Tag: #ciso

Techniques For Influencing & Changing Security Culture

Throughout my career I’ve participated in varying degrees of organizational maturity with respect to security. This has involved moving from the datacenter to the cloud, moving between different cloud providers, moving to a ZeroTrust architecture, creating a security program from scratch and maturing existing security programs. During each of these experiences I learned valuable lessons on how to influence the organization to achieve my objectives and ultimately improve security. Below I share four different techniques that you can apply in your organization to get the buy in you need.

Jedi Mind Trick

First up is what I like to call the Jedi Mind Trick and this is one of the most effective techniques for shifting organizational culture. This is my go to technique for philosophically aligning major parts of the organization behind the scenes to get ground swell for an idea. Here’s how it works:

First, identify who the key decision maker is for what you are trying to achieve. Alternatively, you can identify people who are in key positions to block or impede the objective. Next, identify the people who influence these key stakeholders. This can be their direct reports, their peers or even their boss. Begin having regular conversations with these influencers about your idea, why it will benefit the business, how to achieve it, etc. The goal here is to get these people to philosophically align with your objective. Spend most of your energy with these influencers, but don’t neglect the key stakeholders. You still need to have conversations with the key stakeholders and discuss your idea, but you aren’t trying to convince them you are simply trying to make them familiar with the idea. At some point (it could be weeks or months) the key stakeholder(s) will begin to repeat your idea back to you and seek your opinion. All of your hard work has paid off because the influencers have finally done the hard work for you and convinced the key stakeholder(s) to pick up the torch for your objective. The key stakeholder will most likely think this is a unique idea or objective that they identified on their own. This is the moment you have been waiting for. Offer support, discuss what success looks like and then move on to your next objective, confident in the knowledge that your Jedi Mind Trick was successful!

Summary of Jedi Mind Trick Steps

  1. Identify key stakeholders
  2. Identify people who influence key stakeholders
  3. Spend majority of time philosophically aligning influencers. The influencers will do the hard work for you by convincing the key stakeholders
  4. Don’t neglect the key stakeholders. They need to be familiar with the idea, but you aren’t trying to convince them
  5. Once the key stakeholders begin parroting your idea back to you, the Jedi Mind Trick has been successful. Sit back and offer advice and support!

Switcheroo

Next up is a technique I like to call the switcheroo. This technique was actually discovered by one of my Lead Security Architects when we were trying to implement ZeroTrust. During this project we found a number of people who were resistant to the idea because their processes, roles and even self identity were anchored in the status quo. We found the switcheroo to be extremely effective in getting hold outs and naysayers to jump sides and support the objective. Here is how it works:

First, identify people with influence or in critical positions that can derail your project. This may take some time because it won’t be immediately apparent. People don’t usually just say no to something outright. They instead resist change through inaction or by countering your arguments. There is no easy formula for identifying these people. You need to have a strong network throughout the organization and approach your objective in your normal way. Eventually, conversations with stakeholders, influencers, etc. will identify these people as holdouts. Begin spending time with these hold outs to explain the why of your project, how it will benefit the business, etc. Give this person room to voice their opinions, counter arguments, etc. Eventually, it will become obvious that his person is entrenched in their way of thinking and it is now time to break them out of it. During your next meeting continue to explain the objectives, the why and how it will benefit the business, but this time when they voice their objections ask them this simple question:

“I understand your objections for why this won’t work, can you give me a few reasons why this will work?”

Sometimes all you need to do is shift someone’s perspective and I have found the switcheroo to be very effective in doing that. What ends up happening is the person actually convinces themselves for why something will work and in effect you use their own psychology against them. Next time you are up against a hold out that doesn’t want to get on board, try shifting their perspective with the switcheroo.

Summary of Switcheroo Steps

  1. Identify key stakeholders
  2. Identify key holdouts
  3. Spend time with key holdouts to explain the why behind your idea and allow them to express their objections
  4. After a few times listening to the objections of key holdouts, ask them to give a few reasons why your idea will work.

The Noise Breakthrough

The Noise Breakthrough is a similar technique to the Jedi Mind Trick, but it is more direct. The Noise Breakthrough is most useful when you have regular conversations with someone and are trying to convince them to support a particular objective. Regular interactions with key stakeholders across the business are essential for a CISO to be successful, but this can also have diminishing returns. This regular interaction makes it difficult for your stakeholders to parse signal from noise or, said another way, this means your stakeholders are unable to discern when you are saying something that is really important vs. the normal business as usual.

The inability to discern signal from noise isn’t a new phenomenon and it isn’t unique to the business world. Consider your parents growing up and how they would nag you to clean your room or do some other chore. Eventually, you learn to filter them out. The same with a spouse, partner or best friend who is regularly on your case about something. The constant feedback for the same thing has diminishing returns until eventually it won’t even register as something that is important. How can we break through the noise and get back to a signal?

Enter the Noise Breakthrough and here’s how it works. Let’s say you are trying to get the CTO to resolve a security problem, which has been an issue for several months. You’ve been discussing this with the CTO and they philosophically agree it needs to be fixed, but the problem remains. Like other influencing techniques you need to identify who are the key influencers for the CTO. This could be their lead architect, their chief of staff or one of their direct reports. Spend time with this person and get them to align with you. Then ask this person to spend time with the CTO to convince them to take action towards your objective. Sometimes someone just needs to hear something explained in a different way from a different person. Usually, this is enough to break through the noise and get your project back on track.

Summary of Noise Breakthrough Steps

  1. Identify key influencers for your stakeholder
  2. Spend time with influencer to get them aligned to your objective
  3. Ask key influencer to spend time with key stakeholder to help align them to your objective

Compliment Sandwich

The last technique I have found successful is the Compliment Sandwich. The Compliment Sandwich is most useful when you have to deliver constructive criticism or feedback when something is not going as planned. The compliment sandwich allows you to disarm the recipient by first paying them a compliment. The person is then primed to receive additional feedback and this is where you give them the constructive criticism. Finally, you end with something positive such as another compliment or a positive affirmation that the situation will get resolved. Let’s use an example to see how this works:

“Hey Alice, I really liked your lunch and learn last week. It was really informative. However, I couldn’t help noticing you didn’t ground the objective of the presentation in an industry standard control. As a result, your audience failed to grasp “why” your topic was important. It is important to explain “the why” and the priority of what you want people to do so they can prioritize accordingly. Next time let’s work on this together so your message is more impactful. This is a really important concept for your career development and I know you’ll master it after we work on it together.”

Summary of Compliment Sandwich Steps

  1. Give a compliment, praise or positive feedback
  2. Give constructive criticism
  3. End with a positive affirmation or positive statement

Wrapping Up

Security organizations often find themselves at the tip of the spear for technological and organizational change. As the CISO you need to apply different techniques to effect change so you can improve security and manage risk. The techniques above are simple and effective methods for winning over key stakeholders or breaking through barriers that are preventing you from achieving your security objectives.

