The Dark at the Top of the Stairs

The Dark at the Top of the Stairs

Alan Levine

Let’s say you need to apply a critical patch across the organization, and the patch requires a reboot. While forcing a reboot to apply a critical patch is important, it creates business disruption that ripples out to your customers. Sooner or later, someone in the organization will complain and you will be put on the defensive. Besides, you can’t hide a forced reboot, so why go it alone?

Instead, communicate your decision, not just to affected parties but to your leadership. Be sure to include the reason for the reboot and how the organization benefits longer-term. It’s also critical that you communicate a reboot’s challenges and risks. Patches have problems of their own, not the least of which is that they sometimes don’t work and, rarely but crucially, make matters worse.

Your leadership needs to know so they can make the proper assessment. If you communicate the need to your leadership, they will support you. You should also be prepared, however, for leadership to decide against the patch. Ultimately, they decide, right or wrong, on matters that affect the organization.

If you don’t communicate cyber security matters to the people who run the business, you harm the organization.

Failing to communicate known or anticipated risk to your leadership is like leaving them in the dark at the top of the stairs. You may be naturally inclined to conceal risks from the prying eyes of concerned leadership that may reflect poorly on you or your team, but you must resist the temptation.

If you don’t communicate cyber security matters – including organizational failures – to the people who run the business, you harm the organization.

You might argue that, as a CISO, you should only communicate the progress of your cyber security mission based on a NEED-to-know basis, and leadership doesn’t always need to know. You might say that you provide regular updates anyway, so when the proverbial stuff hits the fan, you’ll record it and report it as time and attention permit. Otherwise, you seldom communicate “out of cycle” because the subject matter is typically too technical or too sensitive to express in ways your leadership will understand or appreciate. You may even fear that if you only discuss challenges and risks, you’ll be judged a failure.

On the contrary, you are a failure if you don’t speak up. I’ve known CISOs who didn’t speak up when they should have, and some of them aren’t CISOs anymore. They failed not because of their mistakes but, rather, their reticence.

When faced with challenges, your senior leaders are the ideal people to ask for help. If you have exploitable vulnerabilities you can’t seem to solve or workplace irritations that are getting in the way of your program’s success, your leadership may provide valuable recommendations or direction.

Don’t try to calculate the odds that the breach may or may not come to light. You are a CISO, and your ethical behavior is everything.

As a CISO, you are no longer a technologist but a leader of your organization’s cyber security function.  You are a member of the leadership team. Successful leaders recognize communication, whether bearing good news or bad, is critical. In short, no one likes surprises when the stakes are high.

Let’s look at three scenarios a CISO is likely to face. Would you communicate these to senior leadership?

Scenario #1

Your Board is focused on key elements that can guide the success of the organization or address any failures or weaknesses. Paramount for most Boards are the focus areas of organizational reputation, ethics and integrity, and regulatory compliance. All Boards are, by definition, strategic. That is, they focus on the big picture. They plan for the future of the organization. They care about whether the organization is executing to meet its business objectives. They care about whether the organization is measuring its performance and understand the ways in which salient and useful measurements can inform organizational strategy.

Boards also care about how well your organization’s performance and priorities compare with similar organizations. Benchmarking is always a useful activity for CISOs, and Boards often lean on benchmarking as a way to measure an organization’s plans and performance.

I’ve known CISOs who didn’t speak up when they should have, and some of them aren’t CISOs anymore.

Scenario #2

Consider a more complicated and inherently difficult situation: insider risk. You are investigating the activity of an employee who may or may not have committed a serious offense. You don’t know enough to communicate anything to anyone quite yet so your natural instinct is to keep quiet. You justify your decision with the logic we are all innocent until proven guilty and you don’t have enough evidence to warrant alerting senior leadership. You may even have been counseled by your Human Resources department not to communicate because personnel issues are ‘private’ issues.

If the activity represents real enterprise risk, then your leadership needs to know about it. It’s their job to manage the organization’s risk profile, to assign appropriate levels of risk tolerance and appetite, evaluate each risk, and decide to accept it or mitigate it.

