Last week we spoke with the originator of the “Virtual CISO” concept, Barak Engel, for a thought leadership profile and review of his upcoming book, The Security Hippie (to be published by Routledge in 2022). His upcoming book follows his previous title, Why CISOs Fail, which earned a spot in Palo Alto Networks’ / The Ohio State University’s prestigious Cybersecurity Canon project as a leading text on the topic of information security management.

It turned out our conversation contained two articles' worth of security wisdom.
Barak is the Founder and Chief Geek of EAmmune, a boutique information security firm with a proven track record of advising, developing, and implementing security programs tailored to all sorts of organizations’ individual needs. Clients are enabled to efficiently manage risk, achieve technology objectives, and meet their compliance obligations efficiently and with the minimum possible business disruption. The goal is to help each organization derive the greatest business value from its information security investments.
Two decades ago, security was the four-letter word no one wanted to learn and the CISO was barely distinguishable from the physical-security-oriented CSO, says Barak. There’s been progress, but information security and the CISO position remain, respectively, an immature industry and an emerging job title lagging behind the parallel rise of IT and the CIO by about 20 years.

CISOs have a lot to learn from their CIO counterparts. In the 1990s, the CIO advanced to a high perch in the C-suite by becoming a bridge between IT and the surrounding business departments. Reaching such elevated status will require CISOs to likewise heighten their business awareness and communication skills. If we're carrying the countercultural metaphor to its conclusion, CISOs must learn to open their third eye and see infosec holistically, in a way perhaps similar to the self-actualization Robert Pirsig described in Zen and the Art of Motorcycle Maintenance.

In this follow-up article to our thought leadership profile, Barak shares 8 insights into how CISOs can take infosec leadership to the next level.
“If you've never taken a psychology class, take psychology 101. That is the most important class you will ever take, more than any technology class, more than any business class. Learn how humans operate, and understand people.”
When large companies want to hire a CISO, Barak advises them to look for someone with at least some P&L business experience. No matter how impressive their technical CV is, business experience helps CISOs speak the CEO’s language. The goal is to create growth and revenue, not achieve the unachievable Platonic ideal of 100% security. CISOs must be able to see information security holistically within the context of the business.
Data classification can set the tone for a security system. It's also an exercise in business leadership.

“The one rule to rule them all in data protection is really, really simple: Don’t store sensitive data where it isn’t absolutely needed.”

From there, the CISO must trust in the judgment of executive management, who should have discretion over how their data is classified, not the CISO. If management deems information confidential or secret, great. Otherwise, the information can be assumed to be free for internal use. Some CISOs blanch at the idea of sensitive data being accessed and shared throughout the organization, because they don’t trust management to make that call. This fundamental mistake can alienate the information security team.

“Do you think data sharing is not actually happening regardless of your data classification policy? I'll tell you what's also happening: when the CFO and the CEO get together for mergers and acquisitions discussions with a potential buyer, I guarantee you 1000% that you, the CISO, will not hear about it unless they think that you'd need to be brought into the conversation. In fact, nobody will hear about it because it's very sensitive information. They're fully aware that it's very sensitive information and therefore they treat it as very sensitive information. See, we humans are very, very good at understanding what really matters when it comes down to it.”
As with data classification, Barak urges CISOs to be more zen and less micro-managey (my words, not his) about audits. The purpose of SOC 2 audits and ISO 27001 certifications, explains Barak, is to cover your backside in the event of a breach and to assist commerce. Hire a vendor who can provide you with a SOC 2 audit report and move on, he advises. If you do your own audit of the vendor's audit report because, say, you don’t trust the audit firm, you are wasting everyone’s time. You can barely manage your own security department, much less the dozens of other vendors you work with as well. It’s a rabbit hole Barak dissuades CISOs from jumping down.

“This is where my hair starts falling out… My question is: what are you trying to achieve? The entire purpose of this mechanism, this ISO 27001 certification and the SOC 2 audit, is to smooth the wheels of commerce to make it easier for you to allow that vendor to sell you their services. That's what it is. Therefore, let's not pretend that it's anything beyond that. The purpose is to help us with the issue of commercial liability in our contract and move on.”
Breaches are an inevitability. It’s asymmetric warfare, says Barak, and if someone wants to hack you they eventually will, no matter how powerful your defenses. But a data breach crisis should be embraced as a CISO’s career-defining moment. The job of the CISO, said Barak, is to be the calmest voice in the room during a breach. It’s their time to shine. Everyone will take their cues from the CISO’s reaction, and madly barking orders invites panic.