Chip War Book Afterthoughts

I recently read Chip War by Chris Miller and found it to be a thought provoking exploration of the global supply chain for semi conductors. Most interesting was the historical context and economic analysis of the complexities of the current semi conductor supply chain and how the United States has wielded this technology as an ambassador of democracy across the globe. This book was particularly interesting when considering the recent efforts by the U.S. Administration to revitalize semi conductor manufacturing in the United States via the CHIP Act. Even though the U.S. maintains control over this industry, their control is waning, which is placing the U.S. at risk of losing military and economic superiority.

The US Leads With Cutting Edge Design & Research

One advantage maintained by the U.S. is it leads the way with the latest chip design and research. The latest computer chip architectures increase computing power by shrinking transistors to smaller and smaller sizes, roughly following Moore’s Law to double the number of transistors per chip every two years. In the late 1970’s, the United States was quick to recognize the military and economic advantages provided by semi conductors. Overnight, bombs became more accurate and computing became more powerful allowing decisions to be made quicker and spawning an entirely new industry based on these chips. However, as the U.S. began to rely more and more on semi conductors, the cost needed to come down. This was achieved by outsourcing the labor to cheaper locations (mainly Asia), which subsequently made these countries reliant on the U.S. demand for chips. This allowed the United States to influence these countries to their advantage.

A Technology with Geo-Political Consequences

One side effect of outsourcing the manufacturing of semi conductors is the supply chain quickly became dispersed across the globe. Leading research was conducted in the United States, specialized equipment was manufactured in Europe and cheap labor in Asia completed the package. Until recently, most of this supply chain was driven by the top chip companies such as AMD, Intel and Nvidia. However, other countries, such as China, have recognized the huge economic and military advantages offered by semi conductors and as a result have started chipping away (pun intended) at the United State’s control of the semi conductor supply chain.

The US Can’t Compete On Manufacturing Costs

Despite the passing of the CHIP Act, the United States faces a significant battle to wrest chip manufacturing from the countries in Asia (and mainly Taiwan). The cost of labor in the United States is significantly higher than other countries. Additionally, countries such as Taiwan, South Korea, Japan, Vietnam and China have heavily subsidized computer chip manufacturing in order to maintain a foothold in the global supply chain. In order to compete, the United States will have to make an extreme effort to bring all aspects of manufacturing into the country including heavy tax breaks and subsidies. This will effectively turn into economic warfare on a global scale as the top chip manufacturing countries attempt to drive down costs in order to be the most attractive location for manufacturing.

Supply Chain Choke Points Are Controlled by the US and its Allies (For Now)

However, driving down costs won’t be easy. The highly specialized equipment required to manufacture chips needs to be refreshed every time there is a new breakthrough. The costs are tremendous and make it difficult to break into the industry. Instead, the U.S. has been focusing on maintaining control of particular aspects of the supply chain and even blocking acquisitions of strategic companies by foreign entities. The United States also exerts pressure on the countries within this global supply chain to allow it to maintain an advantage. Yet, as new countries rise to power (China) and seek to control their own supply chains, these choke points will dwindle. Additionally, as non U.S. allies (frenemies?) gain market share in the chip supply chain, the U.S. and its allies need to consider the security of the chips they are receiving from these countries.

Final Thoughts

Chip War by Chris Miller is a fascinating look into the history and global supply chain of semi conductors. For the past 50 years the United States has maintained military and economic advantages over its rival countries as a result of semi conductors. However, this advantage has been waning over the past two decades. The CHIP Act is recognition that the United States must begin to claw back some of the globalization of the supply chain and bring critical parts of the industry back to the U.S in order to maintain economic and military superiority in the future.

Your CISO Has Career Goals Too

I’ve been thinking about performance reviews lately and how they are a time for you to receive feedback from your manager about how you have performed over a specific time period. It is an opportunity for the employee to communicate achievements that demonstrate growth and it is also a time for the manager to give direct feedback on behavior that needs to start, stop or continue. These discussions typically involve a conversation around what goals the employee has and how the manager can best support them. However, one thing the employee should keep in mind is your manager has goals too. For the CISO this could be business objectives such as improving incident response times, lowering risk or becoming compliant with a new regulation. There could also be personal goals like speaking at a conference, serving on an advisory board or getting promoted to the next job level (e.g. Director to Vice President). The important thing to remember is – everyone has goals no matter what level they are at. Understanding these goals can help employees understand the personal motivations of their direct manager so they can support them if the opportunity arises.

Managing Up

Managing up is a key concept for employees to understand and master throughout their career. Managing up involves influencing, providing context and helping your direct manager understand ways they can best support you. Yet, employee manager interaction should be a two way dialogue. In the same way managers employ situational leadership to lead employees based on their personalities, employees should also seek to understand their manager’s motivations so they can best support them.

Find Out What Goals They Have

One of the easiest ways to support your manager is to bond with them by getting to know them on a personal level. Ask them what personal goals they have, what motivates them, what parts of their current job do they enjoy and what parts do they try to avoid? Maybe your CISO also wants to gain more responsibility by building a privacy function. Or, perhaps they have identified a new risk to the business and need to put together a team to address it. Your CISO is a human being and they have career and personal goals just like anyone else. By asking questions about their goals, your CISO can discuss them with you and gauge how to best involve you so you can both get ahead. Here is a short list of goals your CISO may have:

Personal Goals

  • Speak at a conference
  • Gain a new certification
  • Obtain an new degree or complete a certificate program
  • Get promoted to the next career level
  • Serve on an advisory board
  • Expand their professional network
  • Learn a new skill
  • Understand an emerging technology

Business Goals

  • Obtain a compliance certification (ISO, SOC, FedRAMP, etc.)
  • Take on a new responsibility
  • Achieve an objective or KPI (e.g. reduce risk, reduce response times, etc.)
  • Establish a new strategic partnership
  • Stop doing something that frustrates them

What Can You Do To Support Their Goals

Once you understand the personal and career goals of your CISO you can begin to align some of your career goals to support them. This could mean completing objectives that directly align to the business objectives for the CISO. Or, it could mean offloading your CISO from activities that frustrate them so you can gain experience and grow your career. This will free up the CISO to take on new activities and you can advance your career by drafting in their wake. This is also an opportunity for you to offer suggestions about where you think you can offer the greatest assistance for areas that align to your own career goals and personal interests.

Wrapping Up

Performance reviews and career management shouldn’t be a one way activity. Employees who understand the personal and career goals of their CISO can better align their activities to support them. This can lead to learning new skills, taking on new responsibilities and accelerating their career progression. Next time you have a performance review conversation with your manager, take the time to ask your manager what goals they have and how you can best support them because it will pay dividends in the long run.

Defining Your Security Organization

Whether you are inheriting an existing security team, or building an entirely new function, one of the first things you should do after building a strategic plan and creating an organization plan is to define what you want your security organization to look like. This step builds upon the organization plan by defining what each role in your organization will do (including skillsets), what the career path is for each role and what success looks like for each job function. This will not only help define the details or your organization plan, but it will help lay the foundation for how you want to build your organization (if you are starting from scratch). If you are inheriting and organization it can help you establish your expectations by clearly defining what you want from each part of your organization. It can also help you plan for a re-org or help to diagnose performance issues with a particular team or within the overall security org.

