
So You Want to be the CSO by Daniel Blander

Date post: 14-Jun-2015
Upload: shakacon
Transcript
Page 1: So You Want to be the CSO by Daniel Blander

Daniel J Blander

Page 2: So You Want to be the CSO by Daniel Blander

Introduction

Defining Successful CSOs

Our Mistakes

Making the Change

Summary - Q&A

Page 3: So You Want to be the CSO by Daniel Blander

Daniel Blander

• 24+ years in IT and InfoSec

• Application, System, Network, Consultant (and CSO)

• A couple FFLAs

• Organizer of:

• Started as an Architect (buildings)

• Researching & Writing a book “So You Want to Be the CSO…”

Page 4: So You Want to be the CSO by Daniel Blander

“…if you ever touch the keyboard again, you’re fired.”

Page 5: So You Want to be the CSO by Daniel Blander

“Strive not to be a success, but rather to be of value.”

- Albert Einstein

Page 6: So You Want to be the CSO by Daniel Blander

Executive support

Support across organization

Balance risk and business

Effective communicator / “influencer”

Included, listened to in strategic meetings

Enables collaborative problem solving

Page 7: So You Want to be the CSO by Daniel Blander

“No one ever taught us to be influential instead of authoritarian.”

- Eric Cowperthwaite

Page 8: So You Want to be the CSO by Daniel Blander

Professional deference

“We need to force the users to do it!”

“If I were in that meeting I would have told them what their problem is!”

“It’s not my job…it is their responsibility to fix it!”

“The CSO must report to the CEO!”

Page 9: So You Want to be the CSO by Daniel Blander

Trust

Respect

Communication

Collaboration

== Job Search

Page 10: So You Want to be the CSO by Daniel Blander

“Security is about eliminating risk. Business is about taking risk to make money. See how those are a perfect match?”

- @shitmycsosays

Page 11: So You Want to be the CSO by Daniel Blander

Small Company – PCI

Me: You have to fix everything.

Owner: But I don’t see why…that’s a lot of money.

Me: But you have to do it…

Owner: Why? What if I don’t? I take risks all the time.

“I don’t need to go to Vegas to gamble. I gamble with my business every day!”

Page 12: So You Want to be the CSO by Daniel Blander

“We have to accept that it’s not our risk tolerance that matters … It’s the person accountable for the risk at the end of the day. And until you overcome that you’re almost a barrier to what you’re trying to achieve.”

- Chris Hayes

Page 13: So You Want to be the CSO by Daniel Blander

Mistake: Pre-conceived CSO

Success: Enterprise Risk Management

• ERM = Business Risks (macro-risk)

• ERM <-> InfoSec as BCP <-> DR

• Collaborative definition of Risks across the organization

• Business groups own their business risk

• ERM defines role of Information Security – may not be CSO

Page 14: So You Want to be the CSO by Daniel Blander

Chief Risk Officer

• Engineering & Operations distributed to individual owners

• CRO is evangelist, consultant, policy

• Executes as part of ERM group

IT Security, CSO, ISO

• Owns engineering and Operations

• Executes as part of IT organization

Page 15: So You Want to be the CSO by Daniel Blander

“We are born with two ears and one mouth so we may listen more and talk the less.”

- Epictetus (Stoic philosopher)

Page 16: So You Want to be the CSO by Daniel Blander

Bad Communication:

“They should know what to do”

Good Communication:

• Speak at your audience’s level

• The medium is the message.

• Align What you Do with What you Say.

Page 17: So You Want to be the CSO by Daniel Blander

Expose Inferences & make your ideas explicit

Allow your ideas to be challenged

Test competing views and their impact

Do so in a “blameless” environment

(Ladder of Inference – Chris Argyris, Donald Schön)

Page 18: So You Want to be the CSO by Daniel Blander

“To lead people, walk beside them.”

- Lao-Tzu

Page 19: So You Want to be the CSO by Daniel Blander

Understand People’s Motivations & Priorities

Step Up and Reach Out

Make Their Problems Yours

Help Outside the Box

Result: Rabid Fans! Emotional Capital.

Page 20: So You Want to be the CSO by Daniel Blander

“You may barely be real to the people above you in an organization if you don’t find a way to improve their lives.”

- David F. D’Alessandro

Page 21: So You Want to be the CSO by Daniel Blander

Solving problems is always an act of design

• 2 Million solutions, 1 million right ways to do it

Work towards a goal other than your own

• Think of the Organization’s goals and give back

Collaborate on Solutions

• Include the team and let your ideas be challenged

Learn to let go of old ideas

• A good leader knows learning is a sign of strength.

Page 22: So You Want to be the CSO by Daniel Blander

You lead from a role, not a title

Create cross-company support

Influence inclusion & participation

Risk managed at organizational level

Not trying to be “100% Secure”

Be willing to let go

Page 23: So You Want to be the CSO by Daniel Blander

Find Your Role

Be the Communicator

Build Your Emotional Capital

Collaborate & Problem Solve

