I’m pleased to offer an excerpt from the book Becoming a Global Chief Security Executive Officer: A How to Guide for Next Generation Security Leaders, by author Roland Cloutier and published by Syngress. Cloutier is Vice President and the CSO of ADP, in addition to being active in industry development and serving on several private advisory boards, including ADP’s board representative for the National Cyber Security Alliance Council.
This section from chapter three outlines the primary role of the chief security officer. The book is available on Amazon and other online publishing websites.
The CSO and Their Role
There is no doubt that the CSO role has significantly developed and expanded in the past decade. From technology, to convergence, to legal considerations, the security executive requires broad, career-focused technical acumen across a large set of service areas while still serving as a business executive supporting the organization’s goals and strategies and managing his or her business of security.
No matter how the position of the CSO develops, there are some basic fundamental concepts and requirements of which each senior security executive should be aware. This section of the chapter touches on some of these critical concepts to create a baseline expectation to be used when thinking about how you lead, how you manage, and how you drive your own organization.
These expectations are not just assumed practitioner requirements; they are the expectations of your business in how you carry out and assume these responsibilities, which determine the success you have within your position.
In a search of any generic explanation about “security” or a similar service, the word “protect” most often is associated – and for good reason. I often respond to messages of thanks with a simple phrase: to protect and serve. Although a bit tongue-in-cheek, there’s a lot of reality to that statement. As a chief security executive, your primary duty is to protect. Certainly, one can argue that your job has many more functions – as it most certainly does – and will continue to grow in the future. But that word “protect,” that duty of care, the fundamental necessity to protect from harm, is by definition the primary goal of your position. Prevention of negative impact events against people, businesses, economies, technologies, and markets is why our jobs were created.
When establishing some ground rules about how we protect, security practitioners can take their cue from ancient Greek science that is still in use today by doctors who take the Hippocratic Oath. The Latin phrase primum non nocere has been a consistent part of that oath for centuries, and loosely translated it means “do no harm.” There is a lot of wisdom in that statement, and for years it has been studied as a part of governmental rule, societal management, and the advancement of human studies. For our purposes, the principle of “do no harm” should serve as that voice in your head on a daily basis that guides you in delivering your services to the business every day. It has been the downfall of many great practitioners when they become so focused on accomplishing the mission, destroying the bad guy, driving absolute defense, that they forget that their principal actions should be to enable the organization, not to reduce, restrict, or inappropriately constrain it in any way. So, to start off this conversation on how to protect, this is a reminder to be diligent and ensure you don’t cause more harm by overprotecting.
Before you get all charged up and start running out to protect, you need to think about what you are protecting. When I asked some new CSOs what they thought they were protecting, I was surprised by the wide variety of answers I got but was encouraged by not only the inward look but the outward look of what they understood was at stake if they did not do their job. Broadly stated, in most cases, CSOs are focused on protecting people, assets, infrastructure, and technology. Of course, there are wide definitions associated with these. Take assets, for example. An asset can be a digital asset, such as intellectual property, or a financial instrument, such as a currency or trading document. An asset can be a building, a campus, or a supertanker. Your job is to understand which assets need protecting and exactly how to protect them.
In each of these areas, the key to knowing how to protect each one is understanding the downstream residual impact of not protecting it. In one of my previous commercial jobs I worked for an electronic manufacturing company that provided storage technology for just about every Fortune 500 company and government agency in the United States. At times, my decisions were not predicated on the immediate consequences for the company I served, but rather on what would happen if I did not successfully protect against the issue and allowed a situation to occur that could have developed into a negative impact event affecting the technology and the structure of all of those companies and government agencies. What would that impact be? How would that affect the economies and societies we supported? These types of questions often help drive a clearer definition beyond the “what is the risk to my business?” concern and support the creation of priorities based on the downstream residual impact of your business threats.
In the end, you will find that you have many things to protect. Your programs will all align to the eventual strategy of defensive operations for the prevention of harm to your business or agency. It is up to you to create that broad picture, that canvas by which your own teams will operate. By understanding your business, the environment in which you operate, and the threats associated with it, and by prioritizing your efforts to address the most critical issues facing your business, whether external or internal, you will be well positioned to protect now and in the future.
Preventing things before they happen is, of course, the desired outcome of anyone in our business. Bad things do happen, however, and as your company’s senior-most security expert, you will be seen as the chief responder, the bad things know-it-all, and you will be held accountable for preparing your company, your organization, and yourself to lead through a crisis.
In the pure sense of the word, not everything you will respond to will be a crisis. In the eyes of those you serve, however, every issue will be a crisis. Taking away labels, frameworks, and everything else associated with business resiliency and crisis response, the point here is that you need to be (and will be expected to be) the rock of any type of crisis at your business. During critical times, businesses need an authoritative anchor to help sort out the process of responding, remediating, and moving forward. Critical incidents are so broad that when one is not strictly business-related (e.g., a product failure, a brand issue, a client support issue) the business turns toward the leader who should be most capable to manage them through the crisis. That would be you.
Don’t mistake knowing how to manage a crisis with knowing how to fix everything or know everything about everything. The secret of crisis management is knowing the practitionership of crisis handling. It can be argued that the same crisis response protocol can be used just as easily for a fire in one of your buildings as for a data center outage at a third-party vendor site affecting your go to market. In fact, the most mature crisis management programs incorporated in governments follow the same standards and protocol developments formulated from a program originally designed for forest fires, now referred to as the National Incident Management System (NIMS). The figure below is an example of the NIMS crisis management architecture and associated functions. Notice that the descriptions are fairly general, and all serve specific functions. Your job is not to manage all those functions, but rather to ensure leadership is assigned and trained in each of those areas. Consider becoming certified in a national or global standard of crisis management. This way, when bad things do happen, and when the business does call, you will be prepared to execute appropriately.
Inevitably, to call in a crisis, you need a 911 operator; rest assured that is you as well. Part of your crisis preparation must be understanding how to qualify issues, route issues, and escalate them as needed. The business needs you to help it solve and manage these issues, and you must be prepared to support it by doing this. Being prepared ahead of time by setting up simple processes and infrastructure to support this “911 function” puts you well on your way in meeting the business’s expectations.
There are three basic things to consider when preparing to be that 911 operator:
Methods to Report: The most important thing that you must be able to provide to your business is a capability to get information to you. Whether it’s a centralized telephone number, a messaging service, an email address, a web portal site, or smoke signals, ensure you create a sustainable capability, inform the business of it, and train your people on how to operate it. Depending on the type and size of your business, there may be multiple avenues for reporting critical incidents and issues, from automated alert notifications to more basic technologies. By understanding your business, who needs to report, the best way for them to report, and even regional considerations, you will be better prepared to design systems, mechanisms, and processes to get information when it’s most critically needed.
Notification and Escalation Mechanisms: Once an emergent issue has been reported, your processes must require that you have a capability to get the word out as part of your incident and crisis management capabilities. There is an infrastructure part to this, and there’s a process development aspect. The process development requirement is understanding to whom and when to escalate. For different incidents and crisis types, different people have to be notified. In diversified businesses this often means that each one of your business units has its own requirements as well. Sometimes it’s the entire company; in other types of emergencies it’s a single building; and during certain events the notification may be your only way of alerting the crisis team to an escalation – that is the what. The how is a little different. Once you make certain decisions and have preplanned escalation and notification sequencing, you need a mechanism to deliver those messages. Again, these can be as simple as emails or manual telephone calls or as complex and integrated as automated messaging systems for SMS, phone, or web-based technologies.
Issue Classification and Handling Index: The last area of basic preparation for getting that “911 call” is to be prepared with a simple handling index for different types of issues. Applications and technologies that automate this for you are certainly available, but you can start simply by listing all the possible, potential, and probable types of incidents you may face based on the type of company or agency you are, prioritizing them by probability and severity, and populating them with data such as who is responsible for managing that type of incident, who needs to be notified, and other routing, notification, and escalation information. Of course, this gets more complex as you take on the responsibility for more sites, more business units, and more geographies, but the premise is the same. Know who will be calling, what they could potentially be calling about, and whom you have to call to get the ball rolling.
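As an added illustration (not from the book), the following Python sketch puts the three preparation steps above into one small handling index: incident types ranked by probability and severity, an owner and immediate notification list per type, a per-business-unit overlay, and time-based escalation to the next tier. All incident types, ratings, roles and thresholds are constructed placeholders, not anyone's real routing data.

```python
"""Constructed issue classification and handling index for the '911 function'."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IncidentType:
    name: str
    probability: int         # 1 (rare) .. 5 (frequent), constructed rating
    severity: int            # 1 (minor) .. 5 (catastrophic), constructed rating
    owner: str               # role responsible for managing this incident type
    notify: tuple            # roles told immediately when a report arrives
    escalate_to: tuple       # roles added once the issue sits unacknowledged
    escalate_after_min: int  # minutes without acknowledgement before escalating

    @property
    def priority(self) -> int:
        # Simple probability x severity score used to order the index.
        return self.probability * self.severity


# Constructed index; a real one comes from your own threat and site analysis.
HANDLING_INDEX = {
    "data_breach": IncidentType("data_breach", 3, 5, "CISO", ("Legal", "Privacy"), ("CEO", "Board"), 15),
    "building_fire": IncidentType("building_fire", 1, 5, "Facilities", ("Site Lead",), ("COO",), 10),
    "vendor_outage": IncidentType("vendor_outage", 4, 3, "IT Ops", ("Vendor Mgmt",), ("CIO",), 60),
    "phishing_report": IncidentType("phishing_report", 5, 2, "SOC", (), ("CISO",), 240),
}

# Business-unit overlay: extra roles a unit requires on incidents that touch it.
UNIT_CONTACTS = {"Payroll": ("Payroll BU Head",), "Retail": ("Retail BU Head",)}


def ranked_index():
    """Incident types ordered by priority score, highest first (ties by name)."""
    return sorted(HANDLING_INDEX.values(), key=lambda t: (-t.priority, t.name))


def route(incident_type, business_unit=None, minutes_unacknowledged=0):
    """Answer the 911 operator's question: who manages this, and who is told now?"""
    t = HANDLING_INDEX.get(incident_type)
    if t is None:
        # An unlisted report must still have a path; default to the CSO's desk.
        return {"owner": "CSO Operations Center", "notify": ["CSO"], "priority": 0}
    notify = list(t.notify) + list(UNIT_CONTACTS.get(business_unit, ()))
    if minutes_unacknowledged >= t.escalate_after_min:
        notify += list(t.escalate_to)   # escalation tier joins the call
    return {"owner": t.owner, "notify": notify, "priority": t.priority}
```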
The Business Principles
The next critical attribute for the next-generation security leader is business acumen. As a business operations protection executive, you are required to understand how your business works and how it makes money, and be able to articulate how you support that business and enable it to meet its goals.
A crucial part of business knowledge is understanding profit. Another chapter discusses the general details of financial acumen, but the business principles of how profit is derived from the goods, services, or efforts of your organization are the underpinning connectors between all decisions made at your company. Is your business a revenue-focused company or a margin-focused company? If you are a margin-based company, what critical elements drive margin expansion? How is top-line revenue recognized at your company? What are the most critical times of the year around revenue development? These types of questions are minimum barriers to entry if you are truly a business operations protection executive. You cannot possibly begin to assess risk, prioritize threats, and direct your teams to protect the business if you are not even sure of how it fiscally operates.
Another aspect of basic business principles required for the next-generation security executive is to understand the concept of risk versus reward. I’ve mentioned it before and I will mention it again in this book: Your job as a CSO is predominantly risk management. How you identify, measure, and support the business in remediating, transferring, and accepting risk must be based on the profitability and financial implications of the business. This is not to say that risk shouldn’t be addressed because it’s too expensive; rather, we look at risks, their downstream impacts, probability factors, and many other measurements to create a financial risk picture. It is that financial risk picture that supports the decision-making process in context with the holistic operations and profitability of your company. Further, risk needs to be measured and evaluated across all other operations and profitability components of your company, such as research and development investments, service enhancements, workplace enhancements, and expense management initiatives. Sometimes this means that a risk that seems to be very straightforward and have an obvious resolution may not meet that risk-versus-reward threshold needed to move it forward, and you need to accept this. Security risk and privacy issues, although important, are only a component of your business’s operations, and in most cases they are only a minor component in the context of the entire business go to market. Understanding all aspects and priorities of your organization will help you better provide to your leadership the information and data needed in making those risk decisions.
The final component of basic business principles for security executives is the concept that their job is actually to protect the business and not just provide security. Business executives have long lamented that the “security guy” just doesn’t get it, that we are paid paranoids who are incapable of putting security issues in the context of the business they are responsible for every day. Don’t be that “security guy.” By converting your concept of information security, corporate security, risk operations, and the like into business operations protection programs, and by starting to use the language of your business, you will be well on the way to changing the hearts and minds of those in the business. Of course, actions speak louder than words, as discussed throughout this book, and you need to implement business-focused programs that look at the entire business process, prioritize threat management based on business needs and criticality, and immerse yourself in operating business units to learn how they operate and to be able to articulate the services you deliver in alignment with what they deliver every day.