If you are part of a large organization most or all of this will be defined by your HR department, but I still find it useful to tailor the general HR approach to your specific security organization. If you are part of a start up or small organization then you may need to define everything yourself.

Mission Statement

First, I recommend creating a mission statement. This should be a really short statement about the overall purpose of the security organization. This mission statement will not only help to clarify what your group is trying to achieve, but it will also give a sense of purpose to the security practitioners within the security org. I recommend creating a mission state at the org level and then for each function within the security org to help clarify the purpose of that function. This will be useful to explain what your security functions do, especially when interfacing with non-security groups like legal, finance, hr, etc.

Example:

The mission of the security org is to enable [company x] to effectively manage risk related to security and privacy of our products and services.

Role Definitions

Once you have defined the purpose of your org, you will want to look at your organization plan and define what each role will do. Security Engineers, Security Architects, DevSecOps Engineer, Governance & Risk Practitioner, Incident Response Analyst, etc. will all need a short description of what the role will do. Going through this exercise will serve three purposes. First, if you need to hire for any of these roles you can use most of this information in the job description. Second, if you already have people in the role, it will help clarify your vision for the purpose of that role. Lastly, if you need to request budget, these role definitions will help explain what these people are going to do as part of the budget request.

Example Role Definition: Security Engineer

Designs, builds, configures, diagnoses, integrates and maintains security tooling required by the security organization. Establishes requirements, performs trade-off analyses and recommends tool selection. May work with other IT or engineering groups within the organization.

Career Paths

Once you have the roles defined you will want to establish career paths for these roles. Establishing career paths will require you to think about the scope and impact of each level of the role. For example, if you have 5 levels in your organization you will need to define titles for each level, the skillsets for each level and how those skills increase in scope and impact. You will need to do this for both individual contributor roles and management roles. I recommend breaking out the skills into general and role specific.

General Skills

General skills are skills required by all employees in your organization. These include things like communication, strategic thinking, agility and collaboration. If you are part of a large organization, these skills should already by defined so you can work with your HR team to adapt them to your security function and then define what each employee should be demonstrating at each career level.

Example: Communication

  • Level 1 – Able to articulate clearly and concisely when communicating
  • Level 2 – Able to convey thoughts and opinions in a compelling manner to the appropriate audience
  • Level 3 – Gains support for new projects by clearly communicating value and  addressing concerns
  • Level 4 – Builds networks throughout the organization to support large initiatives and future endeavors
  • Level 5 – Champions strategic initiatives in ways that generate organization wide support
Role Specific Skills
 

Role specific skills are skills required by each role. They are unique. An engineer may require hands on knowledge of specific security tooling and the underlying platforms. An incident response analyst will require in depth knowledge of how to respond, contain and recover from an incident. Governance and Risk analysts may require specific regulatory knowledge. Input for these skills can come from the CIS or NIST control sets, industry job postings and industry certification requirements. All of these need to be defined in increasing scope and responsibility so employees know what is expected and can prepare for the next level of the role.

Example: Security Engineer

  • Level 1 – Demonstrates a working knowledge of security engineering concepts such as network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.
  • Level 2 – Demonstrates a detailed knowledge of one of the following security engineering concepts – network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.
  • Level 3 – Demonstrates a detailed knowledge of one or more of the following security engineering concepts – network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.
  • Level 4 – Demonstrates a expert knowledge of one or more of the following security engineering concepts – network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.
  • Level 5 – Demonstrates and applies expert knowledge of one or more of the following security engineering concepts – network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.

The career paths will help you during budget requests to justify why you need a specific role level. For example, maybe an upcoming initiative is really critical and has a tight timeline so you need to hire someone very senior so they can start making an impact right away. Alternatively, maybe you want to hire a more junior person because it will fit in the budget, but now you need to plan to train them and ultimately, the project will take longer to complete.

Career paths will also help clarify what your team members should be working on to get promoted to the next level. They are also useful during goal setting, career conversations, performance reviews and mentoring sessions.

Example Career Path: Security Engineer

  • Level 1: Associate Security Engineer
  • Level 2: Security Engineer
  • Level 3: Senior Security Engineer
  • Level 4: Principal Security Engineer
  • Level 5: Distinguished Security Engineer

Scope and Impact

The last thing you should do as part of this exercise is define the scope and impact for each career level. Defining scope and impact gives further clarity to your team members about how they should be thinking about their role and what success looks like. It defines what part of the organization they should spend their time in and who (or what level) they should think about interacting with.

Example: Scope & Impact

Scope and Impact

At the end of this exercise you will be left will a very detailed explanation of not only what your security organization looks like, but what success looks like as well. Your Role Definitions will provide a short description of each role, your Career Paths will help define the levels and performance expectations for each role and the Scope and Impact will define the level where each role is expected to contribute. All of this will become a reference guide for every single member in your security org and will help you as the CSO to budget, plan, diagnose and shape your organization to achieve success.

Proposed SEC Rule Changes For Cyber

In April of this year the proposed amendments to the cybersecurity disclosure rules are expected to be finalized. These rule changes will have change the way companies report cybersecurity in two main areas. First, it will change when and how companies report security incidents. Second, it will require companies to report how they manage and govern cyber security risk. Let’s dive into how these changes will impact companies, the overall industry and how CSOs can help their businesses navigate the changes.

Changes To Incident Disclosure Requirements

The first major change will standardize how companies disclose cybersecurity incidents. These changes will require companies to report a material incident after four business days and provide updates to past incidents for up to two years after. The effects of these changes are expected to make it easier for consumers and investors to evaluate the impact of a security incident and ultimately how well a company deals with security incidents over time.

The long term results of these incident disclosure requirements may mean publicly traded companies begin to see impact to their stock prices as more material incidents are disclosed. The loss in shareholder value will ultimately result in companies investing more in their cybersecurity programs to better handle incidents or recover more quickly with the goal being to maintain investor or consumer trust. Also, requiring companies to disclose incidents within a specific time period may initially result in more lawsuits, which in the long run may force companies to invest more in security to reduce or manage risk.

For a CSO, I recommend evaluating your existing incident response and disclosure plan. Discuss with your legal and finance team about the criteria for declaring an incident, what constitutes a material incident and how to report this information within the SEC timelines. Four business days is a tight timeline for determining what happened, how it happened, the scope of what happened and accurately reporting this within the standard SEC forms. It will also be challenging to comply with the new SEC rules, while at the same time notifying the appropriate partners, customers or consumers so they aren’t learning about it first from the SEC disclosure. This may result in businesses rushing out the disclosure without all of the details, which could erode investor and customer confidence. Or, it could result in the company changing their rules for determining a “material” incident, which might buy them some time to delay the disclosure for more accurate reporting. This will be a fine line to walk and I highly recommend the CSO partner with the Chief Legal Counsel and Chief Financial Officer so they don’t run afoul of the new rules.

