Author: Lee Vorthman

I'm a U.S. Navy veteran and the Global Chief Security Officer (CSO) at a Fortune 100 cloud company where I've built a successful security program from the ground up and have partnered with the business to increase trust and reduce risk. I have over 25 years experience across a wide variety of industries such as technology, government & defense, education and oil & gas. I hold a number of professional certifications such as, EC-Council's Certified Chief Information Security Officer (C|CISO), Digital Director's Network (DDN) Board Certified Qualified Technology Expert (QTE) and ISC(2) Certified Information Systems Security Professional (CISSP). Previously I was the Chief Technology Officer (CTO) for Civilian Agencies and Cybersecurity Initiatives at NetApp U.S. Public Sector and the Chief Information Security Office for an Oil & Gas software company. I am available for consulting and speaking opportunities. Thoughts and opinions are my own and do not represent any employer past or present.

When Risk Management Goes Wrong

Last week I took the opportunity to take some time off and spend a few days with my family at a popular amusement park in California. On the second day my kids and I decided to go to the water park to go down the water slides and during this experience my kids and I were on the receiving end of risk management gone wrong.

Let me explain…

Let’s assume I’m the CSO of this amusement park company and I’m helping the legal team and rest of the C-Suite evaluate the risks involved in this particular activity. So the general question is: “What are the risks involved in going down a water slide?” Here are a few easy examples:

Someone could go down the slide and not be able to swim so they could possibly drown in the splash pool.
Someone could go down the slide and collide with another person in the splash pool injuring them both.

How would you manage these risks as a business to make sure you aren’t continually sued by your guests?

It is easy to take the extreme case and simply try to manage these risks to the point where you have minimized your liability. In example 1, you can simply hire and staff life guards at the splash pool to make sure people don’t drown. You can also minimize the depth of the pool so there is enough water for a safe landing, but not so much that it is over people’s heads. Overall, these risk management techniques would make guests feel safe and not really impact the overall experience of the ride in anyway.

Example 2 is where it gets interesting. How do you make sure people don’t crash into and injure each other? On the extreme case you can make guests wait until the current guest is all the way out of the pool. This would minimize the risk of crash injury and be the safest option, but it comes at a tradeoff. The tradeoff is wait times for the ride, which ultimately impacts guest experience and satisfaction. Waiting for each guest to exit the pool took anywhere from 30 seconds to a few minutes (depending on the guest) before they would let the next guest go down. This doesn’t sound like a lot, but when you add up the time it takes for someone to go down (let’s say 30 seconds) combined with the time for them to get out of the pool (another 30 seconds to several minutes) you are looking anywhere from one minute to several minutes between guests. This means if the line is long your guests are waiting a really long time to ride this ride.

Risk is a difficult concept for companies to navigate because it is subjective. In order to get a reasonable risk outcome you need to use an objective process to make sure you are assessing and managing risk in a consistent way. It is up to the CSO organization to communicate and advise on how to manage risk in a way that is conducive to the business. Most importantly, you can’t let one group dominate the conversation about risk without taking into account other stakeholder perspectives (like legal, sales, finance, HR, IT, etc.).

In this example above the amusement park business minimized their risk at the expense of customer experience. This is equivalent to having extremely long latencies on your e-commerce site as a result of security checks. It may sound like a great idea, but ultimately will impede your business in the long run. In this particular case I am unlikely to go back to that particular amusement park because of the frustratingly long wait times.

As the CSO, it is your job to effectively communicate risk. You could be advocating for a new control to reduce risk, a new process to manage risk or an exception to accept risk. These are all acceptable outcomes as long as the business owners are involved in and acknowledge the ultimate decision. Most importantly, you need to balance customer experience, user experience and the needs of the business when implementing controls and processes to manage risk. At the end of the day not all risk can (or should) be managed because the business has to function and this comes with inherent risk.

A CISO Primer On Navigating Build vs Buy Decisions

Every year CISOs propose and are allocated annual budgets to accomplish their goals for the upcoming year. Within these budgets are allocations for purchasing tooling or hiring new headcount. As part of this exercise CISOs and their respective security teams are asking: should we build this thing ourselves or should we just buy it? It may be tempting to simply buy a tool or to build it yourselves, but both options have advantages and disadvantages. Here are my thoughts on how CISOs should think about this classic business problem.

Strategic Considerations

The first question I ask myself and my team is – will building this thing ourselves become a strategic capability or differentiator for our business? If we build it can we use it ourselves and sell it to customers? Are we building a capability unique to the industry that could lead to patents or a competitive advantage? Most importantly, do we have the resources to develop, maintain and support this capability for the indefinite future? If the answer to these questions is yes, then you should consider building the capability yourself, but this also comes with a cost in terms of people resources.

Use of People resources

While building a capability can look attractive at first, it generally has long term costs that can easily add up to be more than the cost of just purchasing a tool or capability. This is because CISOs will need to staff engineers or developers to build the thing. This means they will need to hire (or borrow) resources who will need coding skills, database skills, AI/Big Data Skills and a bunch of other skills that aren’t typically key skills in a traditional security team.

Let’s say you will need to hire or borrow people to build your new thing. These people have salaries, benefits, bonuses, equipment costs, facilities costs and other expenses that can easily cost as much as (if not more than) the annual cost of purchasing a tool. Additionally, if you hired people, they can’t just move on once the thing is built. They will need to support it, maintain it, etc. If you borrowed resources then you will need to figure out who is going to handle ongoing operations and maintenance of the tool and you need to consider the opportunity cost of using these borrowed resources to build something for you instead of doing something else for the business that could have value.

