Proposed SEC Rule Changes For Cyber

In April of this year the proposed amendments to the cybersecurity disclosure rules are expected to be finalized. These rule changes will change the way companies report cybersecurity in two main areas. First, they will change when and how companies report security incidents. Second, they will require companies to report how they manage and govern cybersecurity risk. Let’s dive into how these changes will impact companies and the overall industry, and how CSOs can help their businesses navigate the changes.

Changes To Incident Disclosure Requirements

The first major change will standardize how companies disclose cybersecurity incidents. These changes will require companies to report a material incident within four business days and provide updates to past incidents for up to two years after. The effects of these changes are expected to make it easier for consumers and investors to evaluate the impact of a security incident and ultimately how well a company deals with security incidents over time.

The long term results of these incident disclosure requirements may mean publicly traded companies begin to see impact to their stock prices as more material incidents are disclosed. The loss in shareholder value will ultimately result in companies investing more in their cybersecurity programs to better handle incidents or recover more quickly with the goal being to maintain investor or consumer trust. Also, requiring companies to disclose incidents within a specific time period may initially result in more lawsuits, which in the long run may force companies to invest more in security to reduce or manage risk.

For a CSO, I recommend evaluating your existing incident response and disclosure plan. Discuss with your legal and finance teams the criteria for declaring an incident, what constitutes a material incident and how to report this information within the SEC timelines. Four business days is a tight timeline for determining what happened, how it happened, the scope of what happened and accurately reporting this within the standard SEC forms. It will also be challenging to comply with the new SEC rules while at the same time notifying the appropriate partners, customers or consumers so they aren’t learning about it first from the SEC disclosure. This may result in businesses rushing out the disclosure without all of the details, which could erode investor and customer confidence. Or, it could result in the company changing their rules for determining a “material” incident, which might buy them some time to delay the disclosure for more accurate reporting. This will be a fine line to walk and I highly recommend the CSO partner with the Chief Legal Counsel and Chief Financial Officer so they don’t run afoul of the new rules.

Lastly, a CSO will also want to help their organization navigate the risks of these disclosures. It is possible that a company will still be remediating or recovering from an incident when they are required to disclose the incident in their SEC forms. This could disclose details about the incident, the attack and vulnerabilities in a public forum, which could invite follow-on or copycat attacks. A CSO will need to guide their organization on how to manage these disclosure risks while dealing with the ongoing incident. I strongly recommend you run your executive staff through one or more tabletop exercises that run through various scenarios you may encounter.

Disclosure Of Cyber Security Risk Management & Governance

The second major change will require companies to disclose how they are managing and governing security risk. This will require companies to provide details into their security strategy, security policies and criteria for selecting third party service providers. It will also require disclosure of management’s role and qualifications for assessing and managing security risk.

Overall, I think these changes will have a positive effect on the CSO role. Organizations that previously gave lip service to establishing, funding and governing a comprehensive security program will now be evaluated by investors and consumers in a standardized public forum. Stiff penalties will follow in terms of loss of market value, loss of consumers or even fines from regulatory agencies if organizations fail to adequately meet “industry standard” or investor expectations for security programs.

Additionally, CSOs can now “strut their stuff” by continuing to build, document and lead comprehensive security programs that measure and manage risk. These programs will stand as evidence to the investment and preparedness of the organization to deal with security incidents and manage risk. The new SEC disclosure requirements will allow investors to evaluate and ultimately reward organizations that are meeting expectations for security maturity and resiliency.

Requiring boards and executive management (named officers) to disclose their role and qualifications for assessing and managing security risk will also have a positive impact on how CSOs and security organizations are treated throughout the company. First, it will become commonplace for organizations to seek seasoned security veterans for a position on their boards. There will be an initial rush to find appropriate talent, and in the long term these board positions will become a new career path for former CSOs and security executives.

Second, the addition of security experience to boards will mean CSOs have an ally at the senior levels of the company who understands risk and can help drive conversations around security that would otherwise be glossed over or dismissed. For boards that don’t hear directly from the CSO, security minded board members can explore security topics with their representatives (like the CTO, CIO or Chief Legal Counsel). The end result will elevate security and risk as a topic of importance within board rooms, beyond the current discussions.

Third, supply chain security will continue to receive focus now that organizations will be required to disclose their selection and evaluation criteria for third party suppliers. Publicly traded companies will seek to identify and manage this risk through comprehensive security evaluations of third parties or even by developing comparable capabilities in house. Publicly traded companies will also look to limit their liability from third party suppliers, and so I expect increased contract language requiring specific security controls, with penalties passed on to the third parties for security incidents they cause.

Possible Ripple Effects

Overall, I consider these new rules to be a good thing. They will elevate the conversation of cybersecurity risk to the board level and require companies to prove their maturity through standardized disclosures that investors can evaluate. However, there will be some interesting ripple effects as a result of these rule changes.

First, as organizations begin to comply with these rules and disclose aspects of how they govern cybersecurity, there will be a chaotic period where publicly traded companies seek to find the line between disclosing too much information and not enough. The industry as a whole will begin to evaluate these disclosures for what is considered acceptable or “good,” and this will eventually drive the industry to a steady state where the disclosures become normal or standard.

Second, the third party evaluation and disclosure requirements will have a trickle-down effect on third party vendors (both publicly traded and private companies) because they will be forced to meet the elevated security standards of the companies they provide products or services to. Third party vendors will also need to worry about any new legislation that will hold them liable for security issues in their products and services, as specified in the new National Cybersecurity Strategy. This will ultimately raise the bar or maturity for the entire industry, which is a good thing.

Lastly, I expect a niche industry of board level security certifications to pop up that certify executives for board level service. Service on a board as a certified security representative will also be the new resume builder or LinkedIn credential that senior security executives aspire to in the later stages of their career. This may also become an area the SEC chooses to define in the future, such as number of years of experience required to serve on a board, credentials required, certifications, etc.

Wrapping Up

Overall, the new SEC cybersecurity rules look to strengthen investor and shareholder confidence in the way a company is handling cyber risk and increase transparency around how the company has handled events over the past 2 years, which could become material in how investors view the health of the company. In short, cyber maturity will become another criterion for evaluating the performance of a company. Ultimately, these rule changes will elevate the maturity of security across the industry and enhance investor and consumer trust in a company’s ability to manage cybersecurity risk.

Link to Proposed Rule Changes

Five Take Aways From The New 2023 National Cybersecurity Strategy

In the first week of March, the White House released the new National Cybersecurity Strategy that outlines areas of focus and investment to “secure the digital ecosystem for all Americans.” Like most strategies, it is high level, broad in scope and forward thinking. Most of the strategy covers expected topics, with objectives like protecting critical infrastructure, investing in research and development, expanding the qualified cyber workforce and increasing public-private collaboration. However, I found a few of the objectives thought provoking and ambitious because they have the potential to mature or disrupt the industry if enacted into standards or legislation.

Ransomware

The United States has labeled ransomware as a strategic objective that needs attention to prevent disruption of critical infrastructure and other “essential services,” like hospitals. Payments from ransomware support the activities of criminal groups, and ransomware attacks result not only in financial loss but can result in loss of life through the inability to provide accurate or timely care. Dish Networks is the latest victim of ransomware, resulting in a 20% decrease in stock price, not to mention the amount it costs Dish to recover from the attack, including the loss of revenue from the inability to process payments or provide adequate support.

Ransomware is a difficult problem to solve because the government can’t magically secure all of the vulnerable networks and systems in the US. Instead, the US Government plans to target the financial networks that process ransomware payments, disrupt infrastructure that supports ransomware and place diplomatic pressure on countries that continue to provide safe haven to ransomware operations. It will be interesting to see what effect this will have on ransomware attacks, but optimistically, I hope this will have the same result as recent high profile botnet disruptions.

As of yesterday, the administration can claim its first success in taking down part of a ransomware gang in Germany and Ukraine responsible for DoppelPaymer and tied to EvilCorp.

Privacy

The White House considers privacy a strategic objective for the United States. The European Union set the global standard for privacy with GDPR, and since then the United States has lagged behind other countries on national privacy regulations. This is evident because several states like California and Colorado have already passed privacy laws that establish fundamental rights to privacy for their residents, and there are another three dozen bills in progress across several states in the US. A patchwork of state privacy laws will make it difficult for companies to navigate and satisfy each individual privacy law. Citizens in the United States suffer from poor privacy practices from companies that seek to monetize their data or use it for strategic purposes.

There are dozens of privacy bills floating around Congress to address individual privacy, financial privacy, health privacy, and education privacy. These laws would give US Citizens fundamental rights to their privacy, the ability to control how their data is used and shift the collection of data from opting out to requiring consumers opt in to collection. A national privacy law would help consolidate the patchwork of state legislation and make it easier for businesses to navigate the new requirements. It would also place the United States on equal footing with other international standards like GDPR, which has had a significant impact on advertising and marketing business in the EU.

Liability for Third Party Software Security

One of the most interesting strategic objectives in the National Cybersecurity Strategy is the intent to “shift liability for insecure software products and services” to the companies that produce them. This has the potential to mature the technology sector by establishing a standard of security quality through legislation or penalties. The administration intends to do this by establishing a framework that will shield companies from liability if they follow the secure development practices in the framework.

In reality, software development is not that simple. Following a secure software development framework will not address the complex software supply chain security issues facing the technology sector. Use of open source software libraries is a common development practice that accelerates the development of software so companies don’t have to re-develop functions for themselves. This accelerates the software development life cycle and also self regulates by allowing the industry to settle on and standardize certain functions or technologies. While I applaud the sentiment to hold companies liable, it is unclear where the liability stops, and this may actually hinder innovation in the technology sector. If a business includes an open source software package in their software, are they now liable for the security of a software package they don’t control? Or, does the liability pass on to the random person who built the software package from their basement? Will companies now shift to stop using software they don’t control and develop these capabilities in house, which can divert development resources from producing products and services that generate revenue? What about embedded systems that have limited network connectivity or limited storage space to support continuous updates?

When looking at the history of massive security breaches like Target, SolarWinds, Sony or Equifax, there is certainly a need to hold someone accountable, particularly when the incident impacts consumers, shareholders or critical infrastructure. However, there are too many questions and complexities within existing software supply chains to simply regulate this problem away. I cautiously look forward to seeing how the administration navigates these issues without impeding innovation or levying burdensome penalties.

Federal Cybersecurity Insurance

One of the more interesting strategic objectives is to explore the creation of a Federal Cyber Insurance backstop. The concept is similar to FDIC for banks or disaster relief funds for natural disasters. A government cybersecurity insurance fund could be used to support areas of economic strategic investment that are not mature enough for full-blown commercial cyber insurance but need some sort of financial safeguard. The backstop can also be used for national level services that would have a catastrophic impact on the country if they were impacted by a cyber event. A federal cyber insurance fund could be meted out like a disaster relief fund to help these critical services restore functionality or shore up finances in a time of crisis. Overall, I think this is a good thing and could provide some stability to a technology sector that is at times beholden to a cybersecurity insurance industry with high rates and uncertain payouts.

Global Supply Chain

The COVID pandemic broke the equilibrium of a fragile global supply chain. Small disruptions in factory output or the availability of supplies brought several previously stable industries to a halt. As a result, the United States is rightfully considering the security of this global supply chain and what components are critical to maintaining military and economic superiority.

Computer chips are at the forefront of maintaining this military and economic superiority. In 2022 the White House signed an executive order, called the CHIPS and Science Act, to fund initiatives to make critical supply chain components, like semiconductors, in the United States. Shifting or changing the global supply chain will take time, particularly with semiconductors, and so it makes sense to start immediately. Almost all of the manufacturing for semiconductors occurs in Asia (South Korea, Taiwan and China), and it makes sense for the United States to begin to diversify this critical resource away from a geographic region that is seeing increasing geopolitical instability. For example, if China invaded Taiwan it would massively disrupt the global supply chain for the rest of the world (including the United States). However, most semiconductor industries have been built with, or heavily subsidized by, local governments, and so the United States will have to match or exceed these subsidies if it truly wants to be competitive in the global market while securing a critical component of the supply chain.

Wrapping Up

Overall, the National Cybersecurity Strategy is a comprehensive and forward thinking strategy that has identified areas of national strategic cybersecurity importance in need of investment. Not all of the strategic objectives are clear on how they will achieve the goal without causing unintended negative consequences, but the intent to improve the resilience and preparedness of the United States is evident.

Thinking About Compensation

In the last quarter there have been a significant number of layoffs at high profile technology companies. The economy has also made these layoffs particularly challenging. If you didn’t receive a raise of at least 12% last year to keep up with inflation, then you didn’t get a raise or even got a pay cut. A job market flooded with candidates combined with top candidates seeking new positions means the job market is heating up for tech positions across the board. Some of these positions will be CISO level jobs and if you are in the market to make a career change you will inevitably run into salary negotiations at some point during the interview and negotiation process. Here are some things you will need to think about as a new or repeat CISO when negotiating for compensation in your new position.

Job Level

The management level of the CISO role varies across industry and company size. Some CISO roles are Director level, the majority are VP level (including Sr. VP and Executive VP) and a few are truly C-Level as named officers of the company. The role level should be commensurate with the level of responsibility – the more responsibility, the greater the impact to the company and the more senior the role should be. Likewise, the more responsibility, the more risk you are assuming (or responsible for) and so compensation should recognize and reward this.

Company Size

The first choice you will need to navigate is what type of company you want to work for. Public vs. private companies will be the main tradeoff, but government or public sector may also be something else you are considering. The main thing to consider with company size is that you typically can get a higher title at a smaller company, but this comes at the expense of a lower base salary or more risk in terms of the longevity and stability of the company or the ability to liquidate your equity. However, this risk comes with the potential for a bigger payout, and so it is important to really do your research and make sure it is something you truly believe will succeed.

Government and public sector also offer interesting advantages. These roles can come with high visibility, but will typically offer lower salaries or total annual compensation than the private sector. The tradeoff here is you are forming highly visible connections across government and the public sector. You can also establish your reputation on a nationwide level. Lastly, government and public sector positions offer a pension or some form of retirement after the fact. Private sector companies typically do not offer the same level of retirement unless you self fund or have a match via an employer plan. There is a real tradeoff between private and public sector in terms of immediate compensation or deferred compensation, which will come down to your overall financial goals and associated timing.

Risk vs Reward

Let’s briefly talk about risk vs. reward. The type of company you choose to work for and the sector you choose to work in will dictate how much risk you are assuming, which will directly impact your compensation. On the one extreme there are startup companies. They offer the most risk, but also the most reward. On the conservative end of the spectrum there is government and public sector. These jobs are really stable, but can’t match the big pay offs that are associated with start ups or publicly traded companies.

(Graph: Reward vs. Risk)

In the graph above I placed public companies as having more risk than private companies due to the fluctuating nature of equity that typically makes up a large portion of the compensation at these companies. However, the real answer is “it depends” and so I encourage you to do your homework on the company you are considering.

Total Compensation

The next thing to understand is: what is the total compensation for the position and what makes up that total compensation? I often find interview candidates are hyper focused on base salary because it offers the guaranteed paycheck each month. However, there are a lot of other ways to build a total compensation package, especially at the executive levels. My recommendation is to take the time to understand all of the components that go into total compensation at the new role. Carefully evaluate the risks to determine what you are comfortable with, then use that to discuss options with your prospective employer.

Cash Equivalents

Base salary is the big one here, but not the only one. This is the safest form of compensation because it is explicitly written in your offer letter and arrives at regular intervals. I will also lump sign on bonuses into base salary because they are typically granted when you start employment or are guaranteed payouts over a period of time (subject to remaining with the company for a specific term).

Annual Bonuses, Incentive Compensation Plans, Long Term Incentive Plans and Profit Sharing Plans are next on the list in terms of risk. These are basically cash payouts that are given at some interval (monthly, quarterly, semi-annually, annually) depending on the performance of the company. For example, if you are supposed to get a $100 bonus quarterly and in the first quarter your company misses their financial goals, they may choose to only finance 75% of the bonus amount and so you only get $75 that quarter.

Likewise, commission (if applicable) is essentially cash in your pocket, but assumes an amount of risk depending on your sales cycles, lead times, what vertical you are in, your customer, etc. CISOs who are in a public facing role at a product company may be eligible. Similarly, CISO Advisors who help drive sales may also be eligible for commission.

Commission is a lever you can pull on depending on how much risk you want in your compensation. Sales people typically carry very high commissions as percentage of base salary to incentivize them to get out there and sell. Sales engineers or indirect sales people typically have a much lower commission percentage as part of total salary.

Another common compensation option, particularly at public technology companies, is equity. Equity can come in many forms such as Restricted Stock Units (RSUs), Shares or Stock Options. All of these require some sort of sale to convert them to cash and their value will depend on the vesting schedule, how the company is performing, how the stock market is doing (if a public company) or the terms of your ownership in the company that specifies when and how you can sell your stake.

Equity is a form of compensation that allows the employee to assume an amount of risk in their total compensation and it ties their performance (and compensation) to the performance of the company. For a CSO this can be an incredibly rewarding form of compensation particularly if you help take a company through IPO or help mature a company to grow revenue or increase shareholder value.

All of these cash equivalents are negotiable, particularly things like amounts, vesting schedules, strike prices or even equity percentages. Whether or not you get some or all of these will depend on the company and job level of the role.

Indirect Compensation

Other things that will contribute to your paycheck are the benefits your company will provide. Here is a list:

  • Healthcare – Do they cover healthcare, what type of plans do they offer and how much does the company cover? Do they have an on site gym or allow employees to expense gym memberships?
  • Vacation / Leave – Does the company offer unlimited time off or are you limited to a certain number of weeks per year? What is the accrual rate, are there blackout periods, are there times when the whole company is expected to take off?
  • Retirement – Does your company offer a 401k match and what other type of retirement investment options do they offer? Does your employer offer a deferred compensation plan, which can be useful as you approach retirement age?
  • Training & Continuing Education – What type of training does your employer cover? Do they support you going to conferences? Does your employer offer tuition reimbursement or even pay for a full executive education program if you are considering going back to school? Do they cover professional memberships and certifications?
  • Work Permits / Visa Sponsorship – Do you require visa sponsorship, and does your prospective employer offer it?
  • Relocation Assistance – Do they offer relocation assistance if you are being asked to move? What type of accommodations and support will they provide if you are being asked to move to a foreign country?
  • Travel & Expense Policies – What type of travel policies do they have when you travel? Do they provide you with a cell phone or allow you to expense your current phone and plan? Do they pay for your internet connection if you are a remote employee? Do they cover mass transit passes or parking (if located in a major city)?
  • Discounts & Perks – Do they offer employees other perks like discounts, free tickets to sporting events or awesome swag?

All of these options will vary depending on the company you are considering and it is important to ask questions and consider all of these additional benefits that will indirectly boost your paycheck.

Other Things To Consider

When negotiating for your new CISO role, there are other things you may want to consider asking for depending on your job level and amount of responsibility.

First, you will most likely want to negotiate a severance if you are laid off or terminated as a result of a security event. Typical severance packages offer some amount of base salary payout, but can also include accelerated vesting schedules, guaranteed bonuses, relocation, cash payouts, etc. Severance packages typically don’t come into play until the more senior levels, but given the high risk nature of the CISO role it is something to ask about during the interview or salary negotiations.

Second, if you are in the senior management ranks it is important to ask if the role is going to be a named officer of the company. If it is, you will want to ask about being included in the liability policy for Directors and Officers. If not, you may want to ask if the company has a standard corporate liability policy and if you can be included in it, which can help protect you during lawsuits or other legal issues you may encounter while employed in the role. You may also want to negotiate for the company to cover your legal fees if you are sued and have the ability to select and retain legal counsel of your choosing that the company pays for, but represents you.

This brings us to the last point of consideration, which is contracts and contract terms. At the more senior ranks it is typical to negotiate for all these things but agree to stay for some period of time as specified in an employment contract. This contract may also have specific non-compete agreements, specific non-disclosure agreement terms and other terms you may have negotiated. The key takeaway is to get everything that has been agreed to in writing and included in the contract.

Wrapping Up

Salary negotiations can be stressful, but they don’t need to be. Doing research, asking questions and knowing your worth can help make salary negotiations go smoothly. Some states now have pay transparency laws which can make it easier to understand the compensation range for the role. At the higher employment levels you may want to consider retaining a compensation lawyer who can draft and review contract or compensation terms on your behalf. Not all of the options I’ve mentioned above will be available at your employer or at the job level you are applying for and so taking the time to understand what is available is important to make sure you are being compensated and protected appropriately.

How Playing Video Games Can Help Your Career In Security

One of my favorite things to do after work is to sit down and play video games. I’ve enjoyed playing video games ever since my father purchased the first family computer in 1986. Now many years later, high powered video game consoles combined with fast internet connections have made playing video games a truly incredible experience and I believe playing video games helps develop and reinforce the skills that are important in a successful security career. Let’s look at some of the skills required by both video games and security professionals.

Problem Solving

One of the most important skills when playing video games is problem solving. Whether you like first person shooters, role playing games, racing games or any other game, all of them require you to determine how to achieve some sort of objective like getting to the next level or unlocking a secret. The thought processes required to solve riddles and level up in video games are also useful in security.

Problem solving in security is important in every discipline. CISOs need to determine how to best manage risk, while supporting the needs of the business. An incident responder needs problem solving skills to determine the nature of an attack and how to best recover from the incident. Security engineers identify problems, establish requirements and then solve the problem by building the solution. All of these roles (and the rest of the Security Org) need well developed problem solving skills to be successful in their role.

Curiosity

Curiosity is also an important skill in video games. What is in this crate? Where does this path go? How do I open this door? What does this new skill do? Exploring the limits of the game is essential to ultimately beating the game, and that is also why curiosity is a fundamental skill for working in security. The security industry is inundated daily with new vulnerabilities, new technologies, new attacks and new methods to defend against them. Persistent curiosity is required to continually advance your knowledge, test the limits, learn new skills and ultimately persevere in protecting the business.

As a CSO, curiosity is an important skill to exercise every day. Asking questions to understand how regulations will impact your industry, how business processes work, how products function or how customers interact with your business is important to inform your decisions on how to best protect the business and manage risk.

Collaboration and Teamwork

Over the past three decades some of the most popular video games have been multiplayer games that rely on collaboration and teamwork to win. When working in a team you increase your odds of capturing a flag, completing a quest, winning the race or beating the game. Teammates can help you, resupply you and even save your life. Just like in video games, security requires teamwork and collaboration to be successful.

A CSO needs to collaborate with the rest of the business in order to understand how to best manage risk. CSOs need to understand every part of the business to be successful, incident responders need to work as a team to protect the business, compliance professionals need to work with the business owners to gather evidence and governance teams need to work with the rest of the business to establish processes that are minimally invasive. All of this requires teamwork and collaboration in order to be successful.

Attention To Detail

Video games offer unique challenges and the ability to pay attention to small details is often important to complete quests, solve puzzles or beat a level. Racing games require the ability to absorb small details at incredible speed, sports games require players to pay attention to detail to score a point and strategy games require players to pay attention to small details to beat enemies or unlock new skills. Attention to detail is an important skill when playing video games and it is also an important skill in security because all roles in security require attention to detail, which can be the critical difference in resolving a vulnerability or reducing risk.

Often, the small details make the biggest difference in security. GRC professionals need attention to detail to understand specific regulatory requirements or frameworks and how they apply to specific controls or technologies. Incident response professionals need attention to detail to understand how to respond, how to gather evidence and how to recover. Sometimes, it is the small details that someone notices that lead to an investigation and that investigation leads to an incident. Finally, CSOs need attention to detail to understand how to allocate resources, how to budget appropriately and how threats relate to business risk.

Other Important Skills

In addition to the four skills I’ve described above, video games and security roles also require a number of other common skills. Here is a short list:

Time Management – Using your time wisely and completing tasks within a specific time period.

Discipline – Setting boundaries for yourself and adhering to them.

Competitiveness – Competing with others, rising to the challenge, conducting yourself with honor and being a good sport.

Perseverance – Never giving up, pushing through and completing the job.

Detachment – The ability to look at problems from different perspectives.

Positivity – Don’t dwell on the losses. Focus on the good and believe in a positive outcome.

Cognitive Performance – The ability to focus, perform well under pressure, react quickly and even get into a state of flow.

Wrapping Up

A successful career in security requires not only focusing on domain specific skills (like GRC, Incident Response, etc.), but also more generalized skills that translate to all aspects of life. I personally enjoy playing video games for the reasons above, but also because of the social component that now exists in games. The ability to share the experience with others or discuss games with co-workers and friends is enjoyable. So, next time you are looking to advance your career don’t forget to work on the softer skills along with the security specific skills required for your job and I hope you will consider video games as a viable way to develop those skills!

How Security Evolves As Organizations Move From the Datacenter To The Cloud And Beyond

Despite cloud growth slowing in the past quarter, the momentum of existing and planned cloud adoption remains. As a new or existing CISO, your organization may be just starting to migrate to the cloud or may be looking to improve efficiency by adopting newer technologies like Kubernetes. Wherever you are in your cloud journey, security needs to be at the forefront, with careful consideration for how your security org, its governance and its controls will evolve along the way.

Avoid The Free For All

I’ve been through multiple cloud migrations and before anyone in your organization begins to migrate, the IT, Security and Finance organizations need to come together to lay the appropriate foundation in the new environment. This means you need to set up the appropriate structure for mapping and controlling costs. You also need to map all of your existing IT and security policies and controls into the new cloud environment before people migrate to avoid having to do clean up later. It doesn’t have to be perfect right away, but doing some preparation and implementation of guard rails before teams migrate will pay dividends later.

Not Everything Is Easier

As organizations migrate to the cloud, security teams need to consider how the tools and processes they rely on may change. For example, if you currently rely heavily on netflow or packet captures to monitor your networks, the methods to get the same visibility may be different in the cloud. Similarly, transferring large amounts of data or security events can incur significant costs and so your logging and SIEM infrastructure may need to be re-architected to keep the events as close as possible to the environment, while only shipping the most critical events to a centralized location.

Penetration tests are also different in the cloud. If you regularly penetration test your environment or have third parties conduct pentests for contractual, compliance or regulatory reasons, then these will need to be scheduled and coordinated with your cloud provider so you don’t accidentally disrupt another customer. When you move to the cloud you no longer “own” or control the network and so you have to operate within the terms laid out by your cloud provider. As a result, pentests may be less frequent or may need to have their scope adjusted as appropriate for the environment.

Asset inventory may also change. If you are used to assigning your own DHCP addresses and having these addresses be relatively static in your inventory this will change in the cloud. Your asset inventory will change based on how frequently your organization spins up and down resources. This could be a few hours or days. Your associated inventory, reporting, vulnerability scanning, etc. will all need to be adjusted to the frequency of resource utilization and this can make tracing security events difficult if your inventory isn’t correct.

Processes aren’t the only thing that will need to be adapted to the cloud. Let’s consider how the scope of security changes as you move to the cloud.

In The Beginning

Consider a traditional technology stack where an organization has purchased and manages the storage, network, compute, OS and software running in the stack.

In this model the security organization is responsible for ensuring the security of not only the physical environment, but also of all of the other technology layers. In some ways this environment offers simplicity because a production application maps directly to a network port, firewall rule, operating system, physical server and dedicated storage. However, this simplicity comes with the full scope of security of the entire environment and technology stack. The leading tech companies largely moved away from this model in the early 2000s because it is inefficient in terms of resource utilization, portability of applications and velocity of deploying new software at scale.

Enter Virtualization

Organizations looking for more efficiency and utilization from their technology assets found it when virtualization came onto the scene. Now companies can run multiple operating systems (OS) and application stacks on a single stack of physical hardware.

For security teams, virtualization increases the density of their asset inventory compared to physical assets. This means the asset inventory no longer has a 1:1 correlation with physical assets and the attack surface for the organization will shift towards the OS, Application and Network layers. In this model security teams still need to focus on the full scope of security, but it also allows the organization to begin taking advantage of modern IT infrastructure and deployment concepts.

One extremely important concept is the idea of immutable infrastructure. With immutable infrastructure the organization no longer makes changes to things in production. Instead, they update, patch or improve on their virtual machine images and production applications in their development or test environments and then push those into production. This means development teams can increase the velocity of the software development lifecycle (SDLC) by fixing once and deploying many times. It also means security teams can more tightly control the production environment, which is the highest area of risk for the business.

Moving To The Cloud

At some point your organization may make the decision to migrate to the cloud. Migrating to the cloud offers a number of benefits such as no longer having to purchase and manage depreciating assets, no longer having to staff people to physically manage hardware, no longer having to pay to protect and insure physical assets, increased development velocity and the ability to scale compute, storage and network as needed.

For the security organization, moving to the cloud means you no longer need to worry about physical assets such as network, storage or compute. Your cloud provider now takes care of those layers and so your team has reduced physical scope, but increased logical scope, which results in increased attack surface. Development teams can now deploy with increased velocity and so it is incredibly important to enforce good security hygiene. Shifting security as far left as possible within the CI/CD pipeline and automating the security checks are incredibly important. Similarly, putting guard rails in place to control the environment will be really important to avoid magnifying security issues at scale. Some things to think about are:

  • Tagging is required for security, finance, development, etc.; otherwise the deployment fails or the instance is shut down
  • Object storage private and encrypted by default
  • Only specific and required network ports allowed
  • NACLs, ACLs, WAF and/or proxies configured and deployed by default based on service or application
  • Applications are not allowed in production with critical or high vulnerabilities
  • Security logging at each layer sent to object storage, filtered and then sent to a centralized SIEM
  • Control software libraries to minimize software supply chain risks
  • OS images patched, hardened and loaded with required agents
  • Identifying and controlling the flow of data to avoid data leakage
  • Setting and enforcing data retention policies to not only control costs, but reduce the volume of data that needs to be protected

Moving to the cloud allows organizations to dramatically improve the velocity of development, and as a result security teams need to shift their controls left in order to improve security and visibility without impeding velocity.
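The guardrails listed above are only useful if they are enforced automatically before anything reaches production. The following is an added example (not code from the original post) of a pre-deployment gate that checks a deployment description against four of those guardrails: required tags, private and encrypted object storage, an allow list of ingress ports, and no open critical or high findings. The manifest layout, the tag keys, the port allow list and the two sample manifests are all assumptions constructed for the example; real cloud provider APIs and scanner outputs differ.

```python
"""Pre-deployment guardrail gate modelled on the list above.

This is an added example, not code from the original post. The manifest
layout (a dict with "tags", "storage", "network" and "scan" keys) and
the policy values are assumptions constructed for the example.
"""
from dataclasses import dataclass

# Policy values (constructed): every deployment must carry these tags,
# a public web service may only expose 443, and any open critical or
# high finding blocks promotion to production.
REQUIRED_TAGS = {"owner", "cost-center", "environment", "data-classification"}
ALLOWED_INGRESS_PORTS = {443}
BLOCKING_SEVERITIES = ("critical", "high")


@dataclass(frozen=True)
class Finding:
    control: str   # which guardrail failed
    detail: str    # human-readable reason, surfaced to the deploying team


def check_tags(manifest):
    """Tagging guardrail: missing tags fail the deployment outright."""
    missing = REQUIRED_TAGS - set(manifest.get("tags", {}))
    if missing:
        return [Finding("tagging", f"missing required tags: {sorted(missing)}")]
    return []


def check_storage(manifest):
    """Object storage must be private and encrypted at rest by default."""
    findings = []
    for bucket in manifest.get("storage", []):
        if bucket.get("public_access", False):
            findings.append(Finding("storage", f"{bucket['name']} allows public access"))
        if not bucket.get("encrypted", False):
            findings.append(Finding("storage", f"{bucket['name']} is not encrypted at rest"))
    return findings


def check_network(manifest):
    """Only the specific, required ports may be opened."""
    findings = []
    for rule in manifest.get("network", {}).get("ingress", []):
        if rule["port"] not in ALLOWED_INGRESS_PORTS:
            findings.append(Finding(
                "network",
                f"ingress port {rule['port']} from {rule['source']} is not on the allow list",
            ))
    return findings


def check_vulnerabilities(manifest):
    """No critical or high findings may reach production."""
    counts = manifest.get("scan", {})
    blocking = {sev: counts.get(sev, 0) for sev in BLOCKING_SEVERITIES if counts.get(sev, 0)}
    if blocking:
        return [Finding("vulnerabilities", f"open findings above threshold: {blocking}")]
    return []


def evaluate(manifest):
    """Run every guardrail and return the combined list of findings."""
    return (check_tags(manifest) + check_storage(manifest)
            + check_network(manifest) + check_vulnerabilities(manifest))


def deployment_allowed(manifest):
    """The gate a CI/CD stage would call: deploy only when nothing fails."""
    return not evaluate(manifest)


# Constructed sample: what a team might submit without guardrails...
WEAK_MANIFEST = {
    "tags": {"owner": "payments-team"},
    "storage": [{"name": "payments-exports", "public_access": True, "encrypted": False}],
    "network": {"ingress": [{"port": 443, "source": "0.0.0.0/0"},
                            {"port": 22, "source": "0.0.0.0/0"}]},
    "scan": {"critical": 1, "high": 0, "medium": 4},
}

# ...and the same service after the guardrails are satisfied.
HARDENED_MANIFEST = {
    "tags": {"owner": "payments-team", "cost-center": "cc-1234",
             "environment": "prod", "data-classification": "confidential"},
    "storage": [{"name": "payments-exports", "public_access": False, "encrypted": True}],
    "network": {"ingress": [{"port": 443, "source": "0.0.0.0/0"}]},
    "scan": {"critical": 0, "high": 0, "medium": 4},
}

if __name__ == "__main__":
    for name, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        findings = evaluate(manifest)
        print(f"{name}: {'DEPLOY' if not findings else 'BLOCKED'}")
        for f in findings:
            print(f"  [{f.control}] {f.detail}")
```

Each check returns findings rather than raising, so the deploying team sees every failed guardrail in one pass instead of discovering them one at a time. In a real pipeline the same functions would run against the provider's own resource definitions and scanner output, and the "fail the deployment" outcome is the `deployment_allowed` result.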

Commoditizing The OS Layer

Lastly, once organizations are in the cloud they can begin to ask questions like: what if the OS didn’t matter? What if memory, compute, storage and everything below the application layer were taken care of automatically and all developers needed to worry about was the actual application? Enter containers and Kubernetes.

Containers and Kubernetes allow organizations to scale their applications with incredible speed. All developers need to worry about is packaging up their application in a container, deploying it into the cluster and letting everything else happen automatically. This model presents both a challenge and an opportunity for security teams.

First, all of the security checks we discussed previously need to happen within the build process and deployment pipeline to make sure organizations aren’t amplifying a vulnerability across their applications.

Second, security teams will continue to make sure the underlying Kubernetes clusters meet their security requirements, but the main focus will be on the application layer. Controlling ingress and egress of network traffic going to the application, making sure software libraries are approved and free of vulnerabilities, and ensuring software security checks like SAST, DAST and even fuzzing of interfaces are performed before deploying to production will be incredibly important. It will also be important to maintain an inventory, but this won’t be a typical inventory of who owns an OS or compute instance. Instead, this inventory will map which team owns a particular application. This will be important for events like Log4j so the appropriate dev team can identify and remediate software libraries or flaws in their applications quickly and then re-deploy. Remember the environment should be immutable, so security teams will need to scan, monitor and respond to vulnerabilities detected in production quickly since the attack surface will be much larger in this model.
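The two controls in this paragraph, an approved-library check in the build pipeline and an application-to-team inventory for Log4j-style events, fit together naturally: the same SBOM that feeds the build gate is what lets you answer "which teams need to rebuild?" when an advisory lands. The following is an added example (not code from the original post) that does both over constructed data. The SBOM layout (a list of component/version pairs per application), the advisory format, and every component name, version and team name are assumptions made for the example; "acme-logging" is a stand-in for any widely used library hit by a disclosure like Log4j, and the advisory's version threshold is constructed, not a real one.

```python
"""Build-pipeline library gate plus application-to-team inventory.

Added example, not code from the original post. The SBOM layout (a list
of (component, version) pairs per application), the advisory format and
all component names, versions and team names are constructed for the
example; "acme-logging" stands in for any widely used library hit by a
Log4j-style disclosure.
"""

# Constructed inventory: which team owns which application. In the
# container model this, not "who owns the OS", is the inventory that matters.
APP_OWNERS = {
    "checkout-api": "payments-team",
    "billing-batch": "payments-team",
    "search-web": "search-team",
}

# Constructed SBOMs, one per application, as produced at build time.
SBOMS = {
    "checkout-api": [("acme-logging", "2.14.1"), ("http-client", "4.5.13")],
    "billing-batch": [("acme-logging", "2.12.0"), ("unvetted-crypto", "0.3.0")],
    "search-web": [("acme-logging", "2.17.0"), ("json-parser", "1.2.0")],
}

# Libraries the security team has approved for use (constructed allow list).
APPROVED_COMPONENTS = {"acme-logging", "http-client", "json-parser"}

# Constructed advisory: every version of the component below fixed_in is affected.
ADVISORIES = [{"component": "acme-logging", "fixed_in": "2.15.0", "severity": "critical"}]


def parse_version(text):
    """Turn a dotted version string into a tuple so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def unapproved_components(sbom, approved=APPROVED_COMPONENTS):
    """Approved-library control: anything outside the allow list is flagged."""
    return sorted(name for name, _ in sbom if name not in approved)


def find_affected(sboms, advisories):
    """Map each application to the (component, version) pairs an advisory covers."""
    affected = {}
    for app, sbom in sboms.items():
        hits = [(name, version) for name, version in sbom
                for adv in advisories
                if name == adv["component"]
                and parse_version(version) < parse_version(adv["fixed_in"])]
        if hits:
            affected[app] = hits
    return affected


def remediation_plan(sboms, advisories, owners):
    """Group affected applications by owning team so each team can rebuild and redeploy."""
    plan = {}
    for app in find_affected(sboms, advisories):
        plan.setdefault(owners[app], []).append(app)
    return {team: sorted(apps) for team, apps in plan.items()}


def build_gate_passes(app, sboms=SBOMS, advisories=ADVISORIES):
    """Pipeline gate: block the image if it carries an unapproved or affected library."""
    sbom = sboms[app]
    return not unapproved_components(sbom) and app not in find_affected({app: sbom}, advisories)


if __name__ == "__main__":
    for team, apps in remediation_plan(SBOMS, ADVISORIES, APP_OWNERS).items():
        print(f"{team}: rebuild and redeploy {', '.join(apps)}")
    for app in SBOMS:
        print(f"{app}: {'PASS' if build_gate_passes(app) else 'BLOCK'}")
```

Because the environment is immutable, the remediation for an affected application is a rebuild with the fixed library and a redeploy through the same gate, which is why the inventory keys on the application and its owning team rather than on a host. Real SBOM formats carry far more than a component and version, but the ownership lookup and the version comparison are the pieces that turn an advisory into a per-team work list.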

Wrapping Up

No matter where your organization is in its cloud journey, security teams need to identify their scope of responsibility and apply security best practices within their environment. Organizations still in data centers will require security teams to address the full scope of security from the physical layer to the application layer and everything in between. As organizations begin to adopt technologies like virtualization, development velocity should begin to increase and security teams will need to adapt. Moving to the cloud is a big step, but it will pay dividends to the organization in terms of increased velocity. Organizations no longer have to acquire or focus on physical hardware, so they can staff more software developers. Likewise, the security teams will need to adjust their requirements and controls to focus on the OS layer and above. Lastly, organizations that have moved to container technologies or embraced Kubernetes will have tremendous velocity, and security teams will need to make sure the appropriate checks are integrated into the CI/CD pipeline so vulnerabilities aren’t magnified across the entire environment. In order to avoid this, security teams need to focus primarily on the application layer, and automation will be key.

Conquering Impostor Syndrome

Over the past eight years I have been shifting my personal interests from reading technical books to reading books on mental performance. Navy SEALs like to say their training is 10% physical and 90% mental, and I think this holds true for a lot of endeavors in life. The security industry is inundated with training courses about how to penetration test, how to be an incident responder or how to become a CISO. However, if you want to strengthen your mind to handle the stress of a security role you have to leave the community and seek answers in other places like extreme sports, the military or even self help.

Mental Health is an extremely important aspect of career management that often gets overlooked or neglected. The security community is notorious for burnout because the issues we deal with on a daily basis have a sense of urgency or feel never ending. One important mental health issue that is particularly pervasive within the security community is Impostor Syndrome, which is when people who are otherwise talented or successful still feel as if they are a fraud.

I have personally experienced both burnout and impostor syndrome throughout my career and in my experience impostor syndrome is caused by a fundamental lack of belief in oneself. Therefore, in order to overcome impostor syndrome one must somehow boost their own confidence, which can be difficult because it is tough to self assess.

Understanding the problem

In order to overcome impostor syndrome it is important to first diagnose and understand the problem by asking the question:

What part of your life, career or skillset makes you feel like a fraud?

Perhaps you recently received a promotion, but haven’t received training or coaching to build the necessary skills in that role?

Or, maybe you have the skills, but you haven’t received feedback or validation that these are the right skills to have?

Maybe you are worried your skills are sub-par compared to other people you see at conferences or who you interact with regularly?

Whatever the issue, it is important to be honest with yourself about what makes you feel like a fraud. This is an important step because once you identify the issue you can build a plan to address the problem.

Develop A Balanced Approach

One of the most impactful books I’ve read on mental performance is called With Winning In Mind by Lanny Bassham. This book discusses different parts of the human psyche that need to be in balance in order to avoid psychological performance issues like Impostor Syndrome. With Winning In Mind discusses how to balance the Conscious mind, Sub-conscious mind and the Self Image to achieve balance of the psyche and ultimate performance.

In my opinion, Impostor Syndrome is caused by an imbalance in the Self-Image. The self image has not developed in line with the knowledge, career progression or skillsets possessed by an individual. As a result the individual lacks confidence in themselves and needs to spend time building up their self image to conquer impostor syndrome.

Building (Or Rebuilding) Your Self Image

Below are the steps I recommend you follow in order to overcome Impostor Syndrome. These steps require work and dedication, but if you commit and follow through it will be worth it in the end. The steps are as follows:

  1. Identify the skills or character traits in which you lack confidence. Write these down.
  2. Develop a plan to train or develop each area so you can begin to build confidence in that area.
  3. Create positive affirmations to reinforce your training and build your self image. Put these in prominent places (fridge, desk, mirror, car dashboard, etc.) that you see daily and repeat them to yourself whenever you see them.
  4. Record your progress in a journal and review regularly.

Example

  1. Identify skills – I feel like an impostor when I speak in public. “I want to be a better public speaker”
  2. Develop a plan – “I will practice public speaking for 15 minutes a day, while recording myself. I will review the recording each time and make a plan for the following day for how to improve.”
  3. Create Positive Affirmations – “It is like me to be a great public speaker”
  4. Record your progress

Wrapping Up

Impostor Syndrome is a common psychological performance issue, particularly in the security community, and it is caused by a fundamental lack of confidence in oneself. By honestly identifying where you lack confidence, you can develop a plan that will help you improve your self image and ultimately overcome the feeling that you are a fraud. If you suffer from impostor syndrome I encourage you to speak openly and honestly about it with a mentor, trusted colleague or mental health professional who can help you create a plan to overcome the issue, because impostor syndrome can cause you to psychologically hold yourself back from truly achieving your fullest potential.

Building A Security Budget To Address Risk

Over the past 9 months layoffs have been impacting the tech industry amid heightened concern over the economy, increased scrutiny on profits and over investment by companies in areas that don’t positively impact the bottom line.

As organizations tighten their belts it is possible they will look at the security organization with increased scrutiny and ask whether you need all of those people, tools or other line items in your budget. As the CISO you may be asked to justify your budget and explain how your budget links back to value or reduced risk for the company. You also need to avoid common budgeting traps like getting forced into a percentage or flat allocation. Here is my approach to this exercise.

Consider The Priorities Of The Business

First, review the immediate priorities from your strategic plan, regulatory and compliance obligations and top risks for the company. Are those still the right things to focus on? Did the development org drop a product or service area that no longer requires the security team to monitor or protect? Has there been a reduction in non-technical staff that may reduce the number of people that need security awareness or phishing training? Has your company abandoned investment in a particular business vertical, which means you no longer need to plan to complete a compliance audit or certification (like FedRAMP or PCI-DSS)? Is your company planning to launch a new product, complete a merger & acquisition or expand in a new geographic region? Is there a new emerging threat to your business that needs attention?

Ultimately, the answers to these questions will result in a few possibilities:

  1. The business is going to continue to grow and invest, which will require the security team to also grow and invest so the business can mitigate or reduce new risk.
  2. The business will maintain existing investment and exposure to risk, but not increase it.
  3. The business will reduce investment based on contraction of business areas that will result in reduced risk to the business.

Articulate A Plan To Address Business Risk

Second, the CISO’s job is to articulate risk and present recommendations to the business for how to address the risk. However, it is important to remember that the business may choose not to follow your recommendations and that’s ok. A CISO should have strong relationships with the other C-Suite executives, but they also need strong relationships with the various corporate functions like legal, HR and finance.

Whether your company is growing, staying the same or contracting, the CISO still needs to present an appropriate budget recommendation and plan to address the risks to the business. I’ve covered how to build a strategic plan before and that should be one of the primary inputs to this exercise.

Planning For Headcount To Reduce Risk

Generally, when considering people resources you should plan to have at least two years of work for those people to accomplish. This means you should look at your strategic plan and consider what risks you can address with the existing resources in your organization over the next two years. Map people to projects with realistic timelines, deliverables and deadlines. Link the priorities back to the strategic plan.

Next, consider what additional risks you could address if you could add additional people to your organization. Are they completing a new compliance audit like ISO27001? Are they implementing a new tool or developing a new process to address an unaddressed risk (such as SBOM or API security)? Do you need additional resources for your SOC to improve chase-the-sun coverage or to have redundancy when people are on vacation or sick? Is there a particular geographic region that needs investment or that offers similar talent to premium locations, but is currently less expensive? Remember it takes time to identify, hire and train new talent before they are productive.

Lastly, consider what would happen to your plan if people left the organization. Can you still accomplish your goals if you have 5% attrition, 10%, 20% or more? Will it simply take longer to reduce the risk, or do fewer resources make the objective impossible so that the business will now be exposed? Conduct succession planning to fill the immediate gaps and then build contingencies into your budget to hire or backfill if needed.

Planning For Technology To Reduce Risk

Taking it one step further, consider what new tooling investments you need to make to address the top risks in your strategic plan. Do you need a new SIEM? Do you need a SAST/DAST scanning capability? Do you need better endpoint detection and response (EDR)? Can you free up people resources by implementing a new tool or automating a process? Determine the best tool and get budgetary pricing for your budget. Depending on how tightly your finance org runs the budget you may also want to add in a tooling contingency to allow the org to pivot or add something new part way through the fiscal year.

Other Budgetary Considerations

Depending on the remit of your security org you may or may not have other line items in your budget. Below are some examples:

  • Penetration tests conducted by an external company
  • Physical security improvements like cameras, alarms, badge readers, safes, etc.
  • Compliance Audits (SOC, ISO, FedRAMP, etc.) or other audits and certifications by external firms
  • Contractors or professional services for short term (1 year or less) engagements
  • MSSP or service providers if you outsource parts of your security org (like incident response)
  • Bug bounties for external security researchers
  • Cyber Insurance (with planned increase if you are entering new business areas)
  • Possible legal fees for lawsuits, contractual reviews, outside counsel or other security related legal matters depending on how finance allocates these costs in the overall budget
  • Lab, subscription and equipment costs for threat hunting, security research, cyber ranges or training exercises
  • Executive protection costs for your C-Suite executives
  • Brand and reputation monitoring
  • Training costs for conferences, certifications, tuition reimbursement, security awareness, phishing exercises or other training and education related fees
  • Costs for maintaining specialized security functions like a SCIF, holding clearances, renewing clearances, liaising with law enforcement or other federal agencies
  • Costs for participating in security trade groups, boards or other industry facing security groups that help influence activities for your business
  • Outside consulting firms for specific areas of expertise and unique circumstances like VIP security protection or protecting large events (like company conferences or other extremely large events)

Security Isn’t Just A Cost Center

Don’t forget to offset your budget with activities that positively impact the bottom line for the business. Depending on how your organization is structured you may have customer and industry facing groups or groups that participate in activities like Mergers & Acquisitions. If you have Security Consultants, Professional Services, offer Managed Security Services or participate in other activities that positively impact the bottom line, then your org should get credit for these activities and they should help offset the other security budget items that are typically a cost center for the business. You can have your go to market team or customer facing security resources tag activities in your CRM tool and then pull reports based on this tag. You can also do this with a simple spreadsheet that captures the date, the dollar amount, how many security folks were involved and a short description of the activity. This can be really powerful to show how the security org is helping to not only protect the business, but directly or indirectly improve the bottom line.

Final Thoughts

A lot goes into creating a budget for your security organization with the ultimate goal of reducing or mitigating risk to the business. It is easy to fall into a trap of simply looking at the security org as a percentage of overall headcount for the rest of the business and then allocating budget accordingly. There are metrics floating around the internet claiming security budgets are on average some percentage of the IT budget, or some other percentage of the overall technology spend for an organization. This is the wrong approach in my opinion.

Allocating a flat percentage can result in underinvestment in the security org, which means risk to the business will tacitly (or explicitly) go unaddressed. Having a strong relationship with the finance org and linking your budget requests back to your security organization plan and strategic security plan is the best way to plan and execute a budget that is grounded in reality to reduce risk instead of using arbitrary percentages.

The finance org can also help to make sure you are following their accounting process such as spreading costs over quarters, not recognizing costs until the quarter you actually have to start paying for something, reminding the security org when renewals are coming up and making sure you are sent reminders for when accounting is going to reclaim allocated budget if you don’t spend it in time. They can also help you move things around within the fiscal year so you can maintain your budget based on shifting priorities.

Lastly, I encourage all CISOs to have a budgetary dispute resolution process facilitated by finance and decided on by either the rest of the C-Suite or the board. CISOs need to be able to raise critical risks in terms of staffing, tooling or other issues that will ultimately impact the budget, through a path that is separate from the normal budget process. This isn’t a blank check, but a process to break through during urgent situations (like breaches or incidents) and get the budget needed to quickly resolve the issue.

Building a budget for the security org is a time consuming, but critical process. CISOs need to be grounded in basic finance and understand the true P&L of the security function so they can accurately articulate value as related to risk management. The finance org is your greatest ally to assist you with this process to make sure you are putting things in the right buckets (Opex vs Capex). While finance may have rigid processes for how they want to plan for the budget, it is up to the CISO to link their budget back to a strategic plan to address risk for the business and present that plan for approval without falling into traps of percentages or flat allocations.

How Will The CSO Role Change Post Uber?

I had a really interesting discussion with some CISO friends last week about how the CSO/CISO role will change after the guilty verdict of Uber CISO Joe Sullivan (I’ll refer to this as the Uber verdict going forward). Here are my personal thoughts:

The Scope of Liability Has Changed

The Uber verdict has now set the precedent that a CSO can be held personally liable for security failures at an organization. This means data breaches, security incidents, regulatory and compliance audits, external inquiries and bug bounties all carry increased weight for them to be handled appropriately according to laws, industry regulations, corporate policies and ultimately how you handled the event should it end up in court.

The Uber verdict also demonstrated that there is a limitation to how much coverage and protection a company will provide to a CSO / CISO after major security events have occurred.

While this may sound ominous and extremely concerning, I don’t think it should be. Ultimately, if you aren’t breaking the law, have a well defined security plan and are documenting your progress I don’t think you need to do anything different as a result of this verdict.

Negotiate For Protections

While you may not need to do anything differently with respect to your security program, I do think it will become industry standard for CSOs to negotiate protections as part of an employment contract. Prospective companies should plan to add CSOs to their corporate liability coverage for executives and can also expect existing executives or prospective candidates to push for written assurances that they will be covered legally and will not be sued by their employer.

The Role Will Be Elevated

Ultimately, all of this will result in elevating the CSO role to be on par with other C-Level positions such as the CEO, CFO and even Chief Counsel who all carry significant levels of risk in their positions. The security industry and ultimately the CSO role are relatively young compared to other C-Level positions and so I think the Uber verdict will give the role a hefty shove forward and help it find equal footing with some of the other more tenured C-Level positions.

In the end this means companies will begin taking the role more seriously as they are forced to add the role to their corporate liability policy, provide legal protections as part of employment contracts and give the CSO role the same weight as other C-Level roles.

Ultimately This Is A Good Thing

While it may sound concerning that a CISO was held personally liable for a security event at a public company, I think this is the exception, not the norm. The circumstances of this particular verdict clearly demonstrated non-standard behavior and are a good example of what not to do when dealing with federal investigators.

However, I do think it has caused a certain amount of pause and reflection within the CSO / CISO community. CSOs are now beginning to consider if their programs are sufficient to stand up to external scrutiny and they are asking what they need to do to protect themselves going forward. This will result in existing or new candidates asking for protections, which will eventually become standard. As the protections become standard it will cause companies to take the role more seriously and ultimately give it the same weight as other high risk C-Level positions.

Legal Privilege

Disclaimer

First I want to start out by saying I am not a lawyer and I don’t play one on TV. This blog post is a summation of legal advice I have been given over the course of my career as a CSO/CISO. These are my opinions and should not be considered legal advice. If you need legal advice seek out a lawyer within your company or your professional network. Legal advice will differ based on your company’s risk profile, your lawyer’s background and experience, the specific situation, what geographic regions your company operates in and the industry you are in. I highly recommend you and your team have regular briefings from your legal department to refresh the concept of legal privilege and any other legal concepts they think are important.

Ok, with that out of the way let’s dive in.

What is legal privilege?

Legal privilege protects communication between you and a lawyer, including recorded forms of communication (like email). Specifically, the communication needs to seek or convey advice from the lawyer. For example:

“Dear Lawyer, I need legal advice about the following…”

Why Is Legal Privilege Important?

When seeking legal advice, legal privilege protects the communication from legal discovery. This means that if your company is sued and you go to court, these communications about the legal advice can’t be used as evidence. It also gives you a choice: use a recorded form of communication and invoke legal privilege so the communication is on record but protected, or use an alternate, non-recorded form of communication so the communication is not on record at all. This is a really important concept for a CSO to understand and a tool to use to protect themselves, their team and ultimately the company. By invoking legal privilege for key conversations that would otherwise be discoverable, you can ensure those conversations are protected from a legal standpoint.

How Do I Invoke Legal Privilege?

Generally, legal privilege can be invoked by you to a lawyer, or by a lawyer to you. The exact details of how to do this may vary depending on your company, your legal counsel, etc., but here are a few ways to invoke legal privilege via email.

  • Include the lawyer in the To: line
  • Keep the audience to an absolute minimum
  • The subject line and body should start with the word PRIVILEGED (or some other indicator specified by your counsel)

How Do I Include Other People In The Legal Privilege?

If you need to include other people in the email (like your management chain), then ask your legal counsel to include them. If someone gets added that shouldn’t be on the thread, ask the lawyers to remove them from the thread. If someone claims they need to be included, forward their claim to the lawyers to evaluate if they truly need to be on the thread or not. The wider the audience, the more difficult it is to claim legal privilege and it is even possible to lose legal privilege.

Can I Lose Legal Privilege Once It Is Invoked?

Yes, if the email thread is distributed to a larger audience than needed this can cause you to lose legal privilege. For example, if you are discussing a security incident with your lawyers and someone unnecessarily copies an email distro to the thread this can cause you to lose privilege. This means all of the emails will now be discoverable.

Are There Other Circumstances Where I Am Not Protected?

This should be a no-brainer, but you are not protected by legal privilege if you are participating in crime or fraud.

You are also not protected by legal privilege if you don’t invoke it. This means non-privileged documents are not protected just because they are in the possession of a lawyer.

Is Legal Privilege The Same Everywhere?

No. Legal privilege differs by country. The bar for establishing and maintaining legal privilege can be much higher in some countries than in others. If you are part of a global company, I recommend you get briefings from lawyers who are familiar with the laws in the countries where your company does business.

Examples Of When To Use Legal Privilege

First off, I just want to say legal privilege does not mean you should copy your legal counsel on every email. Legal privilege is not designed to protect all your emails / communications. It is only designed to protect advice between you and a lawyer. That being said, if you are communicating with a lawyer, it is a good idea to always invoke legal privilege so that the communication is protected.

Here are some examples of when to invoke legal privilege:

Discussing A Security Incident

“Dear Lawyer, please advise what course of action we should take due to this incident…”

This is probably the most common way a CSO will use legal privilege. Discussing an active incident, customers impacted, legal ramifications, etc. should all be done under legal privilege between you and your legal counsel.

Changes To Industry Regulations

“Dear Lawyer, please advise how our company should adjust to this new industry regulation…”

I recommend seeking the advice of legal counsel, under legal privilege, for changes to industry regulations. I recommend this because the interpretation of the change may indicate your company is not compliant or needs to take some other course of action.

Disclosing Information To Customers

“Dear Lawyer, I am unsure how to respond to this customer, please advise…”

Transparency should always be the goal, but sometimes there are things that shouldn’t be disclosed externally. When a customer makes a request for a new piece of information I recommend seeking the advice of your legal counsel about how to respond and then standardize that response for other customers. Sometimes the response will be – “we don’t provide that information externally”. Or, the response may be a limited set of the information requested. It will all depend on what your legal counsel recommends based on the risk publicly disclosing the information presents to your company.

Legal privilege is a complex area to navigate, but one that is essential for every CSO to have in their toolbox. Understanding when to invoke it, how to invoke it and how to maintain it is essential for success in the role. The legal department is an essential partner for any CSO and their organization. I recommend building a relationship with them and having legal help you work through scenarios where legal privilege is needed. When in doubt, I recommend explicitly invoking privilege between you and your lawyer.

Giving A Presentation To The Board

At some point in your CSO / CISO career you will need to give an update to the board. This could be monthly, quarterly or yearly depending on the size of your company. Wondering where to start? Here is a template I have found to be successful.

Practice Makes Perfect

Whether you are new to presenting or an experienced veteran, I highly recommend creating your presentation and then writing down what you are going to say in the speaker notes. Practice the presentation, transitions, etc. until you can do it without reading the slides and the presentation sounds natural. Record yourself and watch it a few times to catch yourself saying “uh” or “um” and to see what you will look and sound like from the perspective of the audience. Give the presentation to a family member or friend to get their opinion on how to improve. The more you practice, the more relaxed and prepared you will be when in front of the board.

Know Your Audience

I often see presenters assume the board knows (or wants to know) specific details about technology, products, services, etc. when presenting. In my experience they don’t. The board members are not experts in your day-to-day operations. They are usually highly compensated executives trying to run large organizations, and you are giving them a narrow window into your world. You need to highlight and raise things for them to anchor on or key into so they can orient themselves around making an appropriate decision with the information you presented. I keep technical information in backup slides in case one of the board members wants to go deep, but typically they want to know the following:

How Has Risk To The Business Changed Since You Last Presented?

This section will be a combination of global security trends impacting your industry and the current status of the strategic plan. I like to start out by giving an overview of whether our risk has increased, decreased or stayed the same since the last time. A graph is really helpful here and allows the board to orient their thoughts while you give a short introduction and explanation.

If you are just starting out with the strategic plan then this will focus more heavily on how you are planning to prioritize the security controls in the plan and when the board can expect results.

What Caused This Change In Risk?

Why did risk to the business increase, decrease or stay the same since last time? If risk decreased, highlight the controls or process improvements the organization made to achieve this reduction. If risk increased, tell the truth and then give your recommendation for how to manage or reduce this risk over a specific time period. This could involve asking for additional funding or personnel, or even asking a particular group, product or service team to focus on a particular area to make progress.

What Are The Top Three Risks To The Business At This Time?

You are the expert and the board wants to hear your opinion on this. These risks probably won’t drastically change between presentations, but I like to remind the board of the risks and then present a suggested plan to manage or reduce them in the Look Ahead section.

Metrics For Security Incidents

This is a good section to add metrics on the number of security incidents, what caused those incidents, what the time to resolution was, etc. It may also be a good area to give a quick summary of progress on vulnerabilities in production, or the after-action results of a specific incident the board wants more information on.

Look Ahead

Lastly, I like to wrap up the presentation with a look ahead about what my team is going to focus on between now and the next board presentation. This could involve implementing new controls or technology to reduce a specific risk area. This is a good place to work in your investment asks. I typically give a list of 3-5 things, what they are, why they are important, what the ask is (if any) and the outcome I’m expecting once the things are completed. I tie these into the top 3 risks to the business and then give a short conclusion before asking if there are questions.