Lastly, a CSO will also want to help their organization navigate the risks of these disclosures. It is possible that a company will still be remediating or recovering from an incident when they are required to disclose the incident in their SEC forms. This could disclose details about the incident, the attack and vulnerabilities in a public forum, which could invite follow on or copy cat attacks. A CSO will need to guide their organization how to manage these disclosure risks, while dealing with the ongoing incident. I strongly recommend you run your executive staff through one or more tabletop exercises that runs through various scenarios you may encounter.

Disclosure Of Cyber Security Risk Management & Governance

The second major change will require companies to disclose how they are managing and governing security risk. This will require companies to provide details into their security strategy, security policies and criteria for selecting third party service providers. It will also require disclosure of management’s role and qualifications for assessing and managing security risk.

Overall, I think these changes will have a positive effect on the CSO role. Organizations that previously gave lip service to establishing, funding and governing a comprehensive security program will now be evaluated by investors and consumers in a standardized public forum. Stiff penalties will follow in terms of loss of market value, loss of consumers or even fines from regulatory agencies if organizations fail to adequately meet “industry standard” or investor expectations for security programs.

Additionally, CSOs can now “strut their stuff” by continuing to build, document and lead comprehensive security programs that measure and manage risk. These programs will stand as evidence to the investment and preparedness of the organization to deal with security incidents and manage risk. The new SEC disclosure requirements will allow investors to evaluate and ultimately reward organizations that are meeting expectations for security maturity and resiliency.

Requiring boards and executive management (named officers) to disclose their role and qualifications for assessing and managing security risk will also have a positive impact in how CSOs and security organizations are treated throughout the company. First, it will become common place for organizations to seek seasoned security veterans for a position on their boards. There will be an initial rush to find appropriate talent and in the long term these board positions will become a new career path for former CSOs and security executives.

Second, the addition of security experience to boards will mean CSOs have an ally at the senior levels of the company who understands risk and can help drive conversations around security that would otherwise be glossed over or dismissed. For boards that don’t hear directly from the CSO, security minded board members can explore security topics with their representatives (like the CTO, CIO or Chief Legal Counsel). The end result will elevate security and risk as a topic of importance within board rooms, beyond the current discussions.

Third, supply chain security will continue to receive focus now that organizations will be required to disclose their selection and evaluation criteria for third party suppliers. Publicly traded companies will seek to identify and manage this risk through comprehensive security evaluations of third parties or even developing comparable capabilities in house. Publicly traded companies will also look to limit their liability from third party suppliers and so I expect increased contract language to meet specific security requirements and penalties passed on to the third parties as a result of security incidents caused by them.

Possible Ripple Effects

Overall, I consider these new rules to be a good thing. They will elevate the conversation of cybersecurity risk to the board level and require companies to prove their maturity through standardized disclosures that investors can evaluate. However, there will be some interesting ripple effects as a result of these rule changes.

First, as organizations begin to comply with these rules and disclose aspects of how they govern cybersecurity there will be a chaotic period where publicly traded companies seek to find the line between disclosing too much information and not enough. The industry as a whole will begin to evaluate these disclosures for what is considered acceptable or “good” and this will eventually drive the industry to a steady state where the disclosures become normal or standard.

Second, the third party evaluation and disclosure requirements will have a trickle down effect to the third party vendors (both publicly traded and private companies) because they will be forced to meet the elevated security standards of the companies they provide products or services to. Third party vendors will also need to worry about any new legislation coming out that will hold them liable for security issues in their products and services as specified in the new National Cybersecurity Strategy. This will ultimately raise the bar or maturity for the entire industry, which is a good thing.

Lastly, I expect a niche industry of board level security certifications to pop up that certify executives for board level service. Service on a board as a certified security representative will also be the new resume builder or LinkedIn credential that senior security executives aspire to in the later stages of their career. This may also become an area the SEC chooses to define in the future, such as number of years of experience required to serve on a board, credentials required, certifications, etc.

Wrapping Up

Overall, the new SEC Cybersecurity rules look to strengthen investor and shareholder confidence in the way a company is handling cyber risk or increase transparency around how the company is handling events over the past 2 years, which could become material in how investors view the health of the company. In short, cyber maturity will become another criteria for how to evaluate the performance of a company. Ultimately, these rule changes will elevate the maturity of security across the industry and enhance investor and consumer trust in a company’s ability to manage cyber security risk.

Link to Proposed Rule Changes

Five Take Aways From The New 2023 National Cybersecurity Strategy

In the first week of March, the Whitehouse released the new National Cybersecurity Strategy that outlines areas of focus and investment to “secure the digital ecosystem for all Americans.” Like most strategies, it is high level, broad in scope and forward thinking. Most of the strategy covers expected topics, with objectives like: protecting critical infrastructure, investing in research and development, expanding the qualified cyber workforce and increasing public-private collaboration. However, I found a few of the objectives thought provoking and ambitious because they have the potential to mature or disrupt the industry if enacted into standards or legislation.

Ransomware

The United States has labeled ransomware as a strategic objective that needs attention to prevent disruption of critical infrastructure and other “essential services,” like hospitals. Payments from ransomware support the activities of criminal groups and ransomeware attacks result in not only financial loss, but can result in loss of life through the inability to provide accurate or timely care. Dish Networks is the latest victim of ransomware, resulting in a 20% decrease in stock price, not to mention the amount it costs Dish to recover from the attack, including the loss of revenue from inability to process payments or provide adequate support.

Ransomware is a difficult problem to solve because the government can’t magically secure all of the vulnerable networks and systems in the US. Instead, the US Government plans to target the financial networks that process ransomware payments, disrupt infrastructure that supports ransomware and place diplomatic pressure on countries that continue to provide safe haven to ransomware operations. It will be interesting to see what effect this will have on ransomware attacks, but optimistically, I hope this will have the same result as recent high profile botnet disruptions.

As of yesterday, the administration can claim its first success in taking down part of a ransomware gang in Germany and Ukraine responsible DoppelPaymer and tied to EvilCorp.

Privacy

The Whitehouse considers privacy a strategic objective for the United States. The European Union set the global standard for privacy with GDPR and since then the United States has lagged behind other countries for national privacy regulations. This is evident because several states like California and Colorado have already passed privacy laws that establish fundamental rights to privacy for their residents and there are another three dozen bills in progress across several states in the US. A patchwork of state privacy laws will make it difficult for companies to navigate and satisfy each individual privacy law. Citizens in the United States suffer from poor privacy practices from companies that seek to monetize or use the data for strategic purposes.

There are dozens of privacy bills floating around Congress to address individual privacy, financial privacy, health privacy, and education privacy. These laws would give US Citizens fundamental rights to their privacy, the ability to control how their data is used and shift the collection of data from opting out to requiring consumers opt in to collection. A national privacy law would help consolidate the patchwork of state legislation and make it easier for businesses to navigate the new requirements. It would also place the United States on equal footing with other international standards like GDPR, which has had a significant impact on advertising and marketing business in the EU.

