Security Experts:

CISO Perspective: Overcoming "No" Fatigue

CISOs Need to Support Their Peers and Businesses Goals Instead of Just Trying to Achieve Their Own

CISOs are notoriously disliked. Trying to protect company, customer and employee data often means having to say “no” to new projects and implementations. This does not earn you many friends. The CISO is not doing this because she likes saying “no,” she’s legitimately trying to do her job. Most of these projects and implementations were not well thought out from a security standpoint - there is no security built into the design or process - thus the CISO is left with no choice, but to say no.

And so it goes - the CISO walks into a meeting and you can feel the aggression, people are ready to fight, they know she is going to say no. From the top to the bottom, no one wants the CISO involved in a project...ever. This is why the average tenure of a CISO is only a few years - they literally suffer from “no fatigue” and quickly burn out. Is there a way to overcome this? I have firsthand knowledge that there is.

CISO Saying NoWhen I started with TiVo, security was inside the IT organization without any external visibility. By the time I left, I was meeting with the CEO, reporting to the board, and participating in executive meetings. We were able to transform the organization by changing the way it looked at security, and reshaping security practices that had been in place for a decade. It goes without saying that this transformation didn’t happen overnight.

The first step was to identify the risks to the business and prioritizing those risks. Part of identifying the risks is learning the goals of the business, the product direction, and the needs of the teams. The next was making sure that I remained one step ahead of these needs. That meant working with my peers - all of the other functional teams - to help them meet the security requirements we had outlined. It was important to not just mandate requirements and make it the team’s problem to meet those requirements, nor to make the requirements so complicated and overreaching there was no way they could succeed. We had to work together to find the solutions for the tasks at hand. Once we did this, we increased buy in and were able to gradually increase security measures, and ultimately decrease both our risk as well as work loads across the board.

It may sound logical, but it’s not simple or easy. As organizations and their employees adopt new technologies faster and faster, the CISO is in an increasingly challenging position. The technologies that we all use to do our job no longer require integration, they can be purchased and implemented quickly by an individual user - BYO-anything - increasing the number and speed of requests while reducing the window of time the CISO has to build, or even think about a solution. It’s no wonder that the CISO gets overwhelmed and defaults to “no”.

The CISO is not alone in this. Despite the fact that insurance companies, the government and the military had all proven this years ago, it took our industry a while to realize that security wasn’t absolute, it was risk-based. For a long time, we as an industry spent time trying to protect everything when we should have been focused on what was most important. Someone in the US Army Special Forces once described his job to me as “protecting the noun” - the person, package, etc. that really mattered. This makes sense in business as well. Instead of mitigating every risk, increasing the number of rings of security, we need to make sure that the ring is where we need it most - next to the thing that really matters to the business.

Mobile Device in EnterpriseThe evolution of BYOD is a good example of the importance of protecting the noun. With mobile security we started off by looking at how to secure the whole device and ended up with an approach to fully lock it down. Once BYOD took off this was no longer acceptable for end users; however many organizations never reevaluated their strategy. As a result they continued to say no to users, who continued to go around the bounds of IT. The result: unsecured corporate data. At the end of the day, the noun that we need to protect in mobile is “data”.

There are some CISOs out there on the cusp of progress who are trying to push progress forward in the organization. Progressive CISOs are the ones that earn respect at the executive table and are trusted by their peers. When they do have to say no, it’s heard and it’s respected because their peers know the CISO has the company’s best interest in mind.

Unfortunately, most CISOs are not here yet. For the CISO trying so hard to play catch up that she never looks forward, stepping back to look at where the business is going, and whether or not you are doing the right things to meet the needs of the business and manage risk, is no easy feat. It goes against everything she’s learned. But once she learns to step back, she will start to see patterns, and from there, can focus on protecting the things that matter.

When you talk about being in line with the business, most of us still don’t know what that means. We don’t realize that means that we have to step back from our own agenda first to understand the company’s goals and the goals of each of our peers, and ultimately determine how we allow them to conduct business securely. The key to success is conduct business the primary goal, and conducting business securely the secondary goal. How do you do this?

Step away from your own agenda and be open to the agendas of your peers and of the business. For the passionate CISO wanting to do a good job and protect everything, this is not easy. However, if you find out what the company really cares about and understand the true risks to the business, you’ll be most effective and successful.

Prioritize. You can’t do everything – you can’t address every risk. No matter how many people you have on your team, it’s just not possible. Prioritize the biggest risk to the noun (what’s most valuable to the business) - not the theoretical risk, not the newest risk you hear about in the media, but the risk to the organization - and start there. Don’t get frustrated. Or try not to, anyway. This will take time, lots of time. It is not a fast process. It takes a minimum of two years to make headway. After all, you’re trying to change company culture. In the meantime, do what you can for your cross-functional peers and focus on building relationships with them. In order to achieve success, CISOs need to support their peers and businesses goals instead of just trying to achieve their own.

view counter
Adam Ely is the Founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led security and compliance at TiVo and held various security leadership roles within The Walt Disney Company where he was responsible for security operations and application security of Walt Disney web properties. Adam is a CISSP, CISA, NSA IAM, MCSE and holds an MBA from Florida State University.