The Dark at the Top of the Stairs

Alan Levine

Let’s say you need to apply a critical patch across the organization, and the patch requires a reboot. While forcing a reboot to apply a critical patch is important, it creates business disruption that ripples out to your customers. Sooner or later, someone in the organization will complain and you will be put on the defensive. Besides, you can’t hide a forced reboot, so why go it alone?

Instead, communicate your decision, not just to affected parties but to your leadership. Be sure to include the reason for the reboot and how the organization benefits longer-term. It’s also critical that you communicate a reboot’s challenges and risks. Patches have problems of their own, not the least of which is that they sometimes don’t work and, rarely but crucially, make matters worse.

Your leadership needs to know so they can make the proper assessment. If you communicate the need to your leadership, they will support you. You should also be prepared, however, for leadership to decide against the patch. Ultimately, they decide, right or wrong, on matters that affect the organization.

Failing to communicate known or anticipated risk to your leadership is like leaving them in the dark at the top of the stairs. You may be naturally inclined to conceal risks from the prying eyes of concerned leadership that may reflect poorly on you or your team, but you must resist the temptation.

If you don’t communicate cyber security matters – including organizational failures – to the people who run the business, you harm the organization.

You might argue that, as a CISO, you should only communicate the progress of your cyber security mission on a NEED-to-know basis, and leadership doesn’t always need to know. You might say that you provide regular updates anyway, so when the proverbial stuff hits the fan, you’ll record it and report it as time and attention permit. Otherwise, you seldom communicate “out of cycle” because the subject matter is typically too technical or too sensitive to express in ways your leadership will understand or appreciate. You may even fear that if you only discuss challenges and risks, you’ll be judged a failure.

On the contrary, you are a failure if you don’t speak up. I’ve known CISOs who didn’t speak up when they should have, and some of them aren’t CISOs anymore. They failed not because of their mistakes but, rather, their reticence.

When faced with challenges, your senior leaders are the ideal people to ask for help. If you have exploitable vulnerabilities you can’t seem to solve or workplace irritations that are getting in the way of your program’s success, your leadership may provide valuable recommendations or direction.

As a CISO, you are no longer a technologist but a leader of your organization’s cyber security function. You are a member of the leadership team. Successful leaders recognize communication, whether bearing good news or bad, is critical. In short, no one likes surprises when the stakes are high.

Let’s look at three scenarios a CISO is likely to face. Would you communicate these to senior leadership?

Scenario #1

Your Board is focused on key elements that can guide the success of the organization or address any failures or weaknesses. Paramount for most Boards are the focus areas of organizational reputation, ethics and integrity, and regulatory compliance. All Boards are, by definition, strategic. That is, they focus on the big picture. They plan for the future of the organization. They care about whether the organization is executing to meet its business objectives. They care about whether the organization is measuring its performance and understands the ways in which salient and useful measurements can inform organizational strategy.

Boards also care about how well your organization’s performance and priorities compare with similar organizations. Benchmarking is always a useful activity for CISOs, and Boards often lean on benchmarking as a way to measure an organization’s plans and performance.

Scenario #2

Consider a more complicated and inherently difficult situation: insider risk. You are investigating the activity of an employee who may or may not have committed a serious offense. You don’t know enough to communicate anything to anyone quite yet, so your natural instinct is to keep quiet. You justify your decision with the logic that we are all innocent until proven guilty and you don’t have enough evidence to warrant alerting senior leadership. You may even have been counseled by your Human Resources department not to communicate because personnel issues are ‘private’ issues.

If the activity represents real enterprise risk, then your leadership needs to know about it. It’s their job to manage the organization’s risk profile: to assign appropriate levels of risk tolerance and appetite, to evaluate each risk, and to decide whether to accept it or mitigate it.

Your hesitance to communicate this investigation is natural. If word gets out, someone who may be innocent will have their reputation in – and maybe outside – the organization sullied. Certainly, any communication includes its own inherent risk. Trust your leadership’s ability to keep secrets. The leadership team in fact knows lots of things about the organization that you will never know. Confidentiality is an essential characteristic of senior leadership.

You can communicate it privately. Arrange a meeting instead of a phone call and don’t discuss the matter via email. But don’t fail to communicate. Your leadership has a right to know if someone in the organization represents potential risk to the organization.

Scenario #3

If you remain on the fence, consider this simple example: a cyber incident. You surely would communicate a nation-state attack or a financial fraud matter, but what about a PII data breach resulting from negligence and failure to follow established procedure?

You are contacted by a supervisor who has an employee in her office, in tears. The employee intended to send a spreadsheet to Johnny Jones at your organization’s benefits provider but instead sent it to some other Johnny Jones. The spreadsheet contains personnel records for employees, some of whom reside in the European Union, with GDPR implications.

Your natural inclination might be to keep this incident between yourself, the supervisor, and the employee. After all, this was not a malicious act but rather a mistake. You can hope the wrong Johnny Jones deletes the email once he receives it. You rationalize putting your head in the sand like an ostrich with aphorisms like ‘this too shall pass’ and the New York ‘fuggedaboutit.’

What appears to be a small, inadvertent exposure, however, is instead a spark that may well result in a full-fledged conflagration. Personal data privacy matters. GDPR matters. Certainly, a potential fine of 4% of annual revenue matters. As CISOs, we know it, and regulators continue to remind us.

Don’t try to calculate the odds that the breach may or may not come to light. You are a CISO, and your ethical behavior is everything. Assume the worst, even while you hope for the best. Collect the facts about the breach and report them as you know them to your leadership. Do it quickly, before the wrong Johnny Jones does it for you.

Communicating to your leadership is not just the right thing to do. For a CISO, it’s the only thing. Raise any cyber security issue that is even of remote concern to the folks at the top of the stairs. Don’t just speak up. Speak UP.