The point is people aren’t cheap and they tend to be the most valuable resources for a business. Using these resources wisely and in a cost effective way is an important consideration for every CISO.

Financial allocation (CAPEX vs OPEX)

One other consideration for Build vs Buy is how your company allocates financial costs towards either CAPEX or OPEX. The reason this is something to consider is it may be easier to get OPEX budget than CAPEX (or vice versa). This can influence your decision to buy something over building it depending on how finance wants you to allocate the cost (or how easy it is to get budget in one of these buckets).

Time to deploy

Another consideration for Build vs Buy is – when do you need the capability and how long will it take to build it vs how long it will take to buy something and deploy it? If you need the capability immediately it may make sense to buy the tool and deploy it rather than trying to hire resources, onboard them, build the thing, support it, etc.

Integration Costs

Similarly, integration costs can be a huge factor towards whether the capability is truly effective or not. For example, if you can stand up the new thing relatively quickly, but it takes six months or a year to integrate it into your existing tools then that could throw your overall timeline off and may sway your decision towards building it yourselves instead.

Security Considerations of SaaS / Cloud Products

Lastly, and most important, CISOs need to think about the security considerations of buying a product vs building it in house. Software supply chain security is a top security risk for businesses and CISOs need to evaluate new tooling to see if they are adhering to the security requirements required by the CISO. If the product is a SaaS or Cloud Product then CISOs need to think about the risk of sending their data, source code or other information to a third party environment they don’t directly control. Similarly, if the CISO chooses to build the capability in house then they will need to make sure the team is making the new capability as secure as possible so the business and their customers aren’t exposed to unnecessary risk.

Wrapping Up

Choosing to build or buy a new capability isn’t an easy decision. Both decisions have explicit and hidden costs that can be difficult to navigate. Like any decision the CISO should weigh the risk of the decision and ultimately choose the option that supports the strategic direction of the business, meets financial and budgeting requirements and is sustainable by the security organization for the life of the capability.

Why Veterans Make Great Security Team Members

Every year the United States honors its fallen service members during Memorial Day. As a Navy Veteran, I spent this past memorial day reflecting on my time in service, the memories I’ve taken away and most importantly remembering the people I served with who made the ultimate sacrifice.

I also thought about the incredible number of people that work for me and with me who are veterans. In general, the veterans I have led, worked next to or served under tended to be the best employees, peers or leaders over the course of my career. Here is why I think veterans make great security team members.

Candor

Anyone who has served in the military or had a military family member knows people who have served tell it like it is. This is a carry over from giving and receiving orders in times of stress that need to be clear and concise. It is also a firm belief that life is too short and at some point you need to stop talking and take action.

Veterans aren’t afraid speak up in times of uncertainty because when we were in the military confusion could lead to loss of life. It is better to ask the question and be really clear than to keep quiet and risk disaster.

This candor is particularly important in a security team. Is there a weakness the business doesn’t know about? Are you seeing something anomalous that other people have dismissed? Do you have a new idea that could improve a process or reduce risk to the business? Veterans aren’t afraid to speak up when they have something to say.

Perseverence

No matter what branch of service you come from, all veteran’s made it through some level of training that was more difficult than the civilian life they left behind. Sleep deprivation, physical hardship and generally being uncomfortable are table stakes in the military. This means veterans are hardened against failure and generally hate to lose. They will persevere through difficult tasks and can be relied upon when things become chaotic and difficult. They also seek out training to better themselves and add new skills to their repertoire because they may come in handy in the future.

This perseverance is particularly useful in all aspects of security. Attempting to change a culture to a security first mindset requires incredible perseverance. Similarly, implementing new controls, resolving an incident or passing an audit also requires perseverance. I’ve found the veterans on my team take these events in stride and enter them with the confidence they will accomplish their task.

Perspective

Veterans also possess a unique perspective. This perspective comes from the hardship they endured during the military and carries over to civilian life. No matter how bad the situation gets every veteran thinks back to a time that was worse in the military and says “hey, this isn’t that bad!” Civilian life can be stressful and I’ve certainly had my share of burnout, breakdowns and disillusionment, but every time I think back to my time in the Navy and am thankful I’m not deployed away from my family, I’m not getting shot at and I’m not being asked to do things that could put me in harms way.

This perspective is useful during security incidents, but can also be useful during every day routine engagements with the rest of the business. Security isn’t always going to go perfectly and sometimes this perspective can help you see the big picture, keep calm and work towards a solution.

Willing To Take Risks

It shouldn’t be surprising that veterans are willing to take risks. Everyone who has served took a huge risk by leaving their civilian safety net behind. We deployed to dangerous parts of the world in order to protect our country. Additionally, veterans will tell you they served because of the camaraderie of the people who sat to their left and right. We are willing to take huge personal risk to protect our fellow service members.

This risk taking attitude is useful in the security space because it lets us try new things. We aren’t afraid to fail because we know we will learn from the experience and can try again. We are also willing to put ourselves out there if we know it will result in a better security posture or reduce risk to the business.

