Learning from Experience – November Blue Lava MasterClass Takeaways
Demetrios Lazarikos (Laz)
April 18, 2022
As typical CISOs, we find ourselves working a minimum 50-hour workweek pretty much every week. The question is, where are you spending your time – and is that investment of time getting you the results you, your team, and your organization demand?
Thinking about your program, where are you investing your time and resources? Where are you overinvesting? Where are you underinvesting? These are essential questions that are often difficult to answer. Perhaps the challenge stems from not knowing where your resources – people, process, and technology – are allocated.
One clue to help answer these questions can be found in recent research from Gartner [2020 Gartner CISO Effectiveness Survey], which shows that CISOs tend to overinvest in:
- Security operations
- Leading staff
- Setting policy/standards
- Overseeing project risk assessments
- Managing third-party vendors
What does that mean to the overall security program and business when key relationships and strategies aren’t included in the 50-hour workweek?
One thing that shouldn’t be ignored: these overinvestments could be the result of another data point captured in the same Gartner report, which shows that CISOs tend to underinvest in:
- Building relationships with key stakeholders
- Strategic plans that align with the company’s vision, mission, and objectives
A lack of a cohesive strategy and alignment at the highest levels results in attempts to make up for these deficiencies through other measures. Those measures create tension across the organization, and everyone ultimately suffers.
This topic was one of many that garnered a lively discussion during the recent Blue Lava MasterClass with Frank Kim, Fellow and Curriculum Director at SANS Institute. Frank’s presentation culminated in dialogue recognizing that every CISO has a different perspective about their program and how it can, and should, support the business. These perspectives are created from personal backgrounds, training, education, paths into the role, experiences in multiple industries, and so much more.
What do these perspectives bring with them? Much more than you may realize.
Everybody has a lesson that they’ve learned – in some of the cases Frank and I have discussed, this proved to be the hard way of learning. In my humble opinion, there is incredible value in sharing these lessons with each other.
From my early days as a security leader, I had to learn many things the hard way: doing metrics by spreadsheet, creating strategic plans manually via PowerPoint, and building relationships one meeting at a time.
Blue Lava helps consolidate these lessons learned so we as a community can share tips and best practices to build our security programs and enable our businesses.
Below is a sampling of some of the CISO lessons discussed during this Blue Lava MasterClass:
Solving business problems: Get out of your own CISO wheelhouse and break free from the noise to focus on what really matters: your program exists to help the business solve problems.
Shaping strategy: Strategizing in isolation will result in an ineffective security and risk management program and will produce the opposite business results desired.
Mastering your message: It’s important to remember that nobody likes to be told “no” about their project launch or service delivery – you must connect your security message to the business value behind your message.
Creating credibility: Even if your message is on point, if it is delivered without credibility it will almost certainly land flat with the intended recipients – share your view regularly with stakeholders and speak to the business benefits with conviction.
Championing change: Focus on building relationships so “security champions” can assist you in achieving your program’s objectives in support of fulfilling the company’s goals.
Let’s also remember not to lose the lesson. Not every lesson will directly apply to everyone: different businesses in different industries with different cultures and different budgets … all have a unique method to identify, assess, mitigate, and control risk. This doesn’t mean lessons from others aren’t applicable and should be tossed to the side. Instead, it just means that the nature of the lesson must be tailored to meet your own unique environment – which also comes back to your own perspective, that of your team, and your company.
These topics are critical and warrant additional discussion. So, we’ll be exploring these a bit more with Jon Oltsik from Enterprise Strategy Group (ESG) in our upcoming webinar this January. To be notified when registration opens for this event, follow Blue Lava on LinkedIn.
Laz has 30+ years of industry experience, is a 3x CISO, the Co-Founder of Blue Lava, and a globally recognized authority in Information Security. He welcomes your feedback and can be reached at: laz at bluelava dot io.