Liability for Third Party Software Security

One of the most interesting strategic objectives in the National Cybersecurity Strategy is the intent to “shift liability for insecure software products and services” to the companies that produce them. This has the potential to mature the technology sector by establishing a standard of security quality through legislation or penalties. The administration intends to do this by establishing a framework that will shield companies from liability if they follow the secure development practices in the framework.

In reality, software development is not that simple. Following a secure software development framework will not address the complex software security supply chain issues facing the technology sector. Use of open source software libraries is a common development practice that accelerates the development of software so companies don’t have to re-develop functions for themselves. This accelerates the software development life cycle and also self regulates by allowing the industry to settle on and standardize certain functions or technologies. While I applaud the sentiment to hold companies liable, it is unclear where the liability stops and this may actually hinder innovation in the technology sector. If a business includes an open source software package in their software are they now liable for the security of a software package they don’t control? Or, does the liability pass on to the random person who built the software package from their basement? Will companies now shift to stop using software they don’t control and develop these capabilities in house, which can waste development resources from producing products and services that generate revenue? What about embedded systems that have limited network connectivity or limited storage space to support continuous updates?

When looking at the history of massive security breaches like Target, SolarWinds, Sony or Equifax, there is certainly a need to hold someone accountable, particularly when the incident impacts consumers, shareholders or critical infrastructure. However, there are too many questions and complexities within existing software supply chains to simply regulate this problem away. I cautiously look forward to seeing how the administration navigates these issues without impeding innovation or levying burdensome penalties.

Federal Cybersecurity Insurance

One of the more interesting strategic objectives is to explore the creation of a Federal Cyber Insurance backstop. The concept is similar to FDIC for banks or disaster relief funds for natural disasters. A government cybersecurity insurance fund could be used to support areas of economic strategic investment that are not mature enough for full blown commercial cyber insurance, but need some sort of financial safeguard. The backstop can also be used for national level services that would have a catastrophic impact to the country if they were impacted due to a cyber event. A federal cyber insurance fund could be meted out like a disaster relief fund to help these critical services restore functionality or shore up finances in a time of crisis. Overall, I think this is a good thing and could provide some stability to the technology sector that is at times beholden to a cybersecurity insurance industry that has high rates and uncertain payouts.

Global Supply Chain

The COVID pandemic broke the equilibrium of a fragile global supply chain. Small disruptions in factory output or the availability of supplies brought several previously stable industries to a halt. As a result, the United States is rightfully considering the security of this global supply chain and what components are critical to maintaining military and economic superiority.

Computer chips are at the forefront of maintaining this military and economic superiority. In 2022 the Whitehouse signed an executive order, called the CHIPS and Science Act, to fund initiatives to make critical supply chain components, like semi-conductors, in the United States. Shifting or changing the global supply chain will take time, particularly with semi-conductors and so it makes sense to start immediately. Almost all of the manufacturing for semi-conductors occurs in Asia (South Korea, Taiwan and China) and it makes sense for the United States to begin to diversify this critical resource from a geographic region that is seeing increasing geopolitical instability. For example, if China invaded Taiwan it would massively disrupt the global supply chain for the rest of the world (including the United States). However, most semi-conductor industries have been built with, or heavily subsidized by, local governments and so the United States will have to match or exceed these subsidies if they truly want to be competitive in the global market, while securing a critical component of the supply chain.

Wrapping Up

Overall, the National Cybersecurity Strategy is a comprehensive and forward thinking strategy that has identified areas of national strategic cybersecurity importance in need of investment. Not all of the strategic objectives are clear on how they will achieve the goal without causing unintended negative consequences, but the intent to improve the resilience and preparedness of the United States is evident.

Thinking About Compensation

In the last quarter there have been a significant number of layoffs at high profile technology companies. The economy has also made these layoffs particularly challenging. If you didn’t receive a raise of at least 12% last year to keep up with inflation, then you didn’t get a raise or even got a pay cut. A job market flooded with candidates combined with top candidates seeking new positions means the job market is heating up for tech positions across the board. Some of these positions will be CISO level jobs and if you are in the market to make a career change you will inevitably run into salary negotiations at some point during the interview and negotiation process. Here are some things you will need to think about as a new or repeat CISO when negotiating for compensation in your new position.

Job Level

The management level of the CISO role varies across industry and company size. Some CISO roles are Director level, the majority are VP level (including Sr. VP and Executive VP) and a few are truly C-Level as named officers of the company. The role level should be commensurate with the level of responsibility – the more responsibility, the greater the impact to the company and the more senior the role should be. Likewise, the more responsibility, the more risk you are assuming (or responsible for) and so compensation should recognize and reward this.

Company Size

The first choice you will need to navigate is what type of company you want to work for. Public vs private companies will be the main tradeoff, but government or public sector may also be something else you are considering. The main thing to consider with company size is you typically can get a higher title at a smaller company, but this comes at the expense of a lower base salary or more risk in terms of the longevity and stability of the company or the ability to liquidate your equity. However, this risk comes with the potential for a bigger payout and so it is important to really do your research and make sure it is something you truly believe will succeed.

Government and public sector also offer interesting advantages. These roles can come with high visibility, but will typically offer lower salaries or total annual compensation than the private sector. The tradeoff here is you are forming highly visible connections across government and the public sector. You can also establish your reputation on a nationwide level. Lastly, government and public sector positions offer a pension or some form of retirement after the fact. Private sector companies typically do not offer the same level of retirement unless you self fund or have a match via an employer plan. There is a real tradeoff between private and public sector in terms of immediate compensation or deferred compensation, which will come down to your overall financial goals and associated timing.

Risk vs Reward

Let’s briefly talk about risk vs. reward. The type of company you choose to work for and the sector you choose to work in will dictate how much risk you are assuming, which will directly impact your compensation. On the one extreme there are startup companies. They offer the most risk, but also the most reward. On the conservative end of the spectrum there is government and public sector. These jobs are really stable, but can’t match the big pay offs that are associated with start ups or publicly traded companies.

Reward vs Risk

In the graph above I placed public companies as having more risk than private companies due to the fluctuating nature of equity that typically makes up a large portion of the compensation at these companies. However, the real answer is “it depends” and so I encourage you to do your homework on the company you are considering.

Total Compensation

The next thing to understand is: what is the total compensation for the position and what makes up that total compensation? I often find interview candidates are hyper focused on base salary because it offers the guaranteed paycheck each month. However, there are a lot of other ways to build a total compensation package, especially at the executive levels. My recommendation is to take the time to understand all of the components that go into total compensation at the new role. Carefully evaluate the risks and to determine what you are comfortable with, then use that to discuss options with your prospective employer.

Cash Equivalents

Base salary is the big one here, but not the only one. This is the safest form of compensation because it is explicitly written in your offer letter and arrives at regular intervals. I will also lump sign on bonuses into base salary because they are typically granted when you start employment or are guaranteed payouts over a period of time (subject to remaining with the company for a specific term).