Security Mindset

I’ll generalize here, but I think veterans inherently possess a security mindset. We are evaluating strengths and weaknesses of attackers. We are looking at the physical security of spaces. We are considering if a control is good enough to manage the risk or if we need to push harder to secure something. Serving in the military means serving in an organization whose sole purpose is to ensure the security of the nation it protects. This mindset exists at all levels and is readily transferable to the civilian sector.

This shouldn’t be surprising since a large number of veterans often pursue a post military career in law enforcement, the government sector or private security. However, I also find tons of veterans in the IT sector and particularly in the security space. We have a common mentality and it is usually very easy to spot someone else who has served.

Wrapping Up

If you find yourself lucky enough to lead or work with veterans, like I do, then I encourage you to take some time to explore their background and what they did in the military. I’ve often found swapping stories with another veteran is a quick way to build rapport. Their candor, perseverance, perspective and security mindset can be huge assets to your security team and your business.

Centralized vs. De-Centralized Security Team?

Whether you are building a security team from scratch, expanding your team or re-allocating resources, you may be wondering what is more effective – a centralized or decentralized security team? Both have their pros and cons and I’ll discuss them and my experience with each in this blog post.

Centralized Security Team

This is probably the most common structure for a security team. In most organizations it makes sense to group all people doing the same thing into a single org. Sales people, IT, Finance, HR, etc. all get grouped into a single org with an executive leader at the top. For the security team it has some distinct advantages.

First, the CISO has direct control over the resources in their org. The reality is, whoever is responsible for the performance reviews and paycheck for the resource, is the one who actually controls that resource. This may sound obvious, but I have seen a lot of weird matrixed, resource sharing organization structures that quite frankly don’t work. There can only be one leader and centralizing the security resources under a single security org provides direct control of how those resources will be used.

Second, it provides a single point of contact or “front door concept” for the rest of the business. If there is an incident, security question, customer inquiry, etc. everyone knows who to reach out to and who the leader is for the security group. This can allow the CISO to more easily track metrics, measure risk and dynamically adjust priorities based on the needs of the business.

However, the downside of a centralized security organization is it often gives the impression that the rest of the business is absolved of their responsibility for security. I have heard the following from various parts of the rest of the business:

Why isn’t security doing that?

What is security doing if I have to do it?

What are you doing with all those resources?

A centralized security team can exacerbate the confusion about who is ultimately responsible and accountable for security within the organization. Or, the security team is held accountable for the security failings of the rest of the business even though they aren’t responsible for doing the things that will make the business more secure. These shortcomings can be overcome with a strong security first culture and when the CISO has strong relationships with the other business leaders in the org.

De-Centralized Security Team

A de-centralized security team can improve on some of the short comings of a centralized security team, but it also has disadvantages.

First, a de-centralized security team allows the business to place resources close to and often within the team that is actually responsible for doing the thing. Think about fixing software vulnerabilities. If the development team building the software product has security expertise on their team, that resource can help prioritize and even fix some of the issues as part of an embedded team member. They can raise the security performance of the whole team. This can be an efficient way to deploy resources on a limited budget.

A de-centralized security team can also spread the cost of security around the org in an equitable way. If each function is required to embed a few security resources then those resources (and headcount) are allocated to that business function.

The downside of a de-centralized team is loss of control. The CISO may still be held accountable for the security of the business, but they may not control the headcount budget for these embedded resources. If the CISO is able to hold onto the headcount budget, that is great, but it doesn’t prevent another issue – having the resources go native.

In my experience, de-centralized teams can often go native. This means the resource fails to prioritize the security asks of the team, fail to hold the team accountable or simply start doing non-security work when asked to do so by the rest of the team. If the CISO doesn’t control the headcount then this is effectively a lost (or non) security resource. Even if they do control the headcount, they may have to constantly battle and remind the embedded resources to prioritize security work. This is a particularly glaring problem when there is a weak security culture within the rest of the business.

What Should I Choose?

There really is no right answer here, but if I had to choose one over the other I would choose to centralize the security team and then spend a large amount of time with the rest of the org to articulate their responsibility for security. In an ideal world, that has a large enough headcount budget, I would choose both. Keep a core centralized team like incident response and GRC, but de-centralize application security engineers and architects within the teams that do development work. The structure of a centralized team and even a de-centralized team will be highly dependent on the needs of the business and who is ultimately responsible security.

However, the reality is your organization probably grew organically with the rest of the company and at some point you may be wondering if your organization structure is best to support the rest of the business. Shifting from centralized to de-centralized (or vice versa) is not impossible, but will require careful thought on how to deploy and control the resources so they can be effective. My suggestion is to start small, experiment and see what works for your org.

Leadership During An Incident

At some point in your CSO career you are going to have to deal with and lead through an incident. Here are some things I have found helpful.

Know Your Role

Unless you work at a very small company, I argue your role is not to be hands on keyboard during an incident. You shouldn’t be looking up hashes, checking logs, etc. Your role is to coordinate resources, focus efforts and cognitively offload your team from key decisions. You need to lead people during this chaotic event.

Declaring An Actual Incident

This may vary depending on company size and type, but in general the CSO should not be the one to declare a security incident. The CSO (and their representatives) can certainly advise and recommend, but declaring an incident carries legal, regulatory and business ramifications that should be made by a combination of the Chief Legal Counsel and some representation of C-Suite members (CEO, CTO, etc.). Once an incident is declared, your company will most likely need to disclose it on SEC forms and customers may need to be notified. All of this could impact your company’s reputation, stock price and customer goodwill.

