Ten Habits of Highly Effective InfoSec Leaders

I have been doing a lot of thinking lately, given the state of the economy and some of the discussion I've had with many of my colleagues.  What I've come to realize is that I have taken a different approach than many of my colleagues when it comes to leadership and Information Security.  It's well past time to reinvent the information security field, and reverse the impression that we are the Ministry of No, and the buzzkills that are constantly looking to shut down everyone's chat.  Our role is so much more than that. Too often we paint ourselves into that corner because we are unwilling or unable to engage the organization at a higher level, or learn how to make the business function better.

Given the landscape of the past and the changes due to economics, a successful infosec leader must do the following things, and do them well, to cultivate a healthy information security program that will support and align with the business:

Communicate to the business about the business

When we started, years ago, we most often looked for the most technical person in the room for senior [information security] positions, and now we're finding that we're replacing those technical execs with execs that truly understand, and can take a holistic approach to, risk.  What we're finding in the jobs that we're filling, not just at the C-level, but at many levels, is that they're asking us for folks that really understand how to communicate effectively to the board.  -Joyce Brocaglia, Alta Associates, RSA 2009

Risk is the language of business, and if you cannot communicate risk to the powers-that-be in your organization, your infosec program (and career) will never evolve.  You will never be invited to the table if you cannot demonstrate that you belong there by helping them make critical business decisions.

Businesses manage risk, day in and day out.  What is the risk of investing in a new product line?  What is the risk of leaving out Feature X until Version 2?  What is the risk that the $10,000 investment in the new marketing campaign won't result in an uptick in new business?

If you learn how to quantify risk, you will never be accused of trying to scare the business into buying needless security widgets (the Chicken Little syndrome), and you will be able to justify the investments that make sense for the business.

Never let "it's a best practice" be a justification for a security initiative
"Best practice" is an excuse, not a justification.  Best practices are what you resort to when you don't know what the right thing for your business is.  The company isn't in the business of aligning its security program with industry best practices.  The company is in the business of selling widgets.  How many more widgets will the company sell if they implement your suggestion?  Is some significant risk reduced by implementing the suggestion?  These are the arguments that will allow the business to say Yes.

Never say "No"
No is rarely an acceptable response to someone communicating a requirement.  Someone's secretary wants to access Facebook during lunch?  "No" isn't going to get you anywhere.  How about "Sure, we can do that, but given the various threats coming from Facebook lately (demonstrate some), we'd be wise to implement some additional protections around that traffic."  I bet you can leverage that secretary's lunch desires to reduce her rights on the system, which kills two birds with one stone.  Or, if the organization isn't willing to spend the money on the necessary controls, you can go back to the secretary and let her know that you went to bat for her but failed.  Either way, you're the guy that tried to help, not the bad guy who just said "No".  Chances are, she'll come back to you the next time she wants to do something risky.

No doesn't make you friends.  "So what, I'm not here to make friends, I'm here to secure the enterprise," I hear some of you say.  Well, your job will be orders of magnitude harder if you are viewed as an obstacle that must be overcome, rather than a friend of the business.  How many groups will invite you to the conversation when all you do is burden them with costly and time-consuming controls and processes?  Which brings me to...

Be approachable
Encourage dialog.  Reach out to end users.  Introduce yourself to business owners, solicit their opinion on things, and ask them what their challenges are, how they work, and their perspective on information security.  Learning what the end users really think, rather than what you assume they think, builds a relationship of shared ownership.  The result is allies who will help you sell future initiatives.

Don't let the first contact with your end users or business owners be only after you have discovered a problem.  Integrate yourself into the onboarding process.  Five minutes spent in a new hire orientation, introducing the infosec organization and going over basic guidelines, will make a night-and-day difference in the attitude end users have toward you and your program.  Sharing with them why security is integral to the business, and making it personal, will give them motivation to support information security on an ongoing basis.

Conduct brown-bag sessions on security topics.  Make them short.  15 minutes is my target, with questions for however long they need.  Record them, if you can, so you can distribute them via intranet to people at other sites or who couldn't make it to the live show.

Speaking of which...

Learn to talk like a human being
If you have a conversation with 99.999% of the population on this planet, and you toss out words like "AES256" or "Diffie-Hellman", you will not connect with your audience.  All you are doing is confusing your audience, at best, and probably alienating them.  End users don't need to know how the sausage is made, only that they have ready access to sausage and that It's A Good Thing(tm).  You can go into a little more detail during Brown Bags, but be clear about the level of technical depth of the talk, so you will hopefully get an appropriate audience.  But I would argue then that you should be spending time on topics that will reach a larger portion of your user population.