Annual Bonuses, Incentive Compensation Plans, Long Term Incentive Plans and Profit Sharing Plans are next on the list in terms of risk. These are basically cash payouts that are given at some interval (monthly, quarterly, semi-annually, annually) depending on the performance of the company. For example, if you are supposed to get a $100 bonus quarterly and in the first quarter your company misses their financial goals, they may choose to only finance 75% of the bonus amount and so you only get $75 that quarter.

Likewise, commission (if applicable) is essentially cash in your pocket, but assumes an amount of risk depending on your sales cycles, lead times, what vertical you are in, your customer, etc. CISOs who are in a public facing role at a product company may be eligible. Similarly, CISO Advisors who help drive sales may also be eligible for commission.

Commission is a lever you can pull on depending on how much risk you want in your compensation. Sales people typically carry very high commissions as percentage of base salary to incentivize them to get out there and sell. Sales engineers or indirect sales people typically have a much lower commission percentage as part of total salary.

Another common compensation option, particularly at public technology companies, is equity. Equity can come in many forms such as Restricted Stock Units (RSUs), Shares or Stock Options. All of these require some sort of sale to convert them to cash and their value will depend on the vesting schedule, how the company is performing, how the stock market is doing (if a public company) or the terms of your ownership in the company that specifies when and how you can sell your stake.

Equity is a form of compensation that allows the employee to assume an amount of risk in their total compensation and it ties their performance (and compensation) to the performance of the company. For a CSO this can be an incredibly rewarding form of compensation particularly if you help take a company through IPO or help mature a company to grow revenue or increase shareholder value.

All of these cash equivalents are negotiable, particularly things like amounts, vesting schedules, strike prices or even equity percentages. Whether or not you get some or all of these will depend on the company and job level of the role.

Indirect Compensation

Other things that will contribute to your paycheck are the benefits your company will provide. Here is a list:

  • Healthcare – Do they cover healthcare, what type of plans do they offer and how much does the company cover? Do they have an on site gym or allow employees to expense gym memberships?
  • Vacation / Leave – Does the company offer unlimited time off or are you limited to a certain number of weeks per year? What is the accrual rate, are there blackout periods, are there times when the whole company is expected to take off?
  • Retirement – Does your company offer a 401k match and what other type of retirement investment options do they offer? Does your employer offer a deferred compensation plan, which can be useful as you approach retirement age?
  • Training & Continuing Education – What type of training does your employer cover? Do they support you going to conferences? Does your employer offer tuition reimbursement or even pay for a full executive education program if you are considering going back to school? Do they cover professional memberships and certifications?
  • Work Permits / VISA Sponsorship – Do you require and does your prospective employer offer VISA sponsorship?
  • Relocation Assistance – Do they offer relocation assistance if you are being asked to move? What type of accommodations and support will they provide if you are being asked to move to a foreign country?
  • Travel & Expense Policies – What type of travel policies do they have when you travel? Do they provide you with a cell phone or allow you to expense your current phone and plan? Do they pay for your internet connection if you are a remote employee? Do they cover mass transit passes or parking (if located in a major city)?
  • Discounts & Perks – Do they offer employees other perks like discounts, free tickets to sporting events or awesome swag?

All of these options will vary depending on the company you are considering and it is important to ask questions and consider all of these additional benefits that will indirectly boost your paycheck.

Other Things To Consider

When negotiating for your new CISO role, there are other things you may want to consider asking for depending on your job level and amount of responsibility.

First, you will most likely want to negotiate a severance if you are laid off or terminated as a result of a security event. Typical severance packages offer some amount of base salary payout, but can also include accelerated vesting schedules, guaranteed bonuses, relocation, cash payouts, etc. Severance packages typically don’t come into play until the more senior levels, but given the high risk nature of the CISO role it is something to ask about during the interview or salary negotiations.

Second, if you are in the senior management ranks it is important to ask if the role is going to be a named officer of the company. If it is, you will want to ask about being included in the liability policy for Directors and Officers. If not, you may want to ask if the company has a standard corporate liability policy and if you can be included in it, which can help protect you during lawsuits or other legal issues you may encounter while employed in the role. You may also want to negotiate for the company to cover your legal fees if you are sued and have the ability to select and retain legal counsel of your choosing that the company pays for, but represents you.

This brings us to the last point of consideration which is contracts and contract terms. At the more senior ranks it is typically to negotiate for all these things, but agree to stay for some period of time as specified in an employment contract. This contract may also have specific non-compete agreements, specific non-disclosure agreement terms and other terms you may have negotiated. They key takeaway is to get everything that has been agreed to in writing and included in the contract.

Wrapping Up

Salary negotiations can be stressful, but they don’t need to be. Doing research, asking questions and knowing your worth can help make salary negotiations go smoothly. Some states now have pay transparency laws which can make it easier to understand the compensation range for the role. At the higher employment levels you may want to consider retaining a compensation lawyer who can draft and review contract or compensation terms on your behalf. Not all of the options I’ve mentioned above will be available at your employer or at the job level you are applying for and so taking the time to understand what is available is important to make sure you are being compensated and protected appropriately.

How Playing Video Games Can Help Your Career In Security

One of my favorite things to do after work is to sit down and play video games. I’ve enjoyed playing video games ever since my father purchased the first family computer in 1986. Now many years later, high powered video game consoles combined with fast internet connections have made playing video games a truly incredible experience and I believe playing video games helps develop and reinforce the skills that are important in a successful security career. Let’s look at some of the skills required by both video games and security professionals.

Problem Solving

One of the most important skills when playing video games is problem solving. Whether you like first person shooters, role playing games, racing games or any other game, all of them require you to determine how to achieve some sort of objective like getting to the next level or unlocking a secret. The thought processes required to solve riddles and level up in video games are also useful in security.

Problem solving in security is important in every discipline. CISOs need to determine how to best manage risk, while supporting the needs of the business. An incident responder needs problem solving skills to determine the nature of an attack and how to best recover from the incident. Security engineers identify problems, establish requirements and then solve the problem by building the solution. All of these roles (and the rest of the Security Org) need well developed problem solving skills to be successful in their role.

Curiosity

Curiosity is also an important skill in video games. What is in this crate? Where does this path go? How do I open this door? What does this new skill do? Exploring the limits of the game are essential to ultimately beating the game and that is also why curiosity is an fundamental skill for working in security. The security industry is inundated daily with new vulnerabilities, new technologies, new attacks and new methods to defend against them. Persistent curiosity is required to continually advance your knowledge, test the limits, learn new skills and ultimately persevere in protecting the business.

As a CSO, curiosity is an important skill to exercise everyday. Asking questions to understand how regulations will impact your industry, how business processes work, how products function or how customers interact with your business is important to inform your decisions on how to best protect the business and manage risk.

