The Dark at the Top of the Stairs

Alan Levine

Let’s say you need to apply a critical patch across the organization, and the patch requires a reboot. While forcing a reboot to apply a critical patch is important, it creates business disruption that ripples out to your customers. Sooner or later, someone in the organization will complain and you will be put on the defensive. Besides, you can’t hide a forced reboot, so why go it alone?

Instead, communicate your decision, not just to affected parties but to your leadership. Be sure to include the reason for the reboot and how the organization benefits longer-term. It’s also critical that you communicate a reboot’s challenges and risks. Patches have problems of their own, not the least of which is that they sometimes don’t work and, rarely but crucially, make matters worse.

Your leadership needs to know so they can make the proper assessment. If you communicate the need to your leadership, they will support you. You should also be prepared, however, for leadership to decide against the patch. Ultimately, they decide, right or wrong, on matters that affect the organization.

Failing to communicate known or anticipated risk to your leadership is like leaving them in the dark at the top of the stairs. You may be naturally inclined to conceal risks from the prying eyes of concerned leadership that may reflect poorly on you or your team, but you must resist the temptation.

If you don’t communicate cyber security matters – including organizational failures – to the people who run the business, you harm the organization.

You might argue that, as a CISO, you should only communicate the progress of your cyber security mission based on a NEED-to-know basis, and leadership doesn’t always need to know. You might say that you provide regular updates anyway, so when the proverbial stuff hits the fan, you’ll record it and report it as time and attention permit. Otherwise, you seldom communicate “out of cycle” because the subject matter is typically too technical or too sensitive to express in ways your leadership will understand or appreciate. You may even fear that if you only discuss challenges and risks, you’ll be judged a failure.

On the contrary, you are a failure if you don’t speak up. I’ve known CISOs who didn’t speak up when they should have, and some of them aren’t CISOs anymore. They failed not because of their mistakes but, rather, their reticence.

When faced with challenges, your senior leaders are the ideal people to ask for help. If you have exploitable vulnerabilities you can’t seem to solve or workplace irritations that are getting in the way of your program’s success, your leadership may provide valuable recommendations or direction.

As a CISO, you are no longer a technologist but a leader of your organization’s cyber security function. You are a member of the leadership team. Successful leaders recognize communication, whether bearing good news or bad, is critical. In short, no one likes surprises when the stakes are high.

Let’s look at three scenarios a CISO is likely to face. Would you communicate these to senior leadership?

Scenario #1

Your Board is focused on key elements that can guide the success of the organization or address any failures or weaknesses. Paramount for most Boards are the focus areas of organizational reputation, ethics and integrity, and regulatory compliance. All Boards are, by definition, strategic. That is, they focus on the big picture. They plan for the future of the organization. They care about whether the organization is executing to meet its business objectives. They care about whether the organization is measuring its performance and whether it understands the ways in which salient and useful measurements can inform organizational strategy.

Boards also care about how well your organization’s performance and priorities compare with similar organizations. Benchmarking is always a useful activity for CISOs, and Boards often lean on benchmarking as a way to measure an organization’s plans and performance.

Scenario #2

Consider a more complicated and inherently difficult situation: insider risk. You are investigating the activity of an employee who may or may not have committed a serious offense. You don’t know enough to communicate anything to anyone quite yet, so your natural instinct is to keep quiet. You justify your decision with the logic that we are all innocent until proven guilty and that you don’t have enough evidence to warrant alerting senior leadership. You may even have been counseled by your Human Resources department not to communicate because personnel issues are ‘private’ issues.

If the activity represents real enterprise risk, then your leadership needs to know about it. It’s their job to manage the organization’s risk profile, to assign appropriate levels of risk tolerance and appetite, evaluate each risk, and decide to accept it or mitigate it.

Your hesitance to communicate this investigation is natural. If word gets out, someone who may be innocent will have their reputation in – and maybe outside – the organization sullied. Certainly, any communication includes its own inherent risk. Trust your leadership’s ability to keep secrets. The leadership team in fact knows lots of things about the organization that you will never know. Confidentiality is an essential characteristic of senior leadership.

You can communicate it privately. Arrange a meeting instead of a phone call and don’t discuss the matter via email. But don’t fail to communicate. Your leadership has a right to know if someone in the organization represents potential risk to the organization.

Scenario #3

If you remain on the fence, consider this simple example: a cyber incident. You surely would communicate a nation-state attack or a financial fraud matter, but what about a PII data breach resulting from negligence and failure to follow established procedure?

You are contacted by a supervisor who has an employee in her office, in tears. The employee intended to send a spreadsheet to Johnny Jones at your organization’s benefits provider but instead sent it to some other Johnny Jones. The spreadsheet contains personnel records for employees, some of whom reside in the European Union, with GDPR implications.

Your natural inclination might be to keep this incident between yourself, the supervisor, and the employee. After all, this was not a malicious act but rather a mistake. You can hope the wrong Johnny Jones deletes the email once he receives it. You rationalize putting your head in the sand like an ostrich with aphorisms like ‘this too shall pass’ and the New York ‘fuggedaboutit.’

What appears to be a small, inadvertent exposure, however, is instead a spark that may well result in a full-fledged conflagration. Personal data privacy matters. GDPR matters. Certainly, a potential fine of 4% of annual revenue matters. As CISOs, we know it, and regulators continue to remind us.

Don’t try to calculate the odds that the breach may or may not come to light. You are a CISO, and your ethical behavior is everything. Assume the worst, even while you hope for the best. Collect the facts about the breach and report them as you know them to your leadership. Do it quickly, before the wrong Johnny Jones does it for you.

Communicating to your leadership is not just the right thing to do. For a CISO, it’s the only thing. Raise any cyber security issue that is even of remote concern to the folks at the top of the stairs. Don’t just speak up. Speak UP.
