There are some very tough questions I’ve come across in my time. How does one walk into Mordor, if not simply? Why isn’t there a special name for the tops of your feet? (Credit to Lily Tomlin for that one.)
For a security leader, the toughest questions are often around security buy-in: How do you achieve active support across the organization for building resilience? Is there a way to overcome legacy systems, and perhaps even more crucially, legacy mindset?
To help answer those questions, three experts recently joined me for a live Cisco Chat. They offered context and insights into how a security leader might want to approach this scenario.
Meet the experts
I was joined by Liz Waddell, Incident Response Practice Lead at Cisco Talos, who’s often there at ground zero for data breaches, helping teams put out fires in remediation. She’s also been instrumental in shoring up network resilience for our customers in Ukraine.
Also joining us was “Accidental CISO” (AC), a Chief Information Security Officer who was just trying to get SOC2 and ISAC certifications for a vendor when he was abruptly named CISO of his organization.
And finally, Christos Syngelakis, CISO and Data Privacy Officer at Motor Oil Group. We asked Christos how he was able to align security resilience considering the digital transformation.
Our experts gave us their top four tips for getting the buy-in of the business when it comes to security resilience.
1. Lead with, “How can I make your life easier?”
To get company-wide buy-in, we need to approach IT decision-makers with the mindset of making their lives easier. As Christos says, “You must be blended with the business mindset and understand what they really need.”
Accidental CISO (“AC”) adds, “Then you can implement tools and processes that also happen to address security risks, but that first and foremost are going to make everyone’s lives easier.” After that, he says, you rally support to help solve those problems by leveraging key relationships, and become an advocate for improving conditions from their perspective.
AC went on to give an example of a methodology that worked in his organization – “Happy Path Thinking.” The general thought with this approach is that other groups in the organization know their areas better than any security team ever will:
“Labelling happy path thinking was very helpful to get the organization to step back and consider what doomsday scenarios would wreck their plans and make it impossible for them to operate.
“We established standard design patterns and team norms to mitigate those doomsday scenarios. And we did this with input from across the business – engineering, product management, the development team infrastructure, customer support, and other groups.”
AC went on to talk about the gamification aspect of happy path thinking, and the importance of creating a safe space to do it:
“We turned it into a fun game. It was never personal in any way – we used objective neutral language. People didn’t end up feeling attacked when assumptions were challenged because the whole purpose of this was to try and think of risks that would blow up their entire thinking.
“The consistency of doing these exercises, and the creation of the safe space, were both crucial. We wanted to ensure that somebody who was not a developer could still make a suggestion. And nobody was going to tell them to stay in their lane. For example, the customer support team gave us valuable insights, because they are the ones on the frontlines.”
2. Identify the key relationships you need
It’s all about people. Contextualizing security in the realm of human problems, solutions and lifesavers is what gives our solutions relevance in the eyes of the humans that run these businesses, and allows us to get out of our own way.
This is best accomplished by getting to know the people with their “boots on the ground” – they’ll let you know where the weak spots are. “People think C-levels are most important (CISO, CIO, CFO), but the most effective relationships were at manager/director levels,” says AC.
“They own the day-to-day implementation of the controls, processes, and business operations in general. Working closer to ground-level let me better understand how the business worked and how to solve their problems and manage risk at the same time.”
Ultimately, security resilience buy-in comes when you can get out of your own way. As Christos put it, “you must give them a safe way to do what they already want to do.”
3. Align your Business Continuity Plan and your Incident Response plan
Liz made the point that “The best Business Continuity plans have the roles and responsibilities marked out very clearly.” She then reflected on her onsite visits with customers:
“One of the things that I’ve often noticed is that it’s rarely made clear where the handoff is between your incident response team and whomever is managing your Business Continuity and Disaster Recovery (BCDR) plan.”
For many organizations, the IR team and the BCDR team are separate. Liz pointed out that these organizations may be missing an opportunity for alignment:
“We want to make sure that that handoff/partnership is going to be aligned in the best possible way. And that typically comes down to who is making your business decisions.
“For example, who has the authority to say we’re going to shut off the internet? That’s a pretty big call. Are we going to do an entire enterprise password reset, and what does that involve?”
What’s crucial here is that the inputs that are developed during the BCDR plan can often be applied directly to your incident response plan.
4. Have “slow and steady” expectations
In security, we often lean on the adage, “it’s not a sprint; it’s a marathon.” Christos cautions, “Do not be disappointed. Keep trying to push the environment where it needs to go. It will not turn fast.” This is good to keep in mind: we pride ourselves on results, but they can be slow in coming. It’s also good to remind the organization in question, which might be expecting quick results as well.
Work on making security improvements to your environment every day, and your security posture will grow, Christos continues. You won’t notice a big change from day to day, but when the activities are reviewed, the progress becomes apparent.
It is through constant, diligent, and persistent methods that your legacy systems will improve from their current capabilities to where they need to be to secure the technology of today.
By setting “slow and steady” expectations, you can gain the support of your employees, management, and C-Level for the long haul.
Liz supports this theory: “I always make the joke that we’re not CSI Cyber. That’s not how actual security works. Ideally, you’ll have the infrastructure in place to enable a quick response. But it’s important for the C-suite and those who are making business decisions to understand that sometimes, they’re going to have to wait for an answer, and why that is.
“As the security team we’re going to get you answers as quickly as possible. But understand that we’re also going to need to take a breath and figure out what’s going on, so we can make an informed decision about what to do next.”
“Security resilience is the ability to protect the integrity of every aspect of your business in order to withstand unpredictable threats or changes – and then emerge stronger,” Neville Letzerich, VP of Marketing, Cisco Secure states.
However, improvement is deliberate and methodical, and security needs to find a way it can “fit in” without slowing down progress. The desire for speed, constant advancements, and ever more complex networks, technologies, and platforms requires clear communication and expert execution.
You can check out more in our eBook, Building Security Resilience: Stories and Advice from Cybersecurity Leaders. It covers more firsthand accounts from Liz, AC, Christos and 10 other industry professionals sharing how they built security resilience within their organizations.