our staff. People become really interested and engaged if you make it topical and funny.”
Chastity belt or not, it’s clear that communicating culture across the organisation – from the boardroom to each remote home office – is critical to success for new-in-role CISOs.