Use A War Room

A war room is simply a place where everyone can gather for updates, questions, etc. It is a place that is dedicated to this function. If you are physically in the office, it is a dedicated conference room that has privacy from onlookers. If you have a virtual team it is a Zoom, Teams, WebEx, etc. that gets created and shared with people that need to know.

The CSO’s role in the war room is to keep the war room active and focused. Once the war room is created and the right people join, everyone should discuss what happened, what is impacted and what the course of action should be. Document this somewhere and pin it to the appropriate channels. If people join and start asking basic questions, send them away to read the existing documentation first. If people want to have a detailed technical discussion then send them to a breakout room. The point is to keep the main room clear for making decisions and directing resources.

Bridge The Gap

Your role during an incident is two fold – 1) Communicate to other leaders within the company about what happened so you can get the appropriate support to resolve the incident and 2) Direct the appropriate resources to focus on resolving the incident quickly, while following appropriate chain of evidence, legal requirements, customer notifications, etc.

Communicating To Executive Leadership and the Board

Keep it short and sweet so they can respond as needed. The purpose of this email is to inform them so they can give you the support you and your team need. Make sure to invoke legal privilege and keep the audience small (I discuss this in my post about Legal Privilege).

I use the following email template when communicating about an incident.

Subject: PRIVILEGED – Security Incident In [Product/Service X]

A security incident was detected at [Date / Time] in [product x] resulting in [data breach/ransomware/etc.] At this time the cause of the incident is suspected to be [x]. Customer impact is [low/medium/high/critical].

The security team and impacted product team are actively working to resolve the incident by [doing x]. This resolution is expected [at date / time x].

For any questions please reach out to me directly or join the war room [here].

Next update to this audience in [x time period].

Communicating To Responders

Your job here is to get the team any resources they need, offload them from decisions and then get out of their way. It is also important that you buffer them from any distractions and protect them from burnout by enforcing handoffs and reminding people to take breaks. It is easy for your team to get caught up in the excitement and sacrifice their personal well being. Learn to recognize the signs of fatigue and have resource contingency plans in place so you can shift resources as needed to keep the overall investigation and response on track.

Designate someone to help coordinate logistics like meeting times, capturing notes, etc. Capture action items, who owns the action item and when the next update or expected completion time will be.

Have A Backup Plan An Practice Using Them

Hope for the best and prepare for the worst. Can your incident response team still function if your messaging service is down? What if your paging program doesn’t work or you can’t stand up a virtual war room? Part of your incident response playbooks should include fallback plans for out of band communications in the event of a total disruption of productivity services at your company. Practice using these during table top exercises so everyone knows the protocols for when to fall back on them if needed.

Wrapping Up

Incidents are both exciting and stressful. It is up to the CSO to lead from the front and provide guidance to their team, executive leadership and the rest of the organization. CSO’s need to buffer their teams to allow them to focus on the task at hand, while protecting them from burnout. CSO’s also need to remember the conduct and response of the organization could be recalled in court some day so following appropriate evidence collection, notification guidelines and legal best practices are a must.

Do You Need A Degree To Work In Cyber?

In the timeless debate of What qualifications are needed to work in security? (or even the broader IT sector), I want to first start off by saying there are no hard rules. I am not going to gate keep people from the industry by stating you have to have a degree or specific certifications. On the contrary, I think anyone who is sufficiently motivated is welcome to pursue whatever career gives them personal satisfaction. I have seen plenty of individuals who are self taught, without a degree that are amazing. I have also seen plenty of people with degrees that are absolute garbage and so a degree is not a guarantee of quality or suitability for a role. That being said, if I had to choose between two equally qualified candidates in terms of years of experience, qualifications for the job and culture fit, I would choose the candidate with a degree every time and the rest of this post will explain why.

Follow Your Destiny

I want to start by re-iterating that a degree is NOT required to work in cyber or really anywhere in the information technology sector. With the right motivation, curiosity and ambition, anyone can achieve a meaningful career of their choice. There are plenty of online courses, books, certifications, local meetups and professional groups that can offer support to individuals seeking the right knowledge. I think this really comes down to financial opportunity and motivation. If you are unable to afford a four year degree program, are unwilling to take on student loans or are the type of individual that knows without a doubt they want a career in security, then a degree will simply delay you from your destiny.

Setting aside socio-economic, financial and other considerations, I do think degrees offer candidates a number of distinct advantages to individuals in the field of security.

Trade vs Profession

Some of the oldest jobs in the world have made distinctions between trades and professions. Trades like plumbing, electricians and general contracting can offer lifelong job prospects, but don’t offer a lot of flexibility to move between them without re-training. Trades also aren’t typically designing things, establishing standards or inspecting completed work. Contrast this with engineers who are designing the components, establishing standards, certifying designs and inspecting completed projects. The difference is an engineer requires a minimum standard of education to make sure the designs, plans and inspections aren’t going to cause loss of life. Simply put an electrician installs the circuit breaker, but an engineer designs it.

This can be true in the security industry as well. It is certainly easier to gain knowledge and grow in your security career without a degree, than it is in physical trades like plumbing. However, without a degree you are committing yourself to that specific field and assuming a certain amount of personal risk if that field declines or gets oversaturated with candidates. Having a degree offers the flexibility to switch careers or blend disciplines based on the company, economy or personal interest. A degree allows you to diversify your knowledge and specialization outside of your specific job and therefore offers advantages over non-degree holders.