What you *can* do, however, is...

Blow your end users' minds from time to time
End users get complacent about their computer usage habits.  Always have a small collection of ready-to-roll, easily demonstrated exploits in your bag of tricks, even if they have long since been fixed.  Maybe it's a virtualized image of a poorly patched Windows box that you can bring up at a moment's notice.  Doesn't matter.  Demonstrating the sneakiness of attackers is often an eye-opening experience for your end users.  I once orchestrated a demonstration of a chromeless window exploit to a group of system admins, and their mouths all dropped.  Demonstrations like that tend to re-engage your users, and remind them that they are a critical part of the company's security posture.  That's a win for you.

Cultivate your reputation
Develop a reputation for protecting the business.  Understand the risks of the changes you are proposing and work diligently to reduce them.  Even if the company doesn't have an official change management program, you should.  Even if it's just yourself.  I can count on my hand the number of times a security control under my purview has negatively impacted the business' ability to operate.  Availability trumps security every single time, and those security controls will get ripped out if they impact the business' ability to operate.

Develop a reputation for being a straight shooter.  The business needs to know it can count on you for a fair and accurate assessment of risk, countermeasures, controls and technology.  Also ensure that you include the ancillary costs (personnel, OS licenses, etc.) associated with the solutions you propose, to minimize having to go back to the well for more funding than what the business owners originally approved.  The business needs to trust that the solution you've proposed can be realized with the financial outlay you've indicated.

Develop a reputation as a problem solver.  You want business units to approach you with problems, and ask for help solving them, rather than route around you with a solution they know is poorly considered.  See above guidance regarding "no".  You need to be seen as a business enabler, not an obstacle that must be continually overcome.

Develop a reputation for being pragmatic.  Don't blindly follow the industry.  Reevaluate your beliefs, frequently.  If the password policies don't make sense, change them.  Ignore best practices if they don't fit the realities of the business, even if it means bucking an auditor in the process.  Mold the information security program to the needs of the business.

Understand that robust security begets compliance, not vice versa
If you have a solid information security program, you will not have to worry about audits or regulatory compliance exceptions, because you are 99% there on most compliance obligations your company is likely to have.  That does not mean implementing every suggestion from NIST or similar bodies of infosec standards.  Remember, "best practices" are recommendations for what to do if you don't otherwise know what's best for your business.  If you blindly implement controls and processes to satisfy your PCI audit, for instance, it doesn't mean your business is secure.  Secure your business, and compliance will be trivial.

Befriend your auditors
If you have an adversarial relationship with your auditors, internal or external, you're doing it wrong.  Your auditors are partners.  They help you measure (and demonstrate) improvements you are making to the business, and help you justify investments in additional areas.  If you have a healthy relationship with your auditors, your audits will go more smoothly and they'll be out of your hair quicker.  An adversarial relationship with your auditors will only result in them looking harder and longer for cracks in your program, and every hour they spend doing so costs your business money.  Once the auditors develop confidence in your program, and understand that they can't run up the bill generating finding after finding, they'll be motivated to complete their report and move on to the next engagement.  Reducing your company's annual audit bill is a fantastic way information security can contribute to the company's bottom line.

Contribute to the InfoSec Body of Knowledge
The information security profession relies heavily, perhaps more than most other fields, on information sharing and peer review.  You should be writing; be it articles, blog postings, or contributing answers to questions posted in online forums.  A good infosec leader should be continually contributing to the InfoSec Body of Knowledge, even if the contributions sometimes seem trivial.

Show up at local infosec events, and speak at one at least once a year.  One thing you should take away from the other habits listed above is that your communication skills are critical to being successful in the information security field.  Hone them, exercise them.  If you are not an effective communicator, you will not be an effective information security leader.

In conclusion
This isn't the same business many of us were introduced to when we started our infosec careers.  For example, the CISO role didn't even exist when I entered the business, and it is being redefined constantly.  Hard economic times have put increased pressures on all business units within a given company to innovate and bring new ideas to the table about how to make the business run better.  By aligning yourself with the organization's larger goals, and adopting the strategies outlined here, you will help Information Security transcend the stereotypical roles and evolve into a business unit that has true and measurable impact on the success of the business.  And that's a win for everyone.

Posted Monday, June 08, 2009 1:12 PM