Have you ever wondered why people are chosen to become Chief Information Security Officers? I started thinking about my peers and listening to their stories of how they obtained their positions. I then considered why I was chosen to be a CISO. At the end of the day, it really was a choice by the powers that be.
When CISOs hire people, many use some form of skills assessment. Sometimes there are sample assignments. We sometimes have people go through scenarios to see their problem-solving abilities. We apply some form of metrics to the process for many roles in cybersecurity.
With a CISO, everyone likes to believe that there are intangibles and soft skills that cannot be measured. People making CISO hiring decisions look to the applicant’s past roles to predict their potential for success. While this may sound like an oversimplification, in essence the hiring team believes the CISO knows in their gut how to make appropriate decisions and will continue to do so for their organization.
For the most part, this is how CISOs function. We are brought information. We have situations that require our attention. We must determine how to balance limited resources. We must choose how we manage different people. We must choose how we structure our teams. We must prioritize different functions. To do so, we again gather data, take advice, and then make decisions. This is what a CISO does.
A CISO is also in the position where they have to present information to organization executives and boards. Their effectiveness in doing so is mostly believed to be tied to their communications skills, which go above and beyond a typical managerial function. It is largely for this reason that many CISOs tend to be external hires rather than internal promotions.
Hiring teams want someone with executive presence and communications skills and a proven track record of working with executives. Even a Deputy CISO inside an organization is rarely considered for promotion to the CISO role. The reason is that the Deputy CISO has not demonstrated the ability to work with the executives and the board, as an outsider has. They are seen as probably competent managers, but they have not proven themselves as competent organizational officers.
Recently one of my friends made the leap from Deputy CISO of a large financial organization to CISO. He did so by essentially putting together a business plan for the organization’s cybersecurity department. Specifically, he analyzed the organization’s security posture, as available from open-source information, highlighted how the organization was deficient compared to its peers, and created a plan for how he would lead the organization to achieve parity. He also highlighted the cost of the organization’s deficiencies.
Even though the organization might have initially preferred a proven CISO with a proven gut, my friend demonstrated the ability to apply tangible metrics to the role.
Put another way, the seasoned gut instinct of a CISO highlights their craft as something closer to art. They look at situations, look at the numbers, interact with people, and they make reasonable decisions based upon years of experience. And for the most part, their decisions are reasonable and the best to be made.
However, these decisions can frequently be wrong, or at least not the optimal decisions. My friend, by contrast, applied science. He gathered data and analyzed it to make a plan based upon that analysis. Even though my friend was not a proven artist, he demonstrated himself as a scientist, and executives and boards do like scientists.
Cybersecurity is one of the few corporate disciplines that has not embraced what I will broadly call data science. For example, if a COO wants to retool a factory, they use a variety of mathematical formulas to determine whether or not it makes sense, when there will be a break-even point, etc. They use mathematical models to calculate staffing. Likewise, a CFO will use a variety of mathematical models for just about any decision to be made.
Cybersecurity programs are just beginning to gather metrics to assist in gut-based decision-making processes. The metrics can be straightforward, or they can be residual measurements of other activities. For example, I can look at a phishing simulation and the resulting click rates in the simulations, but do those indicate the click rates on actual phishing messages?
Instead, wouldn’t it be ideal to be able to tie the impact of phishing simulations to reduced blocked actions by the web content filters? This would demonstrate the value of the phishing simulations. If I had the appropriate mathematical models, I could look, for example, at attack paths and determine which vulnerabilities in an attack path are worth mitigating and which aren’t.
This is just one example of the application of data science to cybersecurity. In the ideal world, all aspects of a cybersecurity program can be modeled. For example, if you want to determine the best use of your budget, you should be able to put it through a system that optimizes a given budget. If you want to increase your budget, you can model the impact of the resources you want to add to the program and then calculate the return on investment. This would serve to justify your requests.
Likewise in times of budget cuts, when asked to cut your budget by a given amount, you can document the increased risk the company will incur with the budget cuts.
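As an added illustration of the attack-path and budget modelling described above (example code written for this page, not part of the original article or of any product it mentions), the script below ranks vulnerability fixes by expected loss removed per dollar across a set of constructed attack paths, reports which fixes are not worth buying, and prices the residual risk at different budget levels:

```python
# Added example (constructed data): rank vulnerability fixes by expected loss
# removed per dollar across attack paths, then price what a budget cut leaves.

# Each path: the vulnerabilities an attacker must chain, the annual likelihood
# of the whole chain succeeding, and the dollar impact if it does.
ATTACK_PATHS = [
    {"vulns": ("phish-click", "macro-exec", "local-priv-esc", "domain-admin"),
     "likelihood": 0.30, "impact": 2_000_000},
    {"vulns": ("vpn-cve", "local-priv-esc", "domain-admin"),
     "likelihood": 0.10, "impact": 2_000_000},
    {"vulns": ("phish-click", "cred-reuse", "payroll-db"),
     "likelihood": 0.20, "impact": 500_000},
    {"vulns": ("webapp-sqli", "payroll-db"), "likelihood": 0.05, "impact": 500_000},
]
# Constructed one-off cost (dollars) of mitigating each vulnerability.
FIX_COST = {"phish-click": 60_000, "macro-exec": 20_000, "local-priv-esc": 80_000,
            "domain-admin": 150_000, "vpn-cve": 10_000, "cred-reuse": 40_000,
            "payroll-db": 30_000, "webapp-sqli": 25_000}

def expected_loss(paths, fixed):
    """Annualised expected loss from paths that no fixed vulnerability breaks."""
    return sum(p["likelihood"] * p["impact"]
               for p in paths if not set(p["vulns"]) & fixed)

def plan_fixes(paths, costs, budget):
    """Greedy: keep buying the affordable fix that removes the most expected loss
    per dollar; stop when nothing affordable breaks a still-open path.
    Greedy weighted set cover is a heuristic, not guaranteed optimal."""
    fixed, spent = set(), 0
    while True:
        current = expected_loss(paths, fixed)
        candidates = [((current - expected_loss(paths, fixed | {v})) / cost, v)
                      for v, cost in costs.items()
                      if v not in fixed and spent + cost <= budget]
        if not candidates:
            break
        gain_per_dollar, best = max(candidates)
        if gain_per_dollar <= 0:
            break  # only fixes on already-broken paths remain: not worth buying
        fixed.add(best)
        spent += costs[best]
    return fixed, spent, expected_loss(paths, fixed)

def risk_by_budget(paths, costs, budgets):
    """Residual expected loss at each budget level, to document what a cut costs."""
    return {b: plan_fixes(paths, costs, b)[2] for b in budgets}

if __name__ == "__main__":
    fixes, spent, residual = plan_fixes(ATTACK_PATHS, FIX_COST, 100_000)
    print(f"fix {sorted(fixes)} for ${spent:,}; residual expected loss ${residual:,.0f}")
    print(risk_by_budget(ATTACK_PATHS, FIX_COST, [30_000, 60_000, 100_000]))
```

With these constructed numbers the plan never buys the expensive "phish-click" or "domain-admin" fixes because cheaper controls already break every path they sit on, and the budget curve shows that cutting from $60,000 to $30,000 leaves $125,000 of annual expected loss unaddressed.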
At the moment, when most CISOs are asked what they would do with a budget increase or decrease, they would reply to the best of their abilities, but they would not be able to accurately model the impact. Again, a CISO is usually hired for their proven ability to manage a program.
While this may all sound like science fiction, the reality is that the mathematics are available. I have criticized the broad use of the term AI. It is too vague to apply, and at its root, AI is essentially just mathematical algorithms, most of which have been around for decades. It is only now becoming more widely usable, because AI algorithms require extensive processing capabilities applied to big data sets. The processing power has become available, and we now have the required large data sets and the ability to query and process them.
In cybersecurity, we have collected lots of data over the last few decades, and it is available to CISOs to begin processing. There are now tools available, such as the CYE Hyver platform, that take in the data available to a cybersecurity program, supplement it with proprietary and publicly available data, and apply a proven set of data models to support decision making. Even if a CISO doesn’t want to acquire tools that can simplify the process, they can create a data science team that examines the more pressing questions a CISO has to answer. The resulting models may or may not be better than the commercially available tools, but they can be tailored to specific needs.
The gut instincts of an experienced CISO produce defensible results; however, they might not be the best results. More importantly, gut instincts do not create defensible dollar values that a CISO can use to justify and rationalize their requests and defenses. Whether you choose to acquire commercial tools and/or implement your own data science program, it is critical you start. Again, you can be a true artist as a CISO, but you will be a better CISO when you become a scientist.
About the Author
Ira is the Executive Director of the Human Security Engineering Consortium, former Chief Security Architect at Walmart and author of You Can Stop Stupid. He is considered one of the world’s most influential security professionals, and has been named a “Modern Day James Bond” by the media. He earned this by performing espionage simulations, in which he physically and technically “broke into” some of the largest companies in the world and investigated crimes against them, telling them how to cost-effectively protect their information and computer infrastructure. He continues to perform these espionage simulations, as well as assisting organizations in developing cost-effective security programs.