Depth and Perspective

A standard four year college degree also provides depth of education. Degrees introduce students to topics of learning they most likely would never explore or discover on their own. Degrees also broaden perspectives by introducing students to new cultures via languages, travel or exchange programs. In my case, after performing horribly in math for my entire high school career, college helped me discover I was not only good at math, but excelled in a specific field of math called Operations Research.

Degrees also provide a standard of education that require students to master basic subjects like finance, public speaking, communication and writing. These skills are invaluable within the technology sector, which is typically dominated by a technical meritocracy at the expense of softer people skills. They are even more important within the management ranks to help explain and lead initiatives at all levels. It fundamentally doesn’t matter how technically proficient you are if you can’t communicate that knowledge and purpose to others in an effective way.

Perseverance and Commitment

Another benefit of a degree is it provides basic insight into the character of an individual. Degrees demonstrate several key traits that are important for a candidate. First, a college degree conveys an individual is able to take on a long term endeavor and complete it. It shows an ability to commit to and persevere when faced with a challenge. Second, a degree demonstrates willingness to learn and flexibility of mind. You are daring yourself to confront new ideas and grow stronger as a result. Third, a degree demonstrates a basic appetite for risk and a willingness to learn from failure. Students are launching themselves into unknown experiences and confronting failure on a daily basis in order to learn and grow as part of their degree program. Lastly, a degree demonstrates the ability to exist and function within a larger community. Existing, functioning and participating in a group setting is a basic life skill that is essential at all career levels.

Officer vs Enlisted

The military is a good example of why degrees are useful. A four year college degree is a minimum requirement to become an officer in the United States military. Officers have a breadth of knowledge along with some specialization in a specific field that provides an inherent advantage for leadership. General education skills like writing and communication are table stakes for military officers because they help explain mission purpose, gain support from senior leadership, develop tactical and strategic plans, or prioritize courses of action that can snatch victory from the jaws of defeat.

A degree affords the same advantages to management and leadership within the security industry as it does to the military. The ability to understand a variety of topics, think critically, communicate effectively and lead people to desired outcomes is increased when you have a college degree.

Final Thoughts

Degrees are NOT necessary to have a successful career in security. Choosing to pursue a degree should not be compulsory for any role in security and is a highly personalized choice. Information technology fields like security have demonstrated that the barrier between a trade and a profession can be torn down with the right motivation and support. However, I do think degrees provide distinct advantages particularly if you are interested in moving into management or simply becoming more effective in your career. A quality degree in any subject will teach you to think for yourself and demonstrate basic character traits that are valuable in any career field, particularly security.

Techniques For Influencing & Changing Security Culture

Throughout my career I’ve participated in varying degrees of organizational maturity with respect to security. This has involved moving from the datacenter to the cloud, moving between different cloud providers, moving to a ZeroTrust architecture, creating a security program from scratch and maturing existing security programs. During each of these experiences I learned valuable lessons on how to influence the organization to achieve my objectives and ultimately improve security. Below I share four different techniques that you can apply in your organization to get the buy in you need.

Jedi Mind Trick

First up is what I like to call the Jedi Mind Trick and this is one of the most effective techniques for shifting organizational culture. This is my go to technique for philosophically aligning major parts of the organization behind the scenes to get ground swell for an idea. Here’s how it works:

First, identify who the key decision maker is for what you are trying to achieve. Alternatively, you can identify people who are in key positions to block or impede the objective. Next, identify the people who influence these key stakeholders. This can be their direct reports, their peers or even their boss. Begin having regular conversations with these influencers about your idea, why it will benefit the business, how to achieve it, etc. The goal here is to get these people to philosophically align with your objective. Spend most of your energy with these influencers, but don’t neglect the key stakeholders. You still need to have conversations with the key stakeholders and discuss your idea, but you aren’t trying to convince them you are simply trying to make them familiar with the idea. At some point (it could be weeks or months) the key stakeholder(s) will begin to repeat your idea back to you and seek your opinion. All of your hard work has paid off because the influencers have finally done the hard work for you and convinced the key stakeholder(s) to pick up the torch for your objective. The key stakeholder will most likely think this is a unique idea or objective that they identified on their own. This is the moment you have been waiting for. Offer support, discuss what success looks like and then move on to your next objective, confident in the knowledge that your Jedi Mind Trick was successful!

Summary of Jedi Mind Trick Steps

Identify key stakeholders
Identify people who influence key stakeholders
Spend majority of time philosophically aligning influencers. The influencers will do the hard work for you by convincing the key stakeholders
Don’t neglect the key stakeholders. They need to be familiar with the idea, but you aren’t trying to convince them
Once the key stakeholders begin parroting your idea back to you, the Jedi Mind Trick has been successful. Sit back and offer advice and support!