Collaboration and Teamwork

Over the past three decades some of the most popular video games have been multiplayer games that rely on collaboration and teamwork to win. When working in a team you increase your odds of capturing a flag, completing a quest, winning the race or beating the game. Team mates can help you, resupply you and even save your life. Just like in video games, security requires team work and collaboration to be successful.

A CSO needs to collaborate with the rest of the business in order to understand how to best manage risk. CSOs need to understand every part of the business to be successful, incident responders need to work as a team to protect the business, compliance professionals need to work with the business owners to gather evidence and governance teams need to work with the rest of the business to establish processes that are minimally invasive. All of this requires teamwork and collaboration in order to be successful.

Attention To Detail

Video games offer unique challenges and the ability to pay attention to small details is often important to complete quests, solve puzzles or beat a level. Racing games require the ability to absorb small details at incredible speed, sports games require players to pay attention to detail to score a point and strategy games require players to pay attention to small details to beat enemies or unlock new skills. Attention to detail is an important skill when playing video games and it is also an important skill in security because all roles in security require attention to detail, which can be the critical difference in resolving a vulnerability or reducing risk.

Often, the small details make the biggest difference in security. GRC professionals need attention to detail to understand specific regulatory requirements or frameworks and how they apply to specific controls or technologies. Incident response professionals need attention to detail to understand how to respond, how to gather evidence and how to recover. Sometimes, it is the small details that someone notices that lead to an investigation and that investigation leads to an incident. Finally, CSOs need attention to detail to understand how to allocate resources, how to budget appropriately and how threats relate to business risk.

Other Important Skills

In addition to the four skills I’ve described above. Video games and security roles also require a number of other common skills. Here is a short list:

Time Management – Using your time wisely and completing tasks within a specific time period.

Discipline – Setting boundaries for yourself and adhering to them.

Competitiveness – Competing with others, rising to the challenge, conducting yourself with honor and being a good sport.

Perseverance – Never giving up, pushing through and completing the job.

Detachment – The ability to look at problems from different perspectives.

Positivity – Don’t dwell on the losses. Focus on the good and believe in a positive outcome.

Cognitive Performance – The ability to focus, perform well under pressure, react quickly and even get into a state of flow.

Wrapping Up

A successful career in security requires not only focusing on domain specific skills (like GRC, Incident Response, etc.), but also more generalized skills that translate to all aspects of life. I personally enjoy playing video games for the reasons above, but also because of the social component that now exists in games. The ability to share the experience with others or discuss games with co-workers and friends is enjoyable. So, next time you are looking to advance your career don’t forget to work on the softer skills along with the security specific skills required for your job and I hope you will consider video games as a viable way to develop those skills!

How Security Evolves As Organizations Move From the Datacenter To The Cloud And Beyond

Despite cloud growth slowing in the past quarter, the momentum of existing and planned cloud adoption remains. As a new or existing CISO, your organization may be just starting to migrate to the cloud or may be looking to improve efficiency by adopting newer technologies like Kubernetes. Wherever you are in your cloud journey security needs to be in the forefront with careful consideration for how your security org, its governance and controls will evolve along the way.

Avoid The Free For All

I’ve been through multiple cloud migrations and before anyone in your organization begins to migrate, the IT, Security and Finance organizations need to come together to lay the appropriate foundation in the new environment. This means you need to set up the appropriate structure for mapping and controlling costs. You also need to map all of your existing IT and security policies and controls into the new cloud environment before people migrate to avoid having to do clean up later. It doesn’t have to be perfect right away, but doing some preparation and implementation of guard rails before teams migrate will pay dividends later.

Not Everything Is Easier

As organizations migrate to the cloud, security teams need to consider how the tools and processes they rely on may change. For example, if you currently rely heavily on netflow or packet captures to monitor your networks, the methods to get the same visibility may be different in the cloud. Similarly, transferring large amounts of data or security events can incur significant costs and so your logging and SIEM infrastructure may need to be re-architected to keep the events as close as possible to the environment, while only shipping the most critical events to a centralized location.

Penetration tests are also different in the cloud. If you regularly penetration test your environment or have third parties conduct pentests for contractual, compliance or regulatory reasons, then these will need to be scheduled and coordinated with your cloud provider so you don’t accidentally disrupt another customer. When you move to the cloud you no longer “own” or control the network and so you have to operate within the terms laid out by your cloud provider. As a result, pentests may be less frequent or may need to have their scope adjusted as appropriate for the environment.

Asset inventory may also change. If you are used to assigning your own DHCP addresses and having these addresses be relatively static in your inventory this will change in the cloud. Your asset inventory will change based on how frequently your organization spins up and down resources. This could be a few hours or days. Your associated inventory, reporting, vulnerability scanning, etc. will all need to be adjusted to the frequency of resource utilization and this can make tracing security events difficult if your inventory isn’t correct.

Processes aren’t the only thing that will need to be adapted to the cloud. Let’s consider how the scope of security changes as you move to the cloud.

In The Beginning

Consider a traditional technology stack where an organization has purchased and manages the storage, network, compute, OS and software running in the stack.

In this model the security organization is responsible for ensuring the security of not only the physical environment, but the security of all of the other technology layers. In some ways this environment offers simplicity because a production application maps directly to a network port, firewall rule, operating system, physical server and dedicated storage. However, this simplicity comes with the full scope of security of the entire environment and technology stack. The leading tech companies largely moved away from this model in the early 2000’s because it is inefficient in terms of resource utilization, portability of applications and velocity of deploying new software at scale.

Enter Virtualization

Organizations looking for more efficiency and utilization from their technology assets found an increase as virtualization came onto the scene. Now companies can run multiple Operating Systems (OS) and application stacks on a single stack of physical hardware.

For security teams, virtualization increases the density of their asset inventory compared to physical assets. This means the asset inventory no longer has a 1:1 correlation with physical assets and the attack surface for the organization will shift towards the OS, Application and Network layers. In this model security teams still need to focus on the full scope of security, but it also allows the organization to begin taking advantage of modern IT infrastructure and deployment concepts.

One extremely important concept is the idea of immutable infrastructure. With immutable infrastructure the organization no longer makes changes to things in production. Instead, they update, patch or improve on their virtual machine images and production applications in their development or test environments and then push those into production. This means development teams can increase the velocity of the software development lifecycle (SDLC) by fixing once and deploying many times. It also means security teams can more tightly control the production environment, which is the highest area of risk for the business.

Moving To The Cloud

At some point your organization may make the decision to migrate to the cloud. Migrating to the cloud offers a number of benefits such as no longer having to purchase and manage depreciating assets, no longer having to staff people to physically manage hardware, no longer having to pay to protect and insure physical assets, increased development velocity and the ability to scale compute, storage and network as needed.

