TL;DR: Security, if leveraged and led properly, should help drive your business and increase speed of delivery. Listen to your security leader to identify opportunities and risks, and determine how you will use that information to be the best.
Tag Archives: CISO
Security’s Evolution: From “No” to “I Told You So” to Your Strategic Oracle
TL;DR: Security a few years ago was known as the “Department of No!” As security evolved into a true risk management discipline learning about the business and its risk appetites, it gained insights across the organization. The insights gathered led to organization-wide intuitions. When ignored, the intuitions turn into “I told you so”, but those intuitions can instead be leveraged as a significant business advantage if security has the opportunity to collaborate with the business.
Where does the CISO belong?
TL;DR: One of the most common questions I receive is “Who should the CISO report to?”. My answer is “it depends and there is no universally right answer.” However, there are definitely failure modes that need to be avoided if the security program is going to succeed.
A survey of CISO archetypes
TL;DR: Understanding your company’s risk profile and security goal is key to finding the right CISO. CISOs come in all types and flavors and have different areas of specialization. There’s a good chance that the CISO who is good for you now as a young company will not be the right CISO later unless they also adapt.
What’s In A Security Program?
TL;DR: This post is long and there’s no way around it; security is complex and varied. Fundamentally, security breaks down into 8 verticals covering everything from physical security to privacy to engineering to incident response. Don’t expect one person to get it all done, and be concerned if your CISO doesn’t have something to say about each of these.
So You’ve Decided to Hire a CISO….
TL;DR: Organizations start security programs for a variety of reasons, but often have motivations that may limit the success of the security program. Keep in mind that the business needs a security program covers on day one will likely be very different from the needs it must cover as the company evolves; companies and their security leaders have to be ready to adapt. Finally, security is far more complex than most would imagine. The breadth and depth can be daunting even for experienced security professionals, let alone those who are not responsible for security.