Switcheroo

Next up is a technique I like to call the switcheroo. This technique was actually discovered by one of my Lead Security Architects when we were trying to implement ZeroTrust. During this project we found a number of people who were resistant to the idea because their processes, roles and even self identity were anchored in the status quo. We found the switcheroo to be extremely effective in getting hold outs and naysayers to jump sides and support the objective. Here is how it works:

First, identify people with influence or in critical positions that can derail your project. This may take some time because it won’t be immediately apparent. People don’t usually just say no to something outright. They instead resist change through inaction or by countering your arguments. There is no easy formula for identifying these people. You need to have a strong network throughout the organization and approach your objective in your normal way. Eventually, conversations with stakeholders, influencers, etc. will identify these people as holdouts. Begin spending time with these hold outs to explain the why of your project, how it will benefit the business, etc. Give this person room to voice their opinions, counter arguments, etc. Eventually, it will become obvious that his person is entrenched in their way of thinking and it is now time to break them out of it. During your next meeting continue to explain the objectives, the why and how it will benefit the business, but this time when they voice their objections ask them this simple question:

“I understand your objections for why this won’t work, can you give me a few reasons why this will work?”

Sometimes all you need to do is shift someone’s perspective and I have found the switcheroo to be very effective in doing that. What ends up happening is the person actually convinces themselves for why something will work and in effect you use their own psychology against them. Next time you are up against a hold out that doesn’t want to get on board, try shifting their perspective with the switcheroo.

Summary of Switcheroo Steps

Identify key stakeholders
Identify key holdouts
Spend time with key holdouts to explain the why behind your idea and allow them to express their objections
After a few times listening to the objections of key holdouts, ask them to give a few reasons why your idea will work.

The Noise Breakthrough

The Noise Breakthrough is a similar technique to the Jedi Mind Trick, but it is more direct. The Noise Breakthrough is most useful when you have regular conversations with someone and are trying to convince them to support a particular objective. Regular interactions with key stakeholders across the business are essential for a CISO to be successful, but this can also have diminishing returns. This regular interaction makes it difficult for your stakeholders to parse signal from noise or, said another way, this means your stakeholders are unable to discern when you are saying something that is really important vs. the normal business as usual.

The inability to discern signal from noise isn’t a new phenomenon and it isn’t unique to the business world. Consider your parents growing up and how they would nag you to clean your room or do some other chore. Eventually, you learn to filter them out. The same with a spouse, partner or best friend who is regularly on your case about something. The constant feedback for the same thing has diminishing returns until eventually it won’t even register as something that is important. How can we break through the noise and get back to a signal?

Enter the Noise Breakthrough and here’s how it works. Let’s say you are trying to get the CTO to resolve a security problem, which has been an issue for several months. You’ve been discussing this with the CTO and they philosophically agree it needs to be fixed, but the problem remains. Like other influencing techniques you need to identify who are the key influencers for the CTO. This could be their lead architect, their chief of staff or one of their direct reports. Spend time with this person and get them to align with you. Then ask this person to spend time with the CTO to convince them to take action towards your objective. Sometimes someone just needs to hear something explained in a different way from a different person. Usually, this is enough to break through the noise and get your project back on track.

Summary of Noise Breakthrough Steps

Identify key influencers for your stakeholder
Spend time with influencer to get them aligned to your objective
Ask key influencer to spend time with key stakeholder to help align them to your objective

Compliment Sandwich

The last technique I have found successful is the Compliment Sandwich. The Compliment Sandwich is most useful when you have to deliver constructive criticism or feedback when something is not going as planned. The compliment sandwich allows you to disarm the recipient by first paying them a compliment. The person is then primed to receive additional feedback and this is where you give them the constructive criticism. Finally, you end with something positive such as another compliment or a positive affirmation that the situation will get resolved. Let’s use an example to see how this works:

“Hey Alice, I really liked your lunch and learn last week. It was really informative. However, I couldn’t help noticing you didn’t ground the objective of the presentation in an industry standard control. As a result, your audience failed to grasp “why” your topic was important. It is important to explain “the why” and the priority of what you want people to do so they can prioritize accordingly. Next time let’s work on this together so your message is more impactful. This is a really important concept for your career development and I know you’ll master it after we work on it together.”

Summary of Compliment Sandwich Steps

Give a compliment, praise or positive feedback
Give constructive criticism
End with a positive affirmation or positive statement

Wrapping Up

Security organizations often find themselves at the tip of the spear for technological and organizational change. As the CISO you need to apply different techniques to effect change so you can improve security and manage risk. The techniques above are simple and effective methods for winning over key stakeholders or breaking through barriers that are preventing you from achieving your security objectives.

Chip War Book Afterthoughts

I recently read Chip War by Chris Miller and found it to be a thought provoking exploration of the global supply chain for semi conductors. Most interesting was the historical context and economic analysis of the complexities of the current semi conductor supply chain and how the United States has wielded this technology as an ambassador of democracy across the globe. This book was particularly interesting when considering the recent efforts by the U.S. Administration to revitalize semi conductor manufacturing in the United States via the CHIP Act. Even though the U.S. maintains control over this industry, their control is waning, which is placing the U.S. at risk of losing military and economic superiority.

The US Leads With Cutting Edge Design & Research

One advantage maintained by the U.S. is it leads the way with the latest chip design and research. The latest computer chip architectures increase computing power by shrinking transistors to smaller and smaller sizes, roughly following Moore’s Law to double the number of transistors per chip every two years. In the late 1970’s, the United States was quick to recognize the military and economic advantages provided by semi conductors. Overnight, bombs became more accurate and computing became more powerful allowing decisions to be made quicker and spawning an entirely new industry based on these chips. However, as the U.S. began to rely more and more on semi conductors, the cost needed to come down. This was achieved by outsourcing the labor to cheaper locations (mainly Asia), which subsequently made these countries reliant on the U.S. demand for chips. This allowed the United States to influence these countries to their advantage.