For the security organization, moving to the cloud means you no longer need to worry about physical assets such as network, storage or compute. Your cloud provider now takes care of those layers and so your team has reduced physical scope, but increased logical scope, which results in increased attack surface. Development teams can now deploy with increased velocity and so it is incredibly important to enforce good security hygiene. Shifting security as far left as possible within the CI/CD pipeline and automating the security checks are incredibly important. Similarly, putting guard rails in place to control the environment will be really important to avoid magnifying security issues at scale. Some things to think about are:

  • Tagging is required for security, finance, development, etc. otherwise the deployment fails or the instance is shut down
  • Object storage private and encrypted by default
  • Only specific and required network ports allowed
  • NACLs, ACLs, WAF and/or proxies configured and deployed by default based on service or application
  • Applications are not allowed in production with critical or high vulnerabilities
  • Security logging at each layer sent to object storage, filtered and then sent to a centralized SIEM
  • Control software libraries to minimize software supply chain risks
  • OS images patched, hardened and loaded with required agents
  • Identifying and controlling the flow of data to avoid data leakage
  • Setting and enforcing data retention policies to no only control costs, but reduce the volume of data that needs to be protected

Moving to the cloud allows organizations to dramatically improve the velocity of development and as a result security teams need to shift their controls left in order to improve security and increased visibility without impeding velocity.

Commoditizing The OS Layer

Lastly, once organizations are in the cloud they can begin to ask questions like – what if the OS didn’t matter? What if memory, compute, storage and everything below the application layer was taken care of automatically and all developers need to worry about is the actual application? Enter containers and kubernetes.

Containers and kubernetes allow organizations to scale their applications with incredible speed. All developers need to worry about is to package up their application in a container, deploy it into the cluster and let everything else happen automatically. This model presents both a challenge and an opportunity for security teams.

First, all of the security checks we discussed previously need to happen within the build process and deployment pipeline to make sure organizations aren’t amplifying a vulnerability across their applications.

Second, security teams will continue to make sure the underlying kubernetes clusters meet their security requirements, but the main focus will be on the application layer. Controlling ingress and egress of network traffic going to the application, making sure software libraries are approved and free of vulnerabilities, ensuring software security checks like SAST, DAST and even fuzzing of interfaces are performed before deploying to production will be incredibly important. It will also be important to maintain an inventory, but this wont be a typical inventory of who owns an OS or compute instance. Instead, this inventory will map which team owns a particular application. This will be important for events like Log4j so the appropriate dev team can identify and remediate software libraries or flaws in their applications quickly and then re-deploy. Remember the environment should be immutable so security teams will need to scan, monitor and respond to vulnerabilities detected in production quickly since the attack surface will be much larger in this model.

Wrapping Up

No matter where your organization is in their cloud journey security teams need to identify their scope of responsibility and apply security best practices within their environment. Organizations still in data centers will require security teams to address the full scope of security from the physical layer to the application layer and everything in between. As organizations begin to adopt technologies like virtualization, development velocity should begin to increase and security teams will need to adapt. Moving to the cloud is a big step, but will pay dividends to the organization in terms of increased velocity. Organizations no longer have to acquire or focus on physical hardware and so they can staff more software developers. Likewise, the security teams will need to adjust their requirements and controls to focus on the OS layer and above. Lastly, organizations that have moved to container technologies or embraced kubernetes will have tremendous velocity and security teams will need to make sure the appropriate checks are integrated into the CI/CD pipeline so vulnerabilities aren’t magnified across the entire environment. In order to avoid this security teams need to focus primarily on the application layer and automation will be key.

Conquering Impostor Syndrome

Over the past eighth years I have been shifting my personal interests from reading technical books to reading books on mental performance. Navy SEALs like to say their training is 10% physical and 90% mental and I think this holds true for a lot of endeavors in life. The security industry is inundated with training courses about how to penetration test, how to be an incident responder or how to become a CISO. However, if you want to strengthen your mind to handle the stress of a security role you have to leave the community and seek answers in other places like extreme sports, the military or even self help.

Mental Health is an extremely important aspect of career management that often gets overlooked or neglected. The security community is notorious for burnout because the issues we deal with on a daily basis have a sense of urgency or feel never ending. One important mental health issue that is particularly pervasive within the security community is Impostor Syndrome, which is when people who are otherwise talented or successful still feel as if they are a fraud.

I have personally experienced both burnout and impostor syndrome throughout my career and in my experience impostor syndrome is caused by a fundamental lack of belief in oneself. Therefore, in order to overcome impostor syndrome one must somehow boost their own confidence, which can be difficult because it is tough to self assess.

Understanding the problem

In order to overcome impostor syndrome it is important to first diagnose and understand the problem by asking the question:

What part of your life, career or skillset makes you feel like a fraud?

Perhaps you recently received a promotion, but haven’t received training or coaching to build the necessary skills in that role?

Or, maybe you have the skills, but you haven’t received feedback or validation that these are the right skills to have?

Maybe you are worried your skills are sub-par compared to other people you see at conferences or who you interact with regularly?

Whatever the issue, it is important to be honest with yourself about what makes you feel like a fraud. This is an important step because once you identify the issue you can build a plan to address the problem.

Develop A Balanced Approach

One of the most impactful books I’ve read on mental performance is called With Winning In Mind by Lanny Bassham. This book discusses different parts of the human psyche that need to be in balance in order to avoid psychological performance issues like Impostor Syndrome. With Winning In Mind discusses how to balance the Conscious mind, Sub-conscious mind and the Self Image to achieve balance of the psyche and ultimate performance.

In my opinion, Impostor Syndrome is caused by an imbalance in the Self-Image. The self image has not developed in line with the knowledge, career progression or skillsets possessed by an individual. As a result the individual lacks confidence in themselves and needs to spend time building up their self image to conquer impostor syndrome.

Building (Or Rebuilding) Your Self Image

Below are the steps I recommend you follow in order to overcome Impostor Syndrome. These steps require work and dedication, but if you commit and follow through it will be worth it in the end. The steps are as follows:

  1. Identify the skills or character traits in which you lack confidence. Write these down.
  2. Develop a plan to train or develop each area so you can begin to build confidence in that area.
  3. Create positive affirmations to reinforce your training and build your self image. Put these in prominent places (fridge, desk, mirror, car dashboard, etc.) that you see daily and repeat them to yourself whenever you see them.
  4. Record your progress in a journal and review regularly.

Example

  1. Identify skills – I feel like an impostor when I speak in public. “I want to be a better public speaker”
  2. Develop a plan – “I will practice public speaking for 15 minutes a day, while recording myself. I will review the recording each time and make a plan for the following day for how to improve.”
  3. Create Positive Affirmations – “It is like me to be a great public speaker”
  4. Record your progress

Wrapping Up

Impostor Syndrome is a common psychological performance issue, particularly in the security community and it is caused by fundamental lack of confidence in oneself. By honestly identifying where you lack confidence, you can develop a plan that will help you improve your self image and ultimately overcome the feeling that you are a fraud. If you suffer from impostor syndrome I encourage you to speak openly and honestly about it with a mentor, trusted colleague or mental health professional who can help you create a plan to overcome the issue because impostor syndrome can cause you to psychologically hold yourself back from truly achieving your fullest potential.