Your hesitance to communicate this investigation is natural. If word gets out, someone who may be innocent will have their reputation in – and maybe outside – the organization sullied. Certainly, any communication includes its own inherent risk. Trust your leadership’s ability to keep secrets. The leadership team in fact knows lots of things about the organization that you will never know. Confidentiality is an essential characteristic of senior leadership.

You can communicate it privately. Arrange a meeting instead of a phone call and don’t discuss the matter via email. But don’t fail to communicate. Your leadership has a right to know if someone in the organization represents potential risk to the organization.

Successful leaders recognize communication, whether bearing good news or bad, is critical. In short, no one likes surprises when the stakes are high.

Scenario #3

If you remain on the fence, consider this simple example: a cyber incident. You surely would communicate a nation-state attack or a financial fraud matter, but what about a PII data breach resulting from negligence and failure to follow established procedure?

You are contacted by a supervisor who has an employee in her office, in tears. The employee intended to send a spreadsheet to Johnny Jones at your organization’s benefits provider but instead sent it to some other Johnny Jones. The spreadsheet contains personnel records for employees, some of whom reside in the European Union, with GDPR implications.

Your natural inclination might be to keep this incident between yourself, the supervisor, and the employee. After all, this was not a malicious act but rather a mistake. You can hope the wrong Johnny Jones deletes the email once he receives it. You rationalize putting your head in the sand like an ostrich with aphorisms like ‘this too shall pass’ and the New York ‘fuggedaboutit.’

What appears to be a small, inadvertent exposure, however, is instead a spark that may well result in a full-fledged conflagration. Personal data privacy matters. GDPR matters. Certainly, a potential fine of 4% of annual revenue matters. As CISOs, we know it, and regulators continue to remind us.

Don’t try to calculate the odds that the breach may or may not come to light. You are a CISO, and your ethical behavior is everything. Assume the worst, even while you hope for the best. Collect the facts about the breach and report them as you know them to your leadership. Do it quickly, before the wrong Johnny Jones does it for you.

Communicating to your leadership is not just the right thing to do. For a CISO, it’s the only thing. Raise any cyber security issue that is even of remote concern to the folks at the top of the stairs. Don’t just speak up. Speak UP.

RELATED POSTS

Five Best Practices to do Supply Chain Security Right

Five Best Practices to do Supply Chain Security Right

Supply chain attacks aren’t new. In fact, The National Institute of Standards and Technology (NIST) published their initial report on supply chain risk back in 2015. One of the most well-known supply chain attacks happened shortly after in 2017. NotPetya corrupted...

Stagehand: Episode 2

Stagehand: Episode 2

Carl Timmons: CISO of Illuminating Solutions, a data analytics firm, forty-seven years old, never been married. Last Thursday, Carl arrived in San Jose on business. He was picked up by a company car and driven to The Manifeld Hotel. He was last seen leaving the hotel...

The Risk of Banking

The Risk of Banking

I just came off a big Zoom call with traditional bankers where they discussed changes in client behaviors, and the impact which new technologies bring, that fundamentally challenge today’s traditional European banking models. At the end of 2019, Boston...

Effective Board Communication for CISOs

Effective Board Communication for CISOs

Know Your Board If you’re a CISO, your Board generally knows who you are and what you do. But do you know who they are? No Board is monolithic. Each Board member brings unique value to the Board. Each is selected for what they add to the Board’s perspective, vision,...

Cyber Ops Must Evolve Towards Fusion Centres. Here is Why.

Cyber Ops Must Evolve Towards Fusion Centres. Here is Why.

Since the advent of space exploration in the 1960s, every child understands that the success of the space mission is dependent not only on the astronauts, but also on the engineers in the mission operation center. All complex missions or operations are high risk and...

Stagehand: Origins

Stagehand: Origins

I’m sitting at a table in one of the offices of my private security firm in a tense, but now familiar, setting. No matter who the client is, there’s always a strange energy when extremely wealthy and powerful people are asking you to accomplish the seemingly...

Cyber Trends and Predictions for 2021
Share This