A Technology with Geo-Political Consequences

One side effect of outsourcing the manufacturing of semi conductors is the supply chain quickly became dispersed across the globe. Leading research was conducted in the United States, specialized equipment was manufactured in Europe and cheap labor in Asia completed the package. Until recently, most of this supply chain was driven by the top chip companies such as AMD, Intel and Nvidia. However, other countries, such as China, have recognized the huge economic and military advantages offered by semi conductors and as a result have started chipping away (pun intended) at the United State’s control of the semi conductor supply chain.

The US Can’t Compete On Manufacturing Costs

Despite the passing of the CHIP Act, the United States faces a significant battle to wrest chip manufacturing from the countries in Asia (and mainly Taiwan). The cost of labor in the United States is significantly higher than other countries. Additionally, countries such as Taiwan, South Korea, Japan, Vietnam and China have heavily subsidized computer chip manufacturing in order to maintain a foothold in the global supply chain. In order to compete, the United States will have to make an extreme effort to bring all aspects of manufacturing into the country including heavy tax breaks and subsidies. This will effectively turn into economic warfare on a global scale as the top chip manufacturing countries attempt to drive down costs in order to be the most attractive location for manufacturing.

Supply Chain Choke Points Are Controlled by the US and its Allies (For Now)

However, driving down costs won’t be easy. The highly specialized equipment required to manufacture chips needs to be refreshed every time there is a new breakthrough. The costs are tremendous and make it difficult to break into the industry. Instead, the U.S. has been focusing on maintaining control of particular aspects of the supply chain and even blocking acquisitions of strategic companies by foreign entities. The United States also exerts pressure on the countries within this global supply chain to allow it to maintain an advantage. Yet, as new countries rise to power (China) and seek to control their own supply chains, these choke points will dwindle. Additionally, as non U.S. allies (frenemies?) gain market share in the chip supply chain, the U.S. and its allies need to consider the security of the chips they are receiving from these countries.

Final Thoughts

Chip War by Chris Miller is a fascinating look into the history and global supply chain of semi conductors. For the past 50 years the United States has maintained military and economic advantages over its rival countries as a result of semi conductors. However, this advantage has been waning over the past two decades. The CHIP Act is recognition that the United States must begin to claw back some of the globalization of the supply chain and bring critical parts of the industry back to the U.S in order to maintain economic and military superiority in the future.

Your CISO Has Career Goals Too

I’ve been thinking about performance reviews lately and how they are a time for you to receive feedback from your manager about how you have performed over a specific time period. It is an opportunity for the employee to communicate achievements that demonstrate growth and it is also a time for the manager to give direct feedback on behavior that needs to start, stop or continue. These discussions typically involve a conversation around what goals the employee has and how the manager can best support them. However, one thing the employee should keep in mind is your manager has goals too. For the CISO this could be business objectives such as improving incident response times, lowering risk or becoming compliant with a new regulation. There could also be personal goals like speaking at a conference, serving on an advisory board or getting promoted to the next job level (e.g. Director to Vice President). The important thing to remember is – everyone has goals no matter what level they are at. Understanding these goals can help employees understand the personal motivations of their direct manager so they can support them if the opportunity arises.

Managing Up

Managing up is a key concept for employees to understand and master throughout their career. Managing up involves influencing, providing context and helping your direct manager understand ways they can best support you. Yet, employee manager interaction should be a two way dialogue. In the same way managers employ situational leadership to lead employees based on their personalities, employees should also seek to understand their manager’s motivations so they can best support them.

Find Out What Goals They Have

One of the easiest ways to support your manager is to bond with them by getting to know them on a personal level. Ask them what personal goals they have, what motivates them, what parts of their current job do they enjoy and what parts do they try to avoid? Maybe your CISO also wants to gain more responsibility by building a privacy function. Or, perhaps they have identified a new risk to the business and need to put together a team to address it. Your CISO is a human being and they have career and personal goals just like anyone else. By asking questions about their goals, your CISO can discuss them with you and gauge how to best involve you so you can both get ahead. Here is a short list of goals your CISO may have:

Personal Goals

Speak at a conference
Gain a new certification
Obtain an new degree or complete a certificate program
Get promoted to the next career level
Serve on an advisory board
Expand their professional network
Learn a new skill
Understand an emerging technology

Business Goals

Obtain a compliance certification (ISO, SOC, FedRAMP, etc.)
Take on a new responsibility
Achieve an objective or KPI (e.g. reduce risk, reduce response times, etc.)
Establish a new strategic partnership
Stop doing something that frustrates them

What Can You Do To Support Their Goals

Once you understand the personal and career goals of your CISO you can begin to align some of your career goals to support them. This could mean completing objectives that directly align to the business objectives for the CISO. Or, it could mean offloading your CISO from activities that frustrate them so you can gain experience and grow your career. This will free up the CISO to take on new activities and you can advance your career by drafting in their wake. This is also an opportunity for you to offer suggestions about where you think you can offer the greatest assistance for areas that align to your own career goals and personal interests.

Wrapping Up

Performance reviews and career management shouldn’t be a one way activity. Employees who understand the personal and career goals of their CISO can better align their activities to support them. This can lead to learning new skills, taking on new responsibilities and accelerating their career progression. Next time you have a performance review conversation with your manager, take the time to ask your manager what goals they have and how you can best support them because it will pay dividends in the long run.

