This site uses cookies to provide you with a more responsive and personalised service. By using this site you agree to our use of cookies. Please read our PRIVACY POLICY for more information on the cookies we use and how to delete or block them.

The Art of CISO - Master of Warfare

10 December 2018

Tommy Babel , Head of the Cyber Resilience & Intelligence Services |

No one has ever achieved anything of note, without having alliances

Identify which functions in your organization have similar interests to yours. Align them to push for change and transformation where you feel yourself heading to resistance. Strengthen your Alliance by practicing eye-for-an-eye and returning the effort to push their agenda as well.

When practiced wisely, such alliances tend to develop a web of trust within the organization, where you'll be able to share your toughest spots and earn the far most genuine support.

The strong overcomes the weak, so know your own strengths and weaknesses

Which kind of a CISO are you? If you are a TISO (technical CISO) you might find it difficult to communicate security to management. If you’re a BISO (business CISO) you might find it hard to align IT with your agenda.

The greatest of weaknesses is that of character

Believe it or not the next generation CISO is more of a Yes-Man, rather than more of a No-Man. Better find a way to enable business than 'disable' it. Find a way you and your agenda are respected and not feared. Maintain solid and respectful relationships and always stay professional, especially in those moments your principals are "under attack".

There's a difference between being patient and persist

Don't wait for processes or people to knock on your door. Be proactive and persistent. Make sure you are perceived as much as a client to a process as the business is.

Don't be an open book to opponents

Leave regulation or law to be the last tools you use to prove your point. Make sure you 'talk the talk', speak Business, speak Value and speak Risks. Always make sure you understand where the business is headed and why. Leave some cards hidden away and surprise the business by offering some professional insight to their process and goals.

Your greatest strength can be turned into your greatest weakness

Obviously security is your strength, but limiting your knowledge just to security will eventually turn into a weakness. Make sure you thoroughly study and learn your business and your business environment. Know where's the business headed to and what its goals are, for near and far future. Know the different players effecting your business environment including partners, customers and even competitors. Not deeply understanding your business and being brilliant in security will diminish your strength and eventually will be perceived as a weakness.

As situation changes, change your behavior

Your business and stakeholders have a Risk Appetite. They may be willing to accept the risk to achieve certain value. Align yourself to the business risk appetite. Don't be the CISO which insists on remembering his objections or the CISO who pokes the eye with an "I told you so". Take the calculated risk yourself and find the way to assist in creating that value.

You can change your behavior, without changing your character

Playing along doesn't mean you have to give up your principals. Remember you have built some very close relationships. Ask those colleagues to help you navigate between being a TISO, thru being a BISO to being s SISO - Strategic CISO.

Take a close look at those you have surrounded yourself with

Building tactical and strategic alliances often mean you have to share. You have to be open to share your weaknesses, your thoughts and doubts, your mishaps and the relationships that didn't developed as planned. This is the most effective way to build trust. Find the people in your organization you want to build this web of trust with, and take the steps of being closer to them.

Know the ambitions of your friends

Everyone around you has ambitions. Starting from your own team, through other people you interact with, even your managers and other leaders as well. You have to nurture these ambitions and help people get where they headed by practicing your own risk tolerance, rather than caving in to principals which are then, hard to walk away from.

Know how to use yourself as well as those around you

It's an environment dominated by soft skills. Make sure you develop your soft-skills as hard as you work on staying knowledgeable. Use soft-skills rather than experience or seniority to motivate people around you to 'play along'.

You cannot safely judge what is an advantage or otherwise, without knowledge and experience

Soft-skills are a tool, they alone won't be enough to sail the boat. Don't neglect your knowledge, always seek ways to educate yourself and enhance your area of expertise, your knowledge about the business and the business environment.

Proofs of Concept (POCs) are great for feeding your experience. You are working in fast changing environment; make sure your keep your knowledge and experience up to date.

Stop hobbling your army

Let your people go. Your team is an inherent part of your success. Build a team of professionals you trust and hand them as much rope as they need to follow their ambitions. Better let them learn from mistakes than be afraid of making decisions and being creative. Your team's race to pursue their ambitions will create enormous value.

A tired army is a defeated army

Everyone on your team needs an occasional break. Small breaks from loads of work are nice, but more effective breaks are the ones from Organizational Culture and Structure. Do not put your team in 'the line of fire'; don't let them engage in battles over principals. Eventually every security team falls into that corner, it is your job to teach them which fight is worth engagement and will win the most points in the long run.

Do not procrastinate. Do not showboat. Know your problems, enemies and challenges and face them

You have the nastiest job. Threats are always around the corner. Threats are at least one step ahead of defense capabilities. If you feel safe, that means something is wrong. Think like your enemy; ask yourself why would you attack and how. A simple principal states, a Successful Attack is made from 3 ingredients: a lucrative prize, a reason for the attacker to be persistent and a weakness he can exploit. Mostly you can only control the 3rd ingredient, make sure you are up to date with all the weaknesses and are able to control them.

Deal with it when it's a small problem, or better yet prevent the problem becoming a problem to begin with

Be proactive. Don't wait for problems to surprise you. Make sure everyone knows you and is Aware of your practice. People should know that "When in doubt or suspicious" they have the CISO to contact and request assistance from. Make sure your response and level of service are consistent.

On the field of battle, the spoken word does not carry far enough, hence the institution of 'gongs and drums'

Awareness is your best tool to achieve engagement. Awareness doesn't stop at an occasional lesson or guidebook. Make sure your Awareness program has the 'gongs and drums' effect. Make sure you repeat it often and avoid fading away the 'ringing ears'.

Nor can ordinary objects be seen clearly enough, hence he institution of banners and flags

Gamify Awareness. Make it a competitive game with rewards and organizational wide recognition. Capture the flag games are very effective.

Saying what you mean and meaning what you say, sounds good but it has nothing to do with being understood or understanding what people are trying to get you to understand

Awareness has to speak in different languages for the different audiences. Make sure your Awareness program speaks the correct language then facing Senior Management, Special Business Units, IT, DevOps, R&D and so on.

There is no defense against self-deception

Prevention is over rated. Defend as if your enemy has already breached your perimeter and is inside your network. Focusing on perimeter security or focusing on trying to prevent a breach, will eventually catch you with your pants down, "explaining yourself" to management on what went wrong.

Make sure your Detection & Response capabilities and practices are at least as strong as your prevention efforts. Early detection and a quick and professional response will most likely minimize the damage as long with the amount of "explaining yourself" you'll need to do.

Warfare is based on deception

Deception is under valued. It is strongly recommended to deploy deceptive objects both within the business and the technical environments. Deception is the best way to capture your enemy in action and even better, before action, sneaking and sniffing around.

Not long ago the problem was a lack of knowledge, now it's dealing with the flood of information we are faced with

Data produced by your deployed security measures is not fully utilized, missing a substantial ability to capture abnormal activities within your business and technical environments. In the worst case these could suggest a process is malfunctioned or isn't running as expected, but actually using smart mining and analytic techniques will also be really useful to capture your enemy in action and before action, snooping around.

Strictly adhere to method and discipline

Make sure you have a proper methodology. Adopt an Information Security Management System and work with it to build your own method for managing assets, risks, threats, vulnerabilities and communications with the relevant entities inside and outside of your organization.