Opinion: A better way to CISO (with A better CISO mindmap!)

Introduction

I’m excited for this one! I’ve been working on this security mind map to capture how I think about security for some time. If you’re just here for the mind map, you can jump to the end. I encourage you to share and use the mind map to create a dialog. I create content not to imply there is an absolute right, but to create discussions that help us all get better!

Background

When there is transition there should be reflection. In context, any time I change roles, move within a company, reach a new quarter or new year I ask a few questions. Why does the CEO, CFO, and board care what I do? What have others in this role done to succeed? What do I do differently, both positively and negatively?

Over the last two months I spent a lot of time thinking on these topics. As I wrote down everything in the CISO domain, and looked at how other folks organize thoughts, I felt that most of the conversation and mind maps seemed tactical. Those methods may work for others, but I want to share what I felt better represented how I think.

Let’s start at a high level and work down to the mind map.

How I think about the office of the CISO

My opinion? A CISO has three jobs:

1. Understand technology, data, and how it applies to the business. Advise on the use and how to take advantage of technology and data.
2. Understand legal, operational and strategic risk of technology and data and how it applies to the business. Govern the risk.
3. Understand the cultural undertones, social expectations of privacy and applications of technology, and how that applies to the business. Advise and lead the business.

The most time in a given day is spent on governing risk, the second bullet. The other two bullets deserve their own articles, which are in the works and will come separately. The mind map and the rest of this article will focus on this primary day to day risk management.

Risk Domains

Before building a mind map of functional areas, procedures and controls, we need to understand the risk to be managed. At the highest level a breach of confidentiality, integrity, or availability of information systems or data, would lead to one or more of the following risks.

• Strategic risk
  Long term financial impact to the business from strategic / competitive forces . For example, a breach leading to IP losses allows market competitors to compete more aggressively or evenly.
• Legal risk
  Financial damages incurred from breach of contract or breach of regulations. For example financial penalties for violating HIPAA.
• Operational risk
  Financial damages from downtime or inability to deliver goods or services to customers. Example: Operational technology or customer facing applications are impacted by ransomware causing down time.
• Reputational risk
  Financial losses from brand damage. The most difficult to measure. Example: Customers choose one service provider over another because of a history of data breaches.
• Lack of innovation risk
  A secondary risk domain for a CISO, loss of market share to a competitor due to stagnation in technology adoption.
• Theft risk
  Losses from theft, typically physical.
• Employee error risks
  Financial losses, for example, from employees deleting data needed to deliver on a service.
• Physical risk
  Losses associated with lack of productivity or outages from physical threats. Example, flooding creates an inability for employees to work.

Risk governance framework / Information security life cycle

Second to a list of risk domains, we need a governance framework. The most common framework referenced is the NIST information security life cycle model with five phases: Identify, protect, detect, respond, recover. I actually prefer a seven phase model. I think certain activities do not receive enough prominence in the NIST model. For instance supply chain and third party risk programs are risk avoidance processes. You will see in the mind map, this creates a better framework for breaking out work into an organizational model.

 

• Understand and Govern
  Document and work with each business leader, and business unit, to understand the risks, what is acceptable loss, legal compliance requirements and operating market requirements.
• Quantify and Qualify
  Create metrics and determine how the board and the CISO will measure success. Understand other team and business metrics including financial, and your impact on them.
• Avoid
  Create processes and implement controls to avoid risk where possible.
• Prevent
  Create processes and implement controls to prevent a non-avoidable risk scenario from causing damages.
• Detect
  Create processes and implement controls to detect where avoid and prevent doesn’t work.
• Respond
  Create processes and implement controls to act when a detection causes concern for material damages.
• Recover
  Create processes and implement controls to maintain the integrity of the business to be resilient during a risk event (Cyber, Physical, or other).

The CISO Mindmap

With this framework, we can manage our risk domains. Thinking in these terms It’s easy to map process and technical controls to a phase, and then create teams, projects and tasks for each functional area. 

Below is the mind map I created that does just that. I looked at controls, processes and industry standards that we use to manage the above risk domains, mapped each to the risk governance model /framework and created an organizational structure overlay. For small businesses one person may have to manage all of this, or it may be one person per “team”. No matter the size, this framework can be used. (See the Dynamic & zoomable mind map here.) 

 

If this is helpful and enough people enjoy the framework, I will work on a second to map control standards to the framework, maybe ISO 27001. Drop a line and let me know if this was helpful!

Thanks for reading!