Defining Your Security Organization

Whether you are inheriting an existing security team, or building an entirely new function, one of the first things you should do after building a strategic plan and creating an organization plan is to define what you want your security organization to look like. This step builds upon the organization plan by defining what each role in your organization will do (including skillsets), what the career path is for each role and what success looks like for each job function. This will not only help define the details or your organization plan, but it will help lay the foundation for how you want to build your organization (if you are starting from scratch). If you are inheriting and organization it can help you establish your expectations by clearly defining what you want from each part of your organization. It can also help you plan for a re-org or help to diagnose performance issues with a particular team or within the overall security org.

If you are part of a large organization most or all of this will be defined by your HR department, but I still find it useful to tailor the general HR approach to your specific security organization. If you are part of a start up or small organization then you may need to define everything yourself.

Mission Statement

First, I recommend creating a mission statement. This should be a really short statement about the overall purpose of the security organization. This mission statement will not only help to clarify what your group is trying to achieve, but it will also give a sense of purpose to the security practitioners within the security org. I recommend creating a mission state at the org level and then for each function within the security org to help clarify the purpose of that function. This will be useful to explain what your security functions do, especially when interfacing with non-security groups like legal, finance, hr, etc.

Example:

The mission of the security org is to enable [company x] to effectively manage risk related to security and privacy of our products and services.

Role Definitions

Once you have defined the purpose of your org, you will want to look at your organization plan and define what each role will do. Security Engineers, Security Architects, DevSecOps Engineer, Governance & Risk Practitioner, Incident Response Analyst, etc. will all need a short description of what the role will do. Going through this exercise will serve three purposes. First, if you need to hire for any of these roles you can use most of this information in the job description. Second, if you already have people in the role, it will help clarify your vision for the purpose of that role. Lastly, if you need to request budget, these role definitions will help explain what these people are going to do as part of the budget request.

Example Role Definition: Security Engineer

Designs, builds, configures, diagnoses, integrates and maintains security tooling required by the security organization. Establishes requirements, performs trade-off analyses and recommends tool selection. May work with other IT or engineering groups within the organization.

Career Paths

Once you have the roles defined you will want to establish career paths for these roles. Establishing career paths will require you to think about the scope and impact of each level of the role. For example, if you have 5 levels in your organization you will need to define titles for each level, the skillsets for each level and how those skills increase in scope and impact. You will need to do this for both individual contributor roles and management roles. I recommend breaking out the skills into general and role specific.

General Skills

General skills are skills required by all employees in your organization. These include things like communication, strategic thinking, agility and collaboration. If you are part of a large organization, these skills should already by defined so you can work with your HR team to adapt them to your security function and then define what each employee should be demonstrating at each career level.

Example: Communication

Level 1 – Able to articulate clearly and concisely when communicating
Level 2 – Able to convey thoughts and opinions in a compelling manner to the appropriate audience
Level 3 – Gains support for new projects by clearly communicating value and addressing concerns
Level 4 – Builds networks throughout the organization to support large initiatives and future endeavors
Level 5 – Champions strategic initiatives in ways that generate organization wide support

Role Specific Skills

Role specific skills are skills required by each role. They are unique. An engineer may require hands on knowledge of specific security tooling and the underlying platforms. An incident response analyst will require in depth knowledge of how to respond, contain and recover from an incident. Governance and Risk analysts may require specific regulatory knowledge. Input for these skills can come from the CIS or NIST control sets, industry job postings and industry certification requirements. All of these need to be defined in increasing scope and responsibility so employees know what is expected and can prepare for the next level of the role.

Example: Security Engineer

Level 1 – Demonstrates a working knowledge of security engineering concepts such as network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.
Level 2 – Demonstrates a detailed knowledge of one of the following security engineering concepts – network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.
Level 3 – Demonstrates a detailed knowledge of one or more of the following security engineering concepts – network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.
Level 4 – Demonstrates a expert knowledge of one or more of the following security engineering concepts – network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.
Level 5 – Demonstrates and applies expert knowledge of one or more of the following security engineering concepts – network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.

The career paths will help you during budget requests to justify why you need a specific role level. For example, maybe an upcoming initiative is really critical and has a tight timeline so you need to hire someone very senior so they can start making an impact right away. Alternatively, maybe you want to hire a more junior person because it will fit in the budget, but now you need to plan to train them and ultimately, the project will take longer to complete.

Career paths will also help clarify what your team members should be working on to get promoted to the next level. They are also useful during goal setting, career conversations, performance reviews and mentoring sessions.

Example Career Path: Security Engineer

Level 1: Associate Security Engineer
Level 2: Security Engineer
Level 3: Senior Security Engineer
Level 4: Principal Security Engineer
Level 5: Distinguished Security Engineer

Scope and Impact

The last thing you should do as part of this exercise is define the scope and impact for each career level. Defining scope and impact gives further clarity to your team members about how they should be thinking about their role and what success looks like. It defines what part of the organization they should spend their time in and who (or what level) they should think about interacting with.

Example: Scope & Impact

At the end of this exercise you will be left will a very detailed explanation of not only what your security organization looks like, but what success looks like as well. Your Role Definitions will provide a short description of each role, your Career Paths will help define the levels and performance expectations for each role and the Scope and Impact will define the level where each role is expected to contribute. All of this will become a reference guide for every single member in your security org and will help you as the CSO to budget, plan, diagnose and shape your organization to achieve success.