He shared a story in Security Hippie where he was at a conference and got a call that a system he had helped design the security for was being breached.

“I wrongly assessed the incident as it was developing and I could have been fired for that alone, let alone considering that it was my design! But the relationships we’d made with the organization really held it all together, and it led to a really cool situation because the program we designed was really resilient. So we discovered the issue as it was unfolding and it led to this extremely rare event, one that really almost never happens, where we have this red-team-blue-team exercise unfolding in real life. But the red team was an actual professional hacker group and the blue team were the poor IT people in that organization fighting for control of our systems over a period of several days. It was insane, but we came out of it OK.”

Sidenote: the guardian of the gate, referenced in the previous article, would have gotten fired. But a business-minded CISO, who’s learned the CEO’s language and built the right relationships, may well persist. They will have conveyed how this job really works—that it’s asymmetric warfare and that breaches happen—while gaining long-term management support.
“When you’re in this leadership position, everybody’s looking up to you to come up with solutions to all these problems. But if you don’t really understand what they’re saying about the business, then what happens is you start feeling this imposter syndrome and seek out vendors for the answers. It’s a very unhealthy dynamic. As a result, security management becomes vendor driven. There are 20,000 vendors all telling you they know what’s wrong and how to fix it and they are all selling their solutions as silver bullets to a multi-billion-dollar problem. But they can’t know your business better than you and the CEO. And by the way, if you aggregate all of their claims on the back of a paper napkin, you 'realize' that the security industry is apparently worth about three times the size of the total global GDP.”
The board is required by the SEC to listen to a CISO’s risk report, even if it’s terribly boring and business-irrelevant. Rattling off how many bugs were fixed last quarter over 15 slides will get the board to nod their heads and say, “Atta boy, now get the hell out of here and let the rest of us talk about the business.” Security risk contains a compelling narrative that can be communicated in business terms to the board. But how?

Barak identifies the right cross section of stakeholders in an organization and talks to them. They aren’t necessarily leaders and management; he calls them “the insiders.” They’re the people who have engineered the systems and processes since the beginning. They’re the admins who know all the dirty secrets of half the executive team. Their insights propel a grand risk assessment narrative.

“We talk to them and explain what we’re doing, and say, ‘Hey, just tell us what comes to your mind. What keeps you up at night? What are the things you want to tell us? What’s the dirty gossip?’ And then we apply our methodology with the goal of … building a mirror that reflects back to the organization what it thinks about itself in a neutral way. We take multiple inputs and coalesce them into a single risk description, but it’s very business oriented. While it generates the required spreadsheet risk register for ISO 27001 compliance or whatever the case may be, it’s so business oriented you could literally write it in narrative form. I think it’s a much more powerful way to communicate risk to any stakeholder.”
Barak has enjoyed turning security-neutral-or-downright-hostile employees into cybersecurity champions by working with them as individuals. In our conversation, he shared a story not in Security Hippie about a virus his team found in an organization that would repeatedly start from the same source in a small team and spread. It turned out one team member had become curious about what would happen if he clicked on the malicious link and turned off his antivirus.

After a shocked silence, Barak laughed it off and instructed his IT team to build the employee a safe computer sandbox and let him play with viruses. The employee loved it! He became something of an adjunct professor of cybersecurity from his sales role, explaining cybersecurity to his colleagues and building awareness. It’s an outstanding (albeit hard to scale) example of customizing training to individual skills and interests, and of nurturing awareness rather than punishing failure.

And yet… “trick-or-treat” security awareness training is still far more trick than treat. Barak gets animated over the subject of punishment-based cybersecurity training programs.

“So you're telling me that your clever way to increase security awareness is by tricking people, and then making them feel bad about the fact that they were tricked; and now they are going to love the security department? That's basically what you're saying with these phishing exercises. Okay. All right. Interesting premise. The reality is that most people hate security because security makes them hate them. That’s not a people problem, it’s a security problem. Nobody cares to listen to security people because security people never crack a joke. They always walk around with this dour face telling you you're not allowed to do this and that and how bad your behavior is. I mean, seriously, we don't like hall monitors and that's what most security people's style is.”

(Editor’s note: Nodding and fist-bumping.) We at Hoxhunt agree, Barak. And we do our darndest to offer a customized, positive alternative that actually elevates the infosec team.