CISO Survival Guide: Vital Questions to Help Guide Transformation Success
Blog Article Published: 02/22/2023
Originally published by Google Cloud.
Written by Anton Chuvakin, Security Solution Strategy, and David Stone, Office of the CISO, Google Cloud.
Part of being a security leader whose organization is taking on a digital transformation is preparing for hard questions – and complex answers – on how to implement a transformation strategy.
In our previous CISO Survival Guide blog, we discussed how financial services organizations can more securely move to the cloud. We examined how to organize and think about the digital transformation challenges facing the highly-regulated financial services industry, including the benefits of the Organization, Operation, and Technology (OOT) approach, as well as embracing new processes like continuous delivery and required cultural shifts.
Today we offer tips on how to ask the right questions that can help create the conversations that lead to better transformation outcomes for your organization. While there often is more than one right answer, a thoughtful, methodical approach to asking targeted questions and maintaining an open mind about the answers you hear back can help achieve your desired result. These questions are designed to help you figure out where to start and where to end your organization’s security transformation. By asking the following questions, CISOs and business leaders can develop a constructive, focused dialogue which can help determine the proper balance between implementing security controls and fine-tuning the risk tolerance set by the executive management and the board of directors.
To start the conversation, begin by asking:
- What defines our organization’s culture?
- How can we best integrate the culture with our security goals?
CISOs should ask business leaders:
- What makes a successful transformation?
- What are the key goals of the transformation?
- What data is (most) valuable?
- What data can be retired, reclassified, or migrated?
- What losses can we afford to take and still function?
- What is the real risk that the organization is willing to accept?
Business leaders should ask CISOs and the security team:
- What are the best practices for protecting our valuable data?
- What is the business impact of implementing those controls?
- What are the top threats that we need to address?
CISOs and business leaders should ask:
- Which threats are no longer as important?
- Where could we potentially use spending for more cost-effective controls such as firewalls and antivirus software?
- What benefits do we get from refactoring our applications?
- Are we really transforming, or lifting and shifting?
- How should we perform identity and access management to meet our business objectives?
- What are the core controls needed to ensure enterprise-level performance for the first workloads?
CISOs and risk teams should ask:
- How can we use the restructuring of an existing body of code to streamline security functions?
- How should we monitor our security posture to ensure we are aligned with our risk appetite?
Business and technical teams should ask:
- What’s our backup plan?
- What do we do if that fails?
Practical advice and the realities of operational transformation
Some organizations have been working in the cloud for more than a decade and have already addressed many operational procedures, sometimes with painful lessons learned along the way. If you’ve been operating in the cloud securely for that long, we recognize that there’s a lot to be gained from understanding your approaches to culture, operational expertise, and technology.
However, there are still many organizations that have not thought through how they will operate in a cloud environment until it’s almost ready – and at that point, it might be too late. If you can’t detail how a cloud environment will operate before its launch, how will you know who should be responsible for maintaining it?
Who are the critical stakeholders, along with those responsible for engineering and maintaining specific systems, who should be identified at the start of the transformation? There are likely several groups of stakeholders, such as those aligned with operating the transformation and those focused on designing cloud controls that fit how operations actually work.
If you don’t have the operators involved in the design phase, you’re destined to create clever security controls with very little practical value because those tasked with day-to-day maintenance most likely won’t have the expertise or training to effectively operate these controls.
This is complicated by the fact that many organizations are struggling to recruit and retain resources with the right skills to operate in the cloud. We believe that training current employees to learn new cloud skills, and giving them the time away from other responsibilities, can help build skilled, diverse cloud security teams.
If your organization continually experiences high turnover in security leadership and skilled staff, it’s up to you to navigate your culture to ensure greater consistency. You can, of course, choose to supplement internal knowledge with trusted partners – however, that’s an expensive strategy for ongoing operational cost.
We met recently with a security organization that turns over skilled staff and leadership every two to three years. This rate of churn results in a continual resetting of security goals. This particular team joked that it’s like “Groundhog Day” as they constantly re-evaluate their best security approaches yet make no meaningful progress. This is not a model to emulate.
Many security controls fail not because they are improperly engineered, but because the people who use them – your security team – are improperly trained and insufficiently motivated. This is especially true for teams with high turnover rates and other organizational misalignments. A security control that blocks 100% of attacks might be engineered correctly, but if you can’t efficiently operate it, the effectiveness of the control will plummet to zero over time. Worse, it then becomes a liability because you incorrectly assume you have a functioning control.