Bryan Kissinger, CISO for Trace3, recently presented “The Business Minded CISO.” Bryan’s presentation generated lots of great questions, which he graciously answered below. If you missed his presentation or would like to watch it again, you can view it below.
How do you overcome the "just good enough" mentality with regards to securing one’s environment?
Great question. You need to negotiate where you can accept “good enough” and fight battles where you need a top-notch solution. As an example, I was fine with a “good enough” MDM solution on mobile phones. By contrast, I wanted the best DLP, SIEM and firewalls we could afford. I earned credibility among the budget allocators by going cheap in some areas and going for the best in others.
Which business metrics should a CISO prioritize?
Managing your budget and demonstrating ROI for security investments are the most important. I always try to give money back at the end of the fiscal year, which earns you trust and credibility with your senior leaders. Another important metric is efficacy of your security tooling. For example, be able to prove that your EDR platform catches a high percentage of exploits and performs as expected.
Should companies combine the cybersecurity and privacy functions?
Privacy and security could come together in a single role or department. If they don’t, these interdependent functions must be closely aligned. I have always worked very closely with my privacy counterparts. In one of my roles, I had responsibility for both privacy and security and, while it was a lot of work, it provided me with a full picture.
How do you define a successful hire?
I like to hire “athletes.” They don’t need to know everything about the role, but have to be energetic, passionate, willing to learn, and be a team player. You can teach smart, energetic people anything. Find a candidate with those qualities and then take good care of them. Most managers make the mistake of propping up low performers. Do the opposite. Spend the bulk of your time motivating and taking care of your best people. The poor performers will end up leaving anyway.
How do you address the board following a breach?
You address them honestly, accurately, and calmly. Most boards know it’s not a matter of if, but when, you will have a breach. The board wants to see you have the situation under control and that you have a plan. Don’t be afraid to ask for help and keep them in the loop as you make progress on remediation.
What do you recommend CISOs do to manage the data exfiltration risk posed by personal cloud storage?
Apply outbound security controls to prevent data leakage to these sites. The web isolation platform I implemented had the ability to prevent users from attaching or uploading files to these sites. Also, endpoint DLP and web isolation solutions prevent leakage based on policies and rules you implement.
Should a CISO report to the CIO, or maybe the BOD?
I discussed this on the call; however, the answer ultimately depends on the company’s maturity.
If you enjoyed this webinar, be sure to visit Second Thursdays for other great